https://community.isc2.org/t5/Governance-Risk-Compliance/Disaster-Recovery-Policy/m-p/49404#M594 <P>You can certainly go this route, as I'm sure people have created specific DR policies on this forum but this is typically covered in a Contingency Planning Policy, which encompasses BC and DR plans. Along with many other types of plans, e.g.,&nbsp;Cybersecurity Incident Response Plans, Crisis Communications Plans, etc.&nbsp;</P><P>&nbsp;</P><P><A href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf" target="_blank" rel="noopener">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf</A>&nbsp;</P><P><A href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf" target="_blank">NIST 800-34, Rev 1 Contingency Planning Guide for Federal Information Systems</A></P><P>&nbsp;</P><P>Tagging&nbsp;<a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967">@CISOScott</a>&nbsp;because he has extensive experience in Government work. Some things to include if I were to create a specific DR policy in no particular order:</P><P>&nbsp;</P><UL><LI>Purpose</LI><LI>Scope</LI><LI>Roles and responsibilities</LI><LI>Specific disasters that will be included in the DRP&nbsp;</LI><LI>Defining recovery time objectives (Or at least say it's going to be included in the DR plan)&nbsp;</LI><LI>BIA requirements</LI><LI>Communication plan or point to one that's already created</LI></UL><P>There's more but others can chime in with their thoughts.&nbsp;&nbsp;</P> Fri, 28 Jan 2022 21:04:59 GMT tmekelburg1 2022-01-28T21:04:59Z https://community.isc2.org/t5/Governance-Risk-Compliance/Disaster-Recovery-Policy/m-p/49403#M593 <P>Hi Everyone!</P><P>&nbsp;</P><P>I'm looking at creating my first policy and putting some of my CISSP to use in the form of a disaster recovery policy for the local authority I work for. <A href="mailto:I@m" target="_blank">I'm</A>&nbsp;wondering if there are any good resources to use and examples of these? I'm trying to make sure that this stays a policy and doesn't become a plan as this needs to be the broad direction that the organisation takes not any step by step.</P><P>&nbsp;</P><P>Appreciate any pointers or resources that will help.</P><P><BR />Rob</P> Fri, 28 Jan 2022 18:33:15 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Disaster-Recovery-Policy/m-p/49403#M593 Rob243 2022-01-28T18:33:15Z https://community.isc2.org/t5/Governance-Risk-Compliance/Disaster-Recovery-Policy/m-p/49404#M594 <P>You can certainly go this route, as I'm sure people have created specific DR policies on this forum but this is typically covered in a Contingency Planning Policy, which encompasses BC and DR plans. Along with many other types of plans, e.g.,&nbsp;Cybersecurity Incident Response Plans, Crisis Communications Plans, etc.&nbsp;</P><P>&nbsp;</P><P><A href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf" target="_blank" rel="noopener">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf</A>&nbsp;</P><P><A href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf" target="_blank">NIST 800-34, Rev 1 Contingency Planning Guide for Federal Information Systems</A></P><P>&nbsp;</P><P>Tagging&nbsp;<a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967">@CISOScott</a>&nbsp;because he has extensive experience in Government work. Some things to include if I were to create a specific DR policy in no particular order:</P><P>&nbsp;</P><UL><LI>Purpose</LI><LI>Scope</LI><LI>Roles and responsibilities</LI><LI>Specific disasters that will be included in the DRP&nbsp;</LI><LI>Defining recovery time objectives (Or at least say it's going to be included in the DR plan)&nbsp;</LI><LI>BIA requirements</LI><LI>Communication plan or point to one that's already created</LI></UL><P>There's more but others can chime in with their thoughts.&nbsp;&nbsp;</P> Fri, 28 Jan 2022 21:04:59 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Disaster-Recovery-Policy/m-p/49404#M594 tmekelburg1 2022-01-28T21:04:59Z https://community.isc2.org/t5/Governance-Risk-Compliance/Disaster-Recovery-Policy/m-p/49428#M595 That sounds like a good place to start really appreciate it! There is already a BC policy in place but it only covers the business side of a situation and what IT is required and due to a data center cloud migration its no longer fit for purpose. I'm trying to create a policy that sits with IT so it can be updated and underpin a specific IT DR plan so when a system or DR event happens the policy states the direction the business is taking and the IT DR plan can be kept upto date with moving technologies and systems so the IT department has a play book for most eventualities.<BR /><BR />Hope that makes sense Sun, 30 Jan 2022 13:28:02 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Disaster-Recovery-Policy/m-p/49428#M595 Rob243 2022-01-30T13:28:02Z