Best Practices for Implementing a DRP for an Organization

Several best practices apply when implementing a DRP. The following list covers many of them:

  • Ensuring BIAs have been completed—BIAs identify CBFs, which are used to identify the critical business operations and critical servers and services.
  • Starting with a clear purpose and scope—The purpose and scope statements help ensure the DRP stays focused. Resources are wasted when steps and procedures are taken that are outside the scope of the DRP.
  • Reviewing and updating the DRP regularly—The DRP should be reviewed at least annually. If critical systems covered by the DRP are changed, the DRP should be reviewed to determine whether the changes affect it.
  • Testing the DRP—Testing ensures that the DRP can be implemented as expected. While testing the DRP, normal operations should not be affected.

Employing a checklist is often worthwhile to ensure that all the relevant concerns have been addressed. The following checklist can be used before, during, and after the creation of a DRP to identify the company’s preparedness:

  • Is the organization’s BIA up to date? If the BIA is more than one year old, it must be updated first.
  • Have any systems covered by the BIA changed since the BIA was completed? If so, the BIA needs to be revised.
  • Are critical business functions defined? Is it clear what systems need to be recovered first?
  • Does the DRP specify the level of service to provide for the CBFs? In other words, if the business must continue to operate during a disaster, does the DRP identify which services need to be restored?
  • Are specific responsibilities assigned? Do departments or individuals know what is expected of them at different times during an emergency?
  • Is it clear what hardware, software, and data should be recovered? Does the DRP include the support equipment needed for the CBFs?
  • Does the DRP include a backup plan? Does this backup plan include a testing element for test restores? Does the DRP include steps to use for data restores?
  • Are backups stored off-site? Are the off-site backups easily accessible if a disaster occurs?
  • Is there a communication plan? Does it have alternate methods of communication?
  • Are alternate sites required? What type of alternate site is desired? Does the budget allow for the desired site?
  • Are facility needs considered? This category includes UPSs, backup power, and heating and air-conditioning systems.
  • Have support services been addressed? For example, if backup generators will be needed, is enough fuel on hand to support the organization during the disaster? Is there enough food and water to support on-site personnel during the disaster?
  • Are personnel trained on the DRP? Do they know what their responsibilities are before, during, and after a disaster?
  • Has the DRP been tested? Have the procedures been tested to verify that they work as expected?
  • Is the DRP reviewed at least annually? Is it updated as needed when elements within it are affected?
  • Are changes to the DRP tracked?