Stay informed about cyber awareness training topics and mitigate risk in your organisation.

How to Write a Disaster Recovery Plan (And Why You Need One)

Disaster Recovery Plan

about the author

Share on linkedin
Share on twitter
Share on facebook

Whatever form a disaster takes, the best way to deal with it is to be prepared by turning to a well-thought-out Disaster Recovery plan. Staying cool and calm under pressure is much easier when you have someone (or thing) to guide you through a bad situation. Disasters take many forms from natural disasters to cyber-attacks and accidents.

Cyber-attacks, such as ransomware, can be disastrous for a company, often halting work altogether. The impact from accidental document losses or a malicious security breach can be serious, including lost reputation, regulatory fines, and system and business downtime. Creating an actionable Disaster Recovery plan gives an organisation the best possible chance to minimise any impact of a disaster such as a flood, fire, or cyber-attack.

Here is our guide to what a Disaster Recovery plan is and how to write one.

What is a Disaster Recovery Plan?

In the Hitchhiker’s Guide to the Galaxy, the Encyclopaedia Galactica begins with the words “Don’t Panic”. An effective Disaster Recovery plan (DR) doesn’t need to have those words emblazoned across its cover because it is a reasoned go-to guide to dealing with a disaster. A DR plan is an organisation’s documented instruction guide to responding to incidents including natural disasters such as floods, power outages, cyber-attacks, data breaches, and so on. The plan presents a series of strategies that help to minimise the impact of a disaster; the goal being to maintain business operations and to resume work as soon as possible.

Why do You Need to Write a Disaster Recovery Plan?

Bad things do happen and often without warning, resulting in widespread disruption. The 2015-2016 UK storms, for example, resulted in a £1.6 billion economic impact, with businesses spending over £500 million on flood damage. Cyber-attacks are also a disaster waiting to happen: in 2020, 65% of medium-sized businesses experienced a cyber-attack, according to a 2021 DCMS survey. Insider threats can be disastrous too, with costs surging, according to The Ponemon Institute: the last 12 months has seen the average annual cost of an insider breach rise by 31% to $11.45 million (£8.27 million).

Disasters are often unavoidable, but they can be managed to minimise their impact – this is where the Disaster Recovery plan comes in.  A DR plan is designed to:

  • Limit the impact of the disaster on the business
  • Minimise the impact on business processes and operations
  • Minimise any physical or cyber-damage
  • Reduce the costs associated with the disaster
  • Train staff in the processes identified to mitigate disasters
  • Identify ways of working while the disaster is being dealt with
  • Post-disaster recovery procedures

The Five Pillars of a Disaster Recovery Plan

Disaster Recovery plans are typically comprised of five key components:

  1. Roles and responsibilities
  2. What are the risk areas?
  3. Carry out a Business Impact Assessment (BIA)
  4. Asset audit
  5. Backups

Roles and responsibilities

Create a DR team that will be responsible for developing and maintaining the DR plan. Identify the key personnel involved in carrying out the duties involved in dealing with, and recovering from, a disaster. Effective dissemination of information and robust channels of communication are essential to an effective DR plan. Place personnel details, including contact and backup contact information, into an easily accessible log in the DR plan. This will be your master list of contacts. You should also build a backup team of contacts.

All employees must be informed about the DR plan and who is responsible for executing the plan in the event of a disaster. This will form part of a wider training program in disaster planning for all employees to understand what happens in the event of a disaster.

What are the risk areas?

Define the risk areas associated with a disaster. This typically breaks down disasters into types, e.g., natural, human-created, technology-related. Each type of disaster would typically have its own mitigation strategies. Outline what these mitigation strategies are and how each is implemented.

Carry out a Business Impact Assessment (BIA)

The effective management of a disaster requires prioritisation. A Business Impact Assessment (BIA) looks at the types of business activities and maps these to risk levels in terms of how critical they are to the company’s continued operations. This is mapped to the resource requirements of critical business operations that are needed to ensure operational resilience and continuity when the business is disrupted. In terms of disaster planning, a Disaster Recovery plan would typically focus on key business areas such as revenue generation and payroll. The goal, however, is to get full operations up and running as quickly as possible.

Asset audit

As part of a wider impact assessment, the DR plan should provide an audit of the most impactful applications, documents, hardware, etc., and their criticality to business operations. This is an ongoing process as these items can quickly change.


Having backups of key and sensitive documents is a fail-safe. Documents that are essential to a business can be lost or damaged in a disaster or encrypted in ransomware attacks. Ensure your policy includes a backup and recovery strategy that covers:

  • Who is responsible for backups?
  • What to save and how often to perform backups
  • How to save it (type of backup system used – this is especially important for ransomware resistance)
  • How to test the backup system and how often to test
  • How to recover from backups

It is also important to remember that a Data Recovery plan is a living document that requires regular updating. Creating a robust DR plan is an intensive process that dives into the weeds of your organisation and how you will cope in a worst-case scenario. It has many business-critical parts and collaboration with third-party experts should be considered to ensure a best-fit plan.

Is Your Disaster Recovery Plan Ready?

Every Disaster Recovery plan is unique to an organisation: a DR plan drills down into the core of an organisation’s business and how it operates. But a Disaster Recovery plan has people at its heart. Staff training on the implementation of the principles of a Disaster Recovery plan is vital to ensure that plan is carried out effectively. Our staff are the means to avert a disaster, but they need to be made fully aware of their role to avert or minimise the impact of that disaster.

Cyber Security Awareness for Dummies

you might enjoy reading these