This article provides additional information on how you can meet the requirement for the CAF control – B5.a Resilience Preparation.
Business Continuity and Disaster Recovery Planning
- We maintain a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that outline how systems and services required to deliver managed services will be restored following disruption.
- These plans should be stored and maintained in Adoptech, and reviewed at least annually or after significant changes.
Testing Preparedness
- Resilience preparations should include regular testing to ensure plans are practical and effective. Testing may include:
-
Tabletop exercises simulating plausible incident scenarios
-
Technical failover tests for critical systems
-
Backup restoration tests using tools such as Veeam, Datto, Acronis or Microsoft Azure Backup
-
- After each exercise:
-
Outcomes, lessons learned and required improvements should be documented
-
Test reports should be uploaded into SharePoint or Adoptech
-
Backup Resilience
-
Segregated and secured backups should be maintained to ensure recoverability even in the event of ransomware or system compromise.
-
Typical backup systems may include Veeam, Datto, Acronis, Arcserve, Azure Backup, or hypervisor/cloud snapshot services.
Threat Awareness
-
Threat intelligence feeds, such as NCSC Early Warning, should be monitored to stay prepared for emerging risks (e.g., mass ransomware campaigns).
Restoring Essential Services
- A combination of documented plans, routine testing, resilient backups and active threat awareness helps ensure that essential services can be restored quickly and effectively following an adverse event.