Question DRPL-01
Describe or provide a reference to your Disaster Recovery Plan (DRP).
| Weight | 20 |
| High Risk | No |
| Required | No |
| Compliant Answer | Yes |
Standard Guidance
Provide a valid URL to your current DRP or submit it along with this fully populated HECVAT.
Answering "NO"
Describe any plans to implement a DRP.
Answering "YES"
Please attach or include a link.
Reason for Question
In the context of the CIA triad, this question is focused on availability and is often in need of a follow-up. Understanding the maturing of a vendor's DRP can shed light on many other aspects of a vendor's overall security state.
Follow-Up Inquiries
A vendor may have a number of BCP elements defined so the vendor's response may not be binary. Assess the components of the plan and ask about timelines, follow-up commitments, etc. If the vendor does not have a DRP, point them to https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-1164 (opens in a new tab)
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]