cisa-d4-operations-resilience-disaster-recovery-plans

Disaster Recovery Plans

isaca-cisa · framework · Gold standard

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 4, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Disaster Recovery Plans

A Disaster Recovery Plan (DRP) is a formally documented set of policies, procedures, and assigned responsibilities that enables an organization to restore its critical IT infrastructure, systems, and data to operational status following a disruptive event. It specifies who does what, in what sequence, using which resources, within pre-agreed time and data-loss tolerances. The DRP is the IT execution layer of a broader Business Continuity Plan (BCP): the BCP governs how the business keeps functioning; the DRP governs how the technology supporting the business is recovered. Two metrics anchor every DRP: Recovery Time Objective (RTO)—the maximum tolerable downtime before business harm becomes unacceptable—and Recovery Point Objective (RPO)—the maximum tolerable age of restored data at the moment recovery completes. A DRP is a living document: it must be owned by a named individual, tested on a defined cadence, and updated whenever systems change.

Where it stops · what it isn't

—IS: Documented recovery procedures for IT systems, infrastructure, applications, and data following a disruptive event (natural disaster, cyberattack, infrastructure failure, human-caused incident).
—IS: Defined RTO and RPO per system criticality tier, recovery team roles and contact trees, alternate processing site procedures, backup restoration sequences, and post-recovery validation steps.
—IS: A tested, maintained, living document updated whenever systems change—not a one-time compliance deliverable.
—IS NOT: A Business Continuity Plan (BCP)—the DRP is a subset and execution layer of the BCP, not a replacement for it.
—IS NOT: An Incident Response Plan (IRP)—the IRP addresses how to detect, contain, and eradicate a threat; the DRP addresses how to restore systems after the threat is contained.
—IS NOT: A backup policy—backup is one input to the DRP; the DRP orchestrates the entire recovery lifecycle, including failover, communication, validation, and return to production.
—IS NOT: A static compliance document—a DRP that is not tested and updated ceases to function as a recovery instrument regardless of how well it is written.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Business Continuity Plan (BCP)

REQUIRES

Data Backup, Storage, and RestorationBusiness Impact Analysis (BIA)

RELATED TO

Incident Response Plan (IRP)Crisis Communications Plan

ENABLES

Systems Availability and Capacity ManagementIT Service Level Management

CONSTRAINS

System and Operational Resilience

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.