Business continuity and disaster recovery
Questions 92 to 99 — see if the plans for business continuity and disaster recovery meet your requirements — check both your organisation and the service provider.
Questions 92 to 99 — business continuity and disaster recovery
Table 1 lists who is responsible for answering each question. Both your government organisation and the service provider need to answer question 99.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
92. Does the service provider have business continuity and disaster recovery plans?
93. Will the service provider allow your government organisation to review its business continuity and disaster recovery plans?
94. Do the service provider’s plans cover the recovery of information, or only the restoration of the service?
95. If the service provider’s plans cover the recovery of information, is the recovery of customer data prioritised?
    - 95a. If yes — how? In other words, are customers prioritised based on size and contract value?
96. Does the service provider formally test its business continuity and disaster recovery plans on a regular basis?
    - 96a. If yes — how regularly are such tests performed?
    - 96b. Will the service provider give customers a copy of the associated test reports?
97. Does your government organisation have its own business continuity and disaster recovery plan in place to ensure that it can recover from the service provider:
    - having a service outage
    - going out of business
    - withdrawing the service?
98. Does your government organisation require its own data backup strategy to ensure that it can recover from the service provider:
    - having a service outage
    - going out of business
    - withdrawing the service?
99. Are the backups, whether performed by the service provider or the government organisation, encrypted using an:
    - approved encryption algorithm
    - appropriate key length?
Table 1: Who answers each question

| Entity | Questions to answer |
|---|---|
| Government organisation | 97, 98, 99 |
| Service provider | 92, 93, 94, 95, 95a, 96, 96a, 96b, 99 |
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need a higher level of assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there is no way to mitigate the risk created by this incomplete information.
Independent assurance reports — New Zealand Information Security Manual
Context and help for questions 92 to 99
The following guidance gives you context and help for answering questions about business continuity and disaster recovery.
Check the service provider’s plans
See if the service provider has plans in place that meet the levels you require for:
- business continuity
- disaster recovery.
Check your organisation’s plans
Government organisations must also have plans in place for business continuity and disaster recovery. They should be tested regularly to make sure your organisation can keep offering its services during an outage.
Backup plan — data
Government organisations must meet their obligations under NZ legislation, which requires them to back up their data to preserve its integrity.
Backup plan — public cloud service
Another reason for backing up data is so you can switch the public cloud service your government organisation is using. This can happen because:
- you’ve found a better option — one of the benefits of public cloud services
- the provider has either stopped trading or is withdrawing the service.