Para 3.22.48 — MSO (Audit)
Original Rule Text
3.22.48 Disaster recovery plans should be documented, periodically tested and updated as necessary. Untested plans may be satisfactory on paper but may fail when put into practice. Testing will reveal deficiencies and allow amendments to be made. The importance of adequate documentation is increased where significant reliance is placed only on a few key members of the IT department. The loss of key personnel, perhaps due to the same reason the computers were disrupted, may adversely affect an organisation’s ability to resume operations within a reasonable timeframe.
What This Means
Disaster recovery plans must be written down, periodically tested, and updated whenever systems change. An untested plan may look good on paper but could fail when actually needed. Testing reveals weaknesses and allows corrections. Thorough documentation is especially critical when the organisation relies heavily on a few key IT personnel, because those same people might be unavailable during the disaster that disrupts the computers.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
1. Disaster recovery plans must be documented in writing
2. Plans must be periodically tested to reveal deficiencies
3. Plans must be updated as systems and infrastructure change
4. Untested plans may fail when put into practice during an actual disaster
5. Documentation reduces dependency on key personnel who may be unavailable during a disaster
Practical Example
A Central Government ministry conducts an annual disaster recovery drill where they simulate a complete server room failure. During the last test, they discovered that the backup tapes were unreadable because the tape drive firmware had been upgraded but the backup software had not been updated accordingly. This deficiency was fixed immediately. They also documented step-by-step recovery procedures so that any trained IT staff member — not just the two senior administrators — could execute the recovery.
Frequently Asked Questions
- How often should disaster recovery plans be tested?
- Why is the loss of key IT personnel a concern in disaster recovery?
- What should be included in disaster recovery documentation?