An IS auditor reviewing an organization's IS disaster recovery plan should verify that it is:

A. tested every six months.
B. regularly reviewed and updated.
C. approved by the chief executive officer (CEO).
D. communicated to every department head in the organization.
The plan should be reviewed at appropriate intervals, depending upon the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effective. The plan must be subjected to regular testing, but the period between tests will again depend on the nature of the organization and the relative importance of IS; an interval of three months, or even a year, may be appropriate in different circumstances. Although the disaster recovery plan should receive the approval of senior management, the approver need not be the CEO if another executive officer is equally or more appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. Similarly, although a business continuity plan is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document and only relevant to IS and communications staff.