Int. J. Business Continuity and Risk Management, Vol. 12, No. 1, 2022

A framework for IS/IT disaster recovery planning

Rafi Ashrafi*
Information Systems Department,
College of Economics and Political Science,
Sultan Qaboos University,
P.O. Box 20, PC 123, Muscat, Oman
Email: rafi@squ.edu.om
Email: Rafi.ashrafi@gmail.com
*Corresponding author

Haitham AlKindi
Muscat Clearing and Depository,
P.O. Box 952, PC 112, Ruwi,
Muscat, Oman
Email: hah9111@gmail.com

Abstract: As organisations increasingly rely on data, information, and
technology, they are exposed to various disasters such as power outages,
natural disasters, fraud, terrorist attacks and viruses. These disasters may cause
disruption to the organisation’s services and may have an impact on business
(Karim, 2011). As a result, information systems (IS)/information technology
(IT) disaster recovery planning (DRP) has received considerable attention
among practitioners and researchers during the past two decades (Lewis
et al., 2003; Nelson, 2006). Literature shows that there is a lack of suitable
frameworks for IT DRP (Baham et al., 2017). To fill this gap, this study
identifies a set of 10 critical success factors (CSFs) from previous research,
defines the effectiveness of IT DRP, and proposes a framework for IS/IT DRP.
The framework establishes a relationship between CSFs and DRP
effectiveness. This study will help organisations in adopting a suitable
framework and improving their disaster recovery efforts in order to be more
effective in dealing with IS/IT disasters.

Keywords: information technology; information systems; disaster recovery
planning; DRP; framework; critical success factors; CSFs.

Reference to this paper should be made as follows: Ashrafi, R. and AlKindi, H.
(2022) ‘A framework for IS/IT disaster recovery planning’, Int. J. Business
Continuity and Risk Management, Vol. 12, No. 1, pp.1–21.

Biographical notes: Rafi Ashrafi is an Associate Professor in Information
Systems Department at the College of Economics and Political Science, Sultan
Qaboos University, Oman. He has over 30 years of teaching, research and
consulting experience in academia and industry in the Middle East and Canada.
He has worked as a project manager, program manager and consultant in IT
project management in Canada. He was also a researcher and an Adjunct
Professor at the University of Calgary, where he taught graduate courses in the
Haskayne School of Business and Schulich School of Engineering. He has
published over 50 research papers in international journals and conference
proceedings. His research interests include project management, quality
assurance, strategic value of IT, ICT adoption in SMEs, IT audit, and IT
disaster recovery and business continuity.

Haitham AlKindi received his BSc and MSc in Information Systems from
Sultan Qaboos University, Oman. Currently, he is working as the Deputy IT
Manager at Muscat Clearing and Depository, leading a number of IT projects.
As an IT professional, he is passionate in adapting and practicing standards and
frameworks such as ITIL, COBIT5, ISO 27000 series and NIST Cybersecurity
Framework.

Copyright © 2022 Inderscience Enterprises Ltd.

1 Introduction

As organisations increasingly rely on data, information, and technology, they are exposed
to various risks that may cause disruption to some or all of their operations (Barbara,
2006). Due to the impact of risk events that have happened within the past few years in
the economic, political and technological environments of organisations, they have now
realised the importance of IT business continuity (BC) and disaster recovery (DR)
(Nelson, 2006). Organisations and enterprises can no longer afford the havoc and chaos
that occur when they are hit by a disaster (Chow and Ha, 2009). Therefore, it is
imperative for organisations to protect their data, information, and technology, the most
important assets of an organisation in the digital age of today. As a result, IT DRP has
become a top concern for IT executives (Kappleman et al., 2013), and many
organisations have made DR one of their major priorities (Lewis et al., 2003).

Table 1 List of acronyms used in the study

BC      Business continuity
BCM     Business continuity management
BCP     Business continuity plan
BIA     Business impact analysis
CEO     Chief executive officer
CIO     Chief information officer
CSF     Critical success factor
DR      Disaster recovery
DRP     Disaster recovery planning/plan
IS      Information systems
IT      Information technology
MADT    Maximum allowable downtime
MTPD    Maximum tolerable period of disruption
RPO     Recovery point objective
RTO     Recovery time objective
SOX     Sarbanes-Oxley act
TOE     Technology, organisation and environment

