Organizations around the world continue to adopt third-party software to support their critical business processes and workflows. As a result, risk and vendor management functions are probing deeply into how a system or service will remain online, available and operating normally when a disruptive event such as a natural disaster or pandemic occurs. Software vendors in particular need to show that they have thought through a business continuity strategy and have risk management policies in place to prevent data loss, service disruptions and similar impacts when disaster strikes.

This due diligence most often takes place through a security questionnaire: a spreadsheet or online form filled with questions to the vendor on a range of information security and cybersecurity topics. One of the topics that continues to grow in prominence within these questionnaires is business continuity and disaster recovery.

Because these questions come up again and again, it is good practice for information security and compliance teams to provide an overview of their policies in a BC/DR summary document. Teams that expect to answer hundreds of security questionnaires often also keep question-and-answer pairs on this topic in their knowledge bank for reference when it comes up.

In this article, we explain why you should have a well-organized Business Continuity and Disaster Recovery (BC/DR) Summary document and what you should include in it.

What are common BC/DR questions asked in a security questionnaire?

Common questions asked by customers to their vendors about business continuity and disaster recovery plans often include the following:

  1. What are your recovery time objectives (RTOs) for the in-scope product/service offering?
  2. How do you maintain security controls during a BC/DR event?
  3. Who are the key stakeholders and decision makers who need to be involved in BC/DR processes?
  4. Are recovery plans designed to meet all relevant compliance objectives?
  5. What were the scope and results of your last recovery test exercise?
  6. How frequently are backups taken and where are they stored?
  7. Do you have backup coverage for critical job functions and incident response tasks?
  8. Has your organization duplicated critical staff competencies to minimize the effect on operations if you lose primary staff?
  9. Where is the in-scope system hosted and what geographical and environmental risks may be present there?
  10. How will your organization communicate with customers in the event of a service disruption?

Knowing that these questions come up often means it benefits you to give prospects a way to find the answers proactively during the sales cycle. A good place to start when providing business continuity information and details about your disaster recovery plans is a BC/DR summary.

What is a BC/DR summary and why have one?

Our analysis of 400,000+ security questionnaire questions answered by our AI revealed that almost 10% of the most common questions that come up during vendor due diligence could be answered with a well-organized Business Continuity and Disaster Recovery (BC/DR) Summary document.

Every organization ultimately has a different level of detail it is willing to share about how it keeps its systems online and available for customers. A BC/DR Summary document is a good way to centralize this. Hosting it in a gated trust center, where customers can access it and where AI can draw on it when answering security questionnaires, is one way to automate sharing this information.

Your business continuity and disaster recovery summary should include:

  • A brief overview of the service your organization offers and the typical workflow you support
  • How your company is set up to maintain operations during a business disruption (business continuity) such as a pandemic or a severe weather event. The COVID-19 pandemic forced many organizations to test and adjust how their business continuity plans are structured and operate.
  • How the software system you offer is architected to get back up and running with as little data loss as possible after a system failure such as a database corruption or a cloud supplier outage; in other words, your disaster recovery plan for a failure.
  • How frequently your company updates and tests these documents and plans, often including the dates and summarized results of recent exercises.
  • The specific Recovery Point Objective (RPO) your system can meet, often driven by how frequently critical data is backed up. RPO expresses, as a span of time, how much data would be lost if a system were to fail: with backups taken every six hours, up to six hours of changes could be lost.
  • The specific Recovery Time Objective (RTO) your system can meet. This metric is how long it would take to restore service after a failure, for example by restoring from a backup. It often depends on upstream commitments from hosting providers as well as the expertise of your internal team.
  • Any specific Service Level Agreements (SLAs) that may be in place for availability. Remember, the O in RPO/RTO stands for "objective": these are targets your plan aims for, and they are not a contractual commitment unless an SLA makes them one.
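Questions 5 and 6 in the list above ask for evidence, not just a stated number, so it helps to derive the RPO and RTO figures in your summary from records you actually hold: backup job timestamps and the start/finish times of your last restore drill. The following is an added example, not code from the original article or from Conveyor; it works on a constructed list of backup snapshot times and a constructed restore drill, and the six-hour backup schedule, the missing 18:00 job and the RPO/RTO targets are all assumptions chosen for illustration.

```python
"""Check declared RPO/RTO figures against backup and restore-drill records.

Added example for a BC/DR summary. All sample data below is constructed
for illustration and does not describe any real system.
"""
from datetime import datetime, timezone

# Constructed sample: completion times of backup snapshots, as a backup
# job log might record them. The schedule is nominally every six hours,
# but the 2024-03-01T18:00 job is missing, leaving a twelve-hour gap.
SAMPLE_SNAPSHOTS = [
    "2024-03-01T00:00:00Z",
    "2024-03-01T06:00:00Z",
    "2024-03-01T12:00:00Z",
    "2024-03-02T00:00:00Z",
    "2024-03-02T06:00:00Z",
]

# Constructed sample: start and finish of the most recent restore exercise.
SAMPLE_RESTORE_STARTED = "2024-03-02T00:00:00Z"
SAMPLE_RESTORE_COMPLETED = "2024-03-02T03:15:00Z"


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hours(delta) -> float:
    """Express a timedelta in hours, the unit RPO/RTO are usually stated in."""
    return delta.total_seconds() / 3600


def worst_backup_gap_hours(snapshots) -> float:
    """Largest interval between consecutive snapshots.

    A declared RPO is only credible if no observed gap exceeds it, so the
    worst gap (not the nominal schedule) is the number to report.
    """
    times = sorted(parse_utc(t) for t in snapshots)
    if len(times) < 2:
        raise ValueError("need at least two snapshots to measure an interval")
    return max(hours(later - earlier) for earlier, later in zip(times, times[1:]))


def data_loss_hours_at(snapshots, failure_time: str) -> float:
    """Data that would be lost if the system failed at failure_time.

    That is the time since the most recent snapshot that predates the failure.
    """
    failed_at = parse_utc(failure_time)
    restorable = [t for t in (parse_utc(s) for s in snapshots) if t <= failed_at]
    if not restorable:
        raise ValueError("no snapshot predates the failure; nothing to restore from")
    return hours(failed_at - max(restorable))


def rpo_evidence(snapshots, rpo_hours: float) -> dict:
    """Compare the declared RPO with what the backup record supports."""
    worst = worst_backup_gap_hours(snapshots)
    return {"worst_gap_hours": worst, "rpo_hours": rpo_hours, "rpo_met": worst <= rpo_hours}


def rto_evidence(restore_started: str, restore_completed: str, rto_hours: float) -> dict:
    """Compare the declared RTO with the duration of the last restore drill."""
    elapsed = hours(parse_utc(restore_completed) - parse_utc(restore_started))
    return {"restore_hours": elapsed, "rto_hours": rto_hours, "rto_met": elapsed <= rto_hours}


if __name__ == "__main__":
    # A six-hour RPO is what the nominal schedule suggests, but the missing
    # job means the evidence only supports twelve hours.
    print(rpo_evidence(SAMPLE_SNAPSHOTS, rpo_hours=6))
    print(rpo_evidence(SAMPLE_SNAPSHOTS, rpo_hours=12))
    print("loss if failed at 2024-03-01T20:30Z:",
          data_loss_hours_at(SAMPLE_SNAPSHOTS, "2024-03-01T20:30:00Z"), "hours")
    print(rto_evidence(SAMPLE_RESTORE_STARTED, SAMPLE_RESTORE_COMPLETED, rto_hours=4))
```

Run against your own backup log export and drill records, the two dictionaries give you the "what was tested, when, and with what result" detail that questions 5 and 6 ask for, and the worst-gap check catches the case where a silently skipped job makes the RPO in your summary better than what your records can prove.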

Why have a BC/DR summary?

There are a few reasons to spend time organizing your BC/DR summary so that it answers the commonly asked questions.

  1. To have a documented policy to reference. Use this document as you would an information security whitepaper or other summary compliance documents describing your security posture.
  2. To share with customers in a trust center. If you include this document in your trust center behind an NDA gate, customers can download it themselves and find the answers to their questions, which may prevent them from sending you a questionnaire.
  3. To use as source material for automating answers to security questionnaires. If you use software to generate security questionnaire responses, using a BC/DR summary as a source document for that AI software is important, because most security questionnaires contain several questions on this topic alone. If you aren't using software, it is still a useful reference for your internal teams when completing a security questionnaire.

Next steps: Use our template to proactively get ahead of customer questions

Because we help hundreds of companies build trust with each other through answering security questionnaires, we know what questions are most commonly asked.

As a next step, consider downloading the Conveyor Business Continuity and Disaster Recovery (BC/DR) Summary Template, which has placeholders for some of the most commonly asked questions. If you fill this template out and give your customers and prospects access to it, chances are you will dodge some security questionnaires altogether.

And when you do need to fill one in, using the BC/DR summary as an input to your question-answering workflow can help automate answering a large chunk of the questions. When using the template, feel free to add any additional content you think may be relevant to your customers and other interested parties.
