https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/24263#M1440 <P>Does anyone have a RACI for Disaster Recovery? Who owns the process? COBIT 5 for Information Security defines the CISO/ISM as contributors. I know it depends to a great extent on the risk framework that has been implemented but who takes the responsibility of ensuring the plan works?</P> Wed, 26 Jun 2019 14:44:33 GMT bjonah 2019-06-26T14:44:33Z https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/24263#M1440 <P>Does anyone have a RACI for Disaster Recovery? Who owns the process? COBIT 5 for Information Security defines the CISO/ISM as contributors. I know it depends to a great extent on the risk framework that has been implemented but who takes the responsibility of ensuring the plan works?</P> Wed, 26 Jun 2019 14:44:33 GMT https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/24263#M1440 bjonah 2019-06-26T14:44:33Z https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/24293#M1441 <P>&nbsp;</P><BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1069625775">@bjonah</a>&nbsp;wrote:<BR /><P>Does anyone have a RACI for Disaster Recovery? Who owns the process? COBIT 5 for Information Security defines the CISO/ISM as contributors. I know it depends to a great extent on the risk framework that has been implemented but who takes the responsibility of ensuring the plan works?</P><HR /></BLOCKQUOTE><P>So difficult question to answer.&nbsp; It depends on a number of things:</P><P>&nbsp;</P><P>1) how large an organization</P><P>2) is the a BCP person</P><P>3) have you assigned DR Coordinators</P><P>&nbsp;</P><P>Typically Security would be contributors in their role as Security, however in an organization that places DR in the Security group (which I have seen), that person's role could be Responsible or Accountable.&nbsp;</P><P>&nbsp;</P><P>I have seen it both ways.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>d</P><P>&nbsp;</P> Thu, 27 Jun 2019 00:07:14 GMT https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/24293#M1441 dcontesti 2019-06-27T00:07:14Z https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/24300#M1442 <P>It depends on the scope of your BCP/DR plan and the strategy you've chosen to recover from an interruption.&nbsp; You really have to approach this top down rather than thinking immediately about a RACI matrix.</P><P>&nbsp;</P><P>I don't know where you are in the programme but I'd start with BIA of the business processes affected if there was an interruption and how long you could run a viable business with interrupted processes.&nbsp; Then look at what you have in place to reduce the impact of a disruption, for example, single site HA, fail-over to a backup site, systems in multiple cloud availability zones etc.&nbsp; Only once you've done this groundwork can you look at the operational plan and RACI for continuing to operate and recovering from an interruption.</P><P>&nbsp;</P><P>From an InfoSec perspective you simply need to ensure that the contingency measures used during the interruption does expose your organisation to further uneccessary risk.</P> Thu, 27 Jun 2019 07:47:46 GMT https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/24300#M1442 Steve-Wilme 2019-06-27T07:47:46Z https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/26505#M1645 <P>Thanks. It makes sense to have an assigned Coordinator at a senior level. In terms of the overall responsibility for its implementation, it should be the CRO/CEO and the board.</P> Wed, 07 Aug 2019 13:35:27 GMT https://community.isc2.org/t5/Tech-Talk/RACI-for-Disaster-Recovery-Plan/m-p/26505#M1645 bjonah 2019-08-07T13:35:27Z