The main purpose of IT disaster recovery planning (DRP) is to make sure that when a
disaster occurs, all IT systems and functions, and especially all critical functions, are back
in operation with the most critical data restored within a reasonable time. Since most
organisations rely on data, technology, and information, they spend a huge amount of
money to protect these assets. Organisations have become aware of the risks of losing
their valuable assets, and have therefore realised the importance of having a DR Plan in
place (Statewide Disaster Recovery Planning for Information Technology Systems,
2010). A global benchmark survey conducted by The State of Global Disaster Recovery
Preparedness (2014) showed that 73% of companies worldwide do not have a DR
strategy and have not taken adequate steps to protect their IT systems and data. Studies
have shown that corporations with a BC/DR plan in place before the September 11th,
2001 attacks in the USA recovered more efficiently and faster than those that did not
(Castillo, 2004; Barbara, 2006). A number of studies reported on the importance and need
of IT DR planning (El‐Temtamy et al., 2016; Haji, 2016; Yang et al., 2015; Cook, 2015;
Nair, 2014; Costello, 2012; Karim, 2011; Lewis et al., 2003; Perna, 2014). This study
builds on the previous research and focuses on developing a framework for IT DRP.
Table 1 provides a list of the acronyms used in this study.

1.1 Problem statement


Many managers consider business continuity and DRP to be synonymous, while many
others relegate DR planning to information technology or information systems (Nelson,
2006). Many organisations that implement BC usually integrate DR Planning as a part of
the business continuity (Pinta, 2011). According to some researchers, DR is much wider
in scope, and some consider it as a subset of BC. DR Planning is defined as the
procedures and instructions an organisation should follow after a natural or a man‐made
disaster occurs in order to ensure the stability and continuity of business operations and
functions (Karim, 2011). Blokdijk (2008) considered DR planning to be a strategic plan
whose job is to recuperate access to the important information and data after the event of
disaster.
However, the literature shows that there is a lack of a framework on effective DR
Planning (Baham et al., 2017). This study addresses that gap.
The State of Global Disaster Recovery Preparedness (2014) survey found that
73% of companies worldwide failed to test DR planning, 36% of incidents were
the result of the loss of a critical application, and 25% had lost most of their entire datacenter
site for hours or even days. Moreover, 20% of the respondents reported losses from more
than $50,000 to over $5 million. From the above literature, it is clear that many
organisations lack effective DR Planning for many reasons, even though they have
incorporated it into their systems.
This study will help organisations in identifying the factors that have the greatest
impact on the effectiveness of DR Planning and will help organisations focus on these
factors, which will enable organisations to effectively recover their most critical assets in
data, information, and systems.
This study aims to investigate the effectiveness of DR. Therefore, the following
research questions are investigated:
1 What are the most important CSFs for DR Planning?
2 What can be done to improve the effectiveness of the DR Planning process?
Thus, in order to answer the above questions, the following objectives are set:
1 To identify a set of CSFs from literature for DR planning.
2 To develop a framework for effective DR planning.
This study contributes to the knowledge area of DR Planning by conducting a
comprehensive review of literature on CSFs in IT DR Planning. Via the literature review,
this study selects 10 critical success factors (CSFs) based on the criteria of being reported
by three or more research studies. The study also develops a framework for IT DRP
based on the Technology, Organization and Environment (TOE) framework (DePietro
et al., 1990). Furthermore, the study defines the effectiveness of DRP, develops
measurements for effectiveness, and finally proposes a model to investigate the
cause‐effect relationship between CSFs and their effectiveness. This study will help
organisations in improving their DRP by focusing on the identified CSFs.
The first section of this paper provides a background on IT DR Planning and its
importance. The second section provides a literature review on IT DR Planning with the
view to identify the most important CSFs for DRP. The third section develops a
conceptual framework for DR Planning, and defines ‘effectiveness’ for DR Planning. The
final section contains the conclusion and the recommendations along with the limitations
of the study and suggestions for future research.

2 Literature review

First we define relevant terms, and then we review the literature.


A disaster is defined as an unexpected event which has the capacity for disruption of
a business, corporation, or government. A disaster can happen at any time in any
organisation.
IT disruptions in the healthcare industry cost 1.6 billion US dollars each year (Perna,
2014). In the literature, the terms business continuity, business recovery, DR, IT DR,
emergency management, and crisis management are used interchangeably, whereas in the
view of some authors they are different. IT DR Planning is concerned with the recovery
of systems and infrastructure components. Business continuity has a larger scope through
the determination of which business components and functions need to be recovered and
when they need to be recovered by, including those that can be ignored for a period of
time (Hiller et al., 2015). Business continuity planning (BCP) aims to develop
appropriate plans pre‐disaster in order to resume key business operations to a minimum
acceptable pre‐defined level (Sahebjamnia et al., 2015). On the other hand, DRP strives
to ensure the full recovery of all disrupted operations to their normal business state
post‐disaster.

Definition of DR/DR planning


DR planning is considered to be a subset of business continuity management (BCM) in
which business functions and operations must be relocated to where all related back‐up
facilities for systems exist (Hoong and Marthandan, