IT Disaster Recovery Plan and Process Guide

How to use this plan and process guide

This guide is for technical users. Technical users include:

  • Technical architects
  • DevOps specialists
  • IT service managers
  • Software developers

This plan and process guide is part of a set of Ministry of Justice (MoJ) policies and supporting guides that cover various aspects of incident and disaster management and response.

The policies are:

The supporting guides are:

This guide gives information on how to create and develop an IT Disaster Recovery Plan for your MoJ IT system or service.

The National Cyber Security Centre (NCSC) also offers guidance on how to effectively detect, respond to and resolve cyber incidents.

Business Impact Assessment

The service or system owner should carry out a Business Impact Assessment (BIA) in order to:

  • get an overview of the Business as Usual (BAU) functions for the MoJ IT system or service
  • get an understanding of the business criticality of the service the MoJ IT system supports
  • calculate a Recovery Point Objective (RPO) - this is the maximum amount of data the business can afford to lose during a disaster
  • calculate a Recovery Time Objective (RTO) - this is the amount of time before the disaster begins to seriously impede the flow of normal business operations

Suggested content

Disaster recovery plans are specific to each individual IT system or service. They are intended to offer guidance to every listed role when responding to an incident.

When deciding the content of a Disaster Recovery Plan for an MoJ IT system or service, a useful start is to identify every potential disaster that may affect the system or service, together with procedures to resolve each one.

Each Disaster Recovery Plan should include:

  • the point at which the recovery plan should be used
  • a clear and detailed process to recover the MoJ IT system to BAU
  • a list of key roles and a description of their responsibilities - each role should have at least two sets of contact details
  • a list of internal and external stakeholders to be contacted as soon as the incident happens - each stakeholder should have at least two sets of contact details
  • a communication list of everyone who needs to be contacted, together with the chains of communication that shall be followed
  • a list of people who can undertake the role of recovery manager
  • a series of steps to follow in order to mitigate the incident
  • a list of criteria needed to initiate a forensic investigation, and the role(s) responsible for it
  • clear instructions on how to escalate to a higher level of incident response, to include names and contact details and the reason for escalating the incident
  • methods to maintain business continuity whilst the MoJ IT service is unavailable
  • a process to identify and capture lessons learned during the incident
  • the requirement for a written report for medium and high impact incidents

All plans should be stored securely both online and offline. Roles and stakeholders mentioned in the plan should know of its location and be able to access it.

Reviewing and testing

Disaster Recovery Plans shall be reviewed regularly, and updated if there have been any changes to systems or services, personnel, or communication chains.

Plans shall be tested and practised regularly to help familiarise each of the roles with their responsibilities within the response process.

This is not an exhaustive list. If you need support in creating a plan, please contact the Service Operations Centre (SOC) and the Major Incident Team.

Contact details

For any further questions or advice relating to security, contact: security@justice.gov.uk.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.