How to Write a Disaster Recovery Plan + Template

  • July 10, 2024

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe


Cavan Leung

Senior Compliance Manager at Secureframe

A study found that only 54% of organizations have a company-wide disaster recovery plan in place. This percentage is even lower for government IT departments (36%) despite the proliferation of ransomware and other cyber threats. 

Not having a documented disaster recovery plan can seriously hamper an organization’s ability to recover lost data and restore its critical systems. This can result in significantly higher financial losses and reputational damage.

To help ensure your organization can recover from disaster as swiftly and easily as possible, learn what exactly a disaster recovery plan is and how to write one. Plus, find some examples and a template to help get you started.

What is a disaster recovery plan?

A disaster recovery plan (DRP) is a contingency planning document that outlines the procedures an organization will follow to recover and restore its critical systems, operations, and data after a disaster. Examples of disasters that may disrupt the continuity of product or service delivery are natural disasters, cyber attacks, hardware failures, power outages, and human errors. 

In planning for disaster recovery, what is the ultimate goal?

The ultimate goal of disaster recovery planning is to minimize the impact of a disaster, and ensure business continuity.

Having a disaster recovery plan in place that is well-designed and regularly maintained can help organizations:

  • minimize downtime
  • reduce financial losses
  • protect critical applications aginst data loss
  • resume operations quickly 
  • maintain service level agreements
  • provide peace of mind for employees

Disaster recovery plan vs business continuity plan

A disaster recovery plan and business continuity plan both take a proactive approach to minimize the impact of a disaster before it occurs and may even be combined into a single document as a result. 

However, the key difference is that a disaster recovery plan focuses on limiting abnormal or inefficient system function by restoring it as quickly as possible after a disaster, whereas a business continuity plan focuses on limiting operational downtime by maintaining operations during a disaster. 

In other words, a disaster recovery strategy helps to ensure an organization returns to full functionality after a disaster occurs. A business continuity plan helps an organization keep operating at some capacity during a disaster. That’s why organizations need to have both documents in place, or need to incorporate disaster recovery strategies as part of their overall business continuity plan. 

What are the measures included in a disaster recovery plan?

Just as no two businesses are the same, no two disaster recovery plans are. However, they do typically include some common measures. These are detailed below.

Data backup and recovery

A section of a DRP should be dedicated to data backup and recovery. This should list backup methods, frequency of backups, the storage locations, and the procedures for data protection and restoration.

Redundant systems and infrastructure

Another section may explain how the organization implements redundant systems and IT infrastructure to ensure high availability and minimize downtime if a disaster occurs. This may involve duplicating critical servers, network equipment, power supplies, and storage devices using clustering, load balancing, failover mechanisms, virtualization technologies, or other measures. 

Alternate worksite

A DRP may identify disaster recovery sites or recovery locations where the organization can operate if the primary site becomes inaccessible. This section should also define procedures and infrastructure needed to quickly transition operations to the identified alternate sites.

Communication and notification

Another part of DRP may define communication protocols and notification procedures to ensure communication during and after a disaster. Protocols and procedures typically include:

  • notifying management teams, employees, customers, vendors, and stakeholders about the disaster
  • providing updates on recovery progress
  • maintaining contact information for key personnel and emergency services

Recovery objectives

A DRP may set acceptable time frames for recovering systems and data in terms of recovery time objectives (RTO) and recovery point objectives (RPO). These objectives should be based on the criticality of systems and shape recovery strategies accordingly. 

  • RTO: The maximum amount of downtime allowed
  • RPO: The maximum data loss accepted (measured in time)

How to write a disaster recovery plan

Writing and maintaining a disaster recovery plan requires collaboration and coordination among key stakeholders across an organization and can seem intimidating. Below we’ll outline the process step by step to help you get started. 

1. Define the plan’s objectives and scope

To start, define the objectives and scope of your disaster recovery plan.

Objectives may include:

  • safeguarding employees’ lives and company assets
  • making a financial and operational assessment
  • securing data
  • quickly recovering connectivity and operations

Next, identify what and who the plan applies. Typically, assets utilized by employees and contractors acting on behalf of the company or accessing its applications, infrastructure, systems, or data fall within the scope of the disaster recovery plan. In this case, employees and contractors are required to review and accept the plan. 

2. Perform a risk assessment

Identify potential risks and vulnerabilities that could lead to a disaster, both internal and external to the organization. This should involve evaluating your reliance on external vendors, cloud service providers, and suppliers for critical services or resources and assessing their own disaster recovery solutions to ensure they align with your organization's requirements.

3. Perform a business impact analysis

Next, determine the business functions, business processes, information systems, and sensitive data that are essential for your organization's normal business operations. For each critical component, establish recovery time objectives and recovery point objectives. 

4. Define recovery measures and procedures

Define the appropriate measures and step-by-step procedures for disaster recovery based on the risks and business impact you identified. This includes identifying the individuals or disaster recovery team members responsible for recovery tasks, the resources required, and the order of recovery tasks.

As stated above, these recovery tasks may fall into the following categories:

  • Data backup and recovery
  • Redundant systems and infrastructure
  • Alternative worksites
  • Communication and notification

You may also want to outline specific disaster recovery procedures. These are the actions that should be taken during and immediately after a disaster strikes, and may include evacuation plans and communication protocols and coordination with emergency services.

