Business continuity and disaster recovery

Questions 92 to 99 — see if the plans for business continuity and disaster recovery meet your requirements — check both your organisation and the service provider.

Questions 92 to 99 — business continuity and disaster recovery

Table 1 lists who is responsible for answering each question. Both your government organisation and the service provider need to answer question 99.

Context and help for questions 92 to 99

Record your answers to these questions in either:

Questions to answer

  92. Does the service provider have business continuity and disaster recovery plans?
  93. Will the service provider allow your government organisation to review its business continuity and disaster recovery plans?
  94. Do the service provider’s plans cover the recovery of information or only the restoration of the service?
  95. If the service provider’s plans cover the restoration of information, is the recovery of customer data prioritised?
    a. If yes — how? In other words, are customers prioritised based on size and contract value?
  96. Does the service provider formally test its business continuity and disaster recovery plans on a regular basis?
    a. If yes — how regularly are such tests performed?
    b. Will they provide customers with a copy of the associated reports?
  97. Does your government organisation have its own business continuity and disaster recovery plan in place to ensure that it can recover from the service provider:
    • having a service outage
    • going out of business
    • withdrawing the service?
  98. Does your government organisation require its own data backup strategy to ensure that it can recover from the service provider:
    • having a service outage
    • going out of business
    • withdrawing the service?
  99. Are the backups, whether performed by the service provider or government organisation, encrypted using an:
    • approved encryption algorithm
    • appropriate key length?

Table 1: Who answers each question

| Entity | Questions to answer |
| --- | --- |
| Government organisation | 97, 98, 99 |
| Service provider | 92, 93, 94, 95, 95a, 96, 96a, 96b, 99 |

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 92 to 99

The following guidance gives you context and help for answering questions about business continuity and disaster recovery.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Check the service provider’s plans

See if the service provider has plans in place that meet the levels you require for:

  • business continuity
  • disaster recovery.

Check your organisation’s plans

Government organisations must also have plans in place for business continuity and disaster recovery. They should be tested regularly to make sure your organisation can keep offering its services during an outage.

Backup plan — data

Government organisations must meet their obligations under NZ legislation, which requires them to back up their data to preserve its integrity.

Integrity of the information

Backup plan — public cloud service

Another reason for backing up data is so you can switch the public cloud service your government organisation is using. This can happen because:
