|Completed By :
City, State, Zip:_______________________________________
Business Recovery Plan for :____________________________
Business Recovery Plan LEVEL 1 (Executive Awareness/Authority)
1) Has a Business Recovery Plan been:
b) Updated within the last 6 months?
Business Recovery Plan LEVEL 2 (Plan Development and Documentation)
1) Has a classification (critical, important, marginal) been assigned to the Business Process/Function/ Component that this
2) Has a Business Recovery Plan been:
3) Does the Business Recovery Plan include the following sections:
b) Incident Management?
i) Responsible company officer?
ii) Personnel responsible for updates?
f) Plan Exercise?
g) Plan Maintenance?
h) Business Recovery Teams and Contact Information?
4) Does the Business Recovery Plan identify hardware and software critical to recover the Business and/or Functions?
5) Does the Business Recovery Plan identify necessary support equipment (forms, spare parts, office equipment, etc.) to
recover the Business and/or Functions?
6) Does the Business Recovery Plan require an alternate site for recovery?
i) Does the Business Recovery Plan provide for mail service to be forwarded to the alternate facility?
ii) Does the Business Recovery Plan provide for other vital support functions?
7) Are all critical or important data required to support the business being backed up?
i) Are they being stored in a protected location (offsite)?
8) Do you conduct a walk-through exercise of your Plan at least annually? (This should include a full walk-through as well as
"elements" of your plan (i.e. Accounts payable, receivable, shipping and receiving, etc.)
9) Does the walk-through element exercises have a prepared plan which includes:
10) Is a current copy of the Business Recovery Plan maintained off-site?
11) Do all users of the Business Recovery Plan have ready access to a current copy at all times?
12) Is there an audit trail of the changes made to the Business Recovery Plan?
13) Do all employees responsible for the execution of the BDRP receive ongoing training in Disaster Recovery and Emergency
LEVEL 3 (Management & Recovery Team Assessment and Evaluation For Effectiveness)
1) Has the business officer and management team approved the Business Recovery Plan?
2) Does the business owner maintain:
a) The master copy of the Business Recovery Plan?
b) An audit trail of the changes made to a Business Recovery Plan?
3) Do all aspects of physical and logical security at the alternate site conform with your current security procedures?
4) Are the physical and logical security at the alternate site at least as stringent as the security at the disaster location?
5) Have all employees and their alternates responsible for executing a manual work-around for a mechanized process been
identified in the Business Recovery Plan and properly trained?
6) Has an independent observer documented the simulation exercise(s) noting all results, discrepancies, exposures, action items
and individual responsible, etc.?
7) Was a debriefing held within a reasonable period of time (typically two weeks) after the simulation exercise(s) to ensure all
activities have been accurately recorded?
8) Did the exercise coordinator publish a simulation exercise(s) report within a reasonable period of time (typically three weeks)
after the completion of the simulation exercise(s)?
9) Did the exercise report include?
a) what worked properly as well as any deficiencies and recommendations for improvement?
b) Responsibility and due date for the development of the Corrective Action Plan?
10) Was a Corrective Action Plan developed by the Exercise Team to address any deficiencies identified by the exercise?
11) Is there a retention plan for the Exercise Plans and Corrective Action Plans (minimum retention 3 years)?
12) Has a walk-through element exercise been performed at least quarterly?
13) Did each walk-through element exercise have a prepared plan which includes?
14) When there is a change in hardware, software, or a process that might impact the Business Recovery Plan, is the Business
Recovery Plan reviewed and updated within 30 days of the changes:
Sign-Off By Officer:
15) Based on the Joint Assessment has the Team determined that the Business Recovery Plan is effective?
Business Recover Plan (Business Recovery Plan) -- LEVEL 4 (Certification)
(Management & Recovery Team Assessment of Readiness and Plan Maintenance)
1) Has the component Business Recovery Plan been approved by the owner(s) of the Business Function(s)?
2) Has the entire Business Recovery Plan simulation exercise been performed at least annually?
3) Has the Corrective Action Plan been completed and closed?
4) Did the Business Recovery Plan simulation exercise have a prepared plan which includes:
5) Did the component Business Recovery Plan simulation exercise meet the acceptable Recovery Time Objective set by
6) Based on the Joint Assessment has the Team determined that the Business Recovery Plan and Exercises have met all
requirements to provide reasonable assurance that the plan will work in the event of a disaster?
7) Does the Business Recovery Plan specify the maximum acceptable Recovery Time Objective (RTO)?
8) Does the Business Recovery Plan specify the level of service (which the business owner has agreed to be acceptable) to be
provided while in recovery mode?
9) Have all changes relating to RTO in the Business Recovery Plan been approved by the process owner?
|From FEMA's Standard Checklist Criteria For Business Recovery