i. Each key business system must have a documented DRP to provide guidance when hardware, software, or networks become critically dysfunctional or cease to function (short and long term outages).
i. Each DRP must include an explanation of the magnitude of information or system unavailability in the event of an outage and the process that would be implemented to continue business operations during the outage. Where feasible, the DRP must consider the use of alternative, off-site computer operations (cold, warm, hot sites).
i. Each plan must be reviewed against the organization’s strategy, objectives, culture, and ethics, as well as policy, legal, statutory and regulatory requirements.
i. Each DRP must include:
1. An emergency mode operations plan for continuing operations in the event of temporary hardware, software, or network outages.
1. A recovery plan for returning business functions and services to normal on-site operations.
1. Procedures for periodic testing, review, and revisions of the DRP for all affected business systems, as a group and/or individually.