What should be a primary focus of an IS auditor reviewing a disaster recovery plan?

A primary focus of an IS auditor reviewing a disaster recovery plan should be the engagement of process owners. This is essential because process owners are responsible for the critical functions and operations of the organization. Their involvement ensures that the disaster recovery plan accurately reflects the needs and priorities of the business. They can provide insights into the specific requirements for recovery, including the criticality of applications, systems, and data, which helps ensure that recovery strategies are aligned with the business objectives.

Engaging process owners also facilitates the identification of key personnel, roles, and responsibilities during a disaster. This engagement allows for better communication and collaboration, ensuring that everyone understands their roles when a disaster occurs. Furthermore, their input can improve the overall effectiveness of the recovery plan, as they can validate that the plan aligns with operational needs and can provide practical insights that might not be captured otherwise.

Inclusion of business continuity training sessions, validation of recovery time objectives, and availability of an offsite storage strategy are indeed important elements of a disaster recovery plan. However, without the active involvement and engagement of process owners, these elements may not be effectively aligned with business priorities or adequately resourced, potentially compromising the plan’s effectiveness during an actual disaster.