5. Conduct testing and training regularly

Regularly test the disaster recovery plan to ensure its effectiveness and identify any potential gaps or weaknesses. Conduct training sessions for employees to familiarize them with their roles and responsibilities during a disaster.

6. Review and update the plan regularly

Review and update the disaster recovery plan periodically to incorporate changes in technology, business operations, and potential risks. Ensure that contact information, system configurations, and other relevant details are up to date.

Disaster recovery plan template

Use this template to kick off your disaster recovery planning and customize it based on your organization's specific risks and objectives.

Disaster recovery plan examples

Below you can find examples of disaster recovery strategies and procedures from disaster recovery plans created and maintained by universities and other organizations. This should help you in brainstorming and documenting your own recovery strategies and plans for different services, environments, and types of disasters. 

1. IT disaster recovery plan

Southern Oregon University has a comprehensive disaster recovery plan specifically for its IT services because they are so heavily relied upon by faculty, staff, and students. There are disaster recovery processes and procedures outlined for various IT services and infrastructure, including its data center, network infrastructure, enterprise systems, desktop hardware, client applications, classrooms, and labs. 

Some of the IT disaster recovery processes and procedures outlined in the plan are:

  • Secure facility as necessary to prevent personnel injury and further damage to IT systems and data management systems.
  • Coordinate hardware and software replacement with vendors
  • Verify operational ability of all equipment on-site in the affected area (servers, network equipment, ancillary equipment, etc.). If equipment is not operational, initiate actions to repair or replace as needed.
  • If the data center is not operational or recoverable, contact personnel responsible for the alternate data center and take necessary steps to ready the facility.
  • Retrieve most recent on-site or off-site back-up media for previous three back-ups. Prepare back-up media for transfer to primary or secondary datacenter, as determined during the initial assessment.

2. AWS disaster recovery plan

AWS walks through disaster recovery options in the cloud in this whitepaper. It explains four primary approaches to cloud disaster recovery:

  • Backup and restore: Backup the data, infrastructure, configuration, and application code of your primary Region and redeploy them in the recovery Region. This is the least costly and complex approach. 
  • Pilot light: Replicate your data from one Region to another and provision a copy of your core workload infrastructure so that you can quickly provision a full scale production environment by switching on and scaling out your application servers if a disaster occurs. This simplifies recovery at the time of a disaster and also minimizes the ongoing cost of disaster recovery by “switching off” some resources until they’re needed.
  • Warm standby: Create and maintain a scaled down, but fully functional, copy of your production environment in another Region. This decreases the time to recovery compared to the pilot light approach, but is more costly because it requires more active resources.  
  • Multi-site active/active: Run your workload simultaneously in multiple Regions so users are able to access your workload in any of the Regions in which it is deployed, which reduces your recovery time to near zero for most disasters. This is the most costly and complex approach. 

3. Data center disaster recovery plan

The University of Iowa also has a comprehensive disaster recovery plan, which includes several processes and procedures for recovering from a disaster that affects its data center. Some of these include: 

  • Have large tarps or plastic sheeting available in the data center ready to cover sensitive electronic equipment in case the building is damaged due to natural disasters like tornadoes, floods, and earthquakes.
  • If replacement equipment is required, make every attempt to replicate the current system configuration.
  • If data is lost, then request that the IT department recover it from an off-site backup or cloud deep archive storage.

How Secureframe can help your disaster recovery planning efforts

Secureframe’s automation compliance platform and in-house compliance expertise can help ensure your organization has the policies, controls, and expertise in place to protect entire systems proactively from business disaster and to recover if they do occur. Request a demo to learn how.


What are the 5 steps of disaster recovery planning?

The five steps of disaster recovery planning are prevention, mitigation, preparedness, emergency response, and recovery. That means when planning, you should identify measures and actions to:

  • avoid or prevent a disaster from occurring
  • reduce the chances of a disaster occurring or the impact of it
  • enhance your ability to respond in the event of a disaster
  • be carried out immediately before, during, and after disruptive events
  • restore your normal operations as quickly as possible

What are the 4 C's of disaster recovery?

The 4 C's of disaster recovery are communication, coordination, collaboration, and cooperation. Below are brief definitions of each:

  • Communication - developing and maintaining effective channels for sharing information before, during, and after disasters
  • Coordination - aligning actions to other parts of an organization or other organization to prepare for and respond to disasters
  • Cooperation - working with internal or external parties that share the same goal (ie. responding to and recovering from disasters) and strategies for achieving it
  • Collaboration - partnering with internal or external parties to identify challenges and responsibilities to recover from a disaster as quickly as possible

What are the three types of disaster recovery plans?

A disaster recovery or DR plan can be tailored to different services, environments, and types of disasters. So types of disaster recovery plans include ones for IT services, data centers, and cloud environments.

How do you create a good disaster recovery plan?

Creating a good disaster recovery plan requires a few key steps such as:

  • Performing a risk assessment and business impact analysis
  • Setting objectives, including data retention objectives, recovery time objectives (RTO) and recovery point objectives (RPO)
  • Creating an inventory of critical assets
  • Defining data backup procedures and recovery strategies
  • Establishing alternate communication methods
  • Assigning specific roles and responsibilities

What are the key elements of a disaster recovery plan?

Key elements of a disaster recovery plan are:

  • Objectives and goals
  • Recovery measures and procedures
  • Testing processes
  • A communication plan
  • Defined disaster recovery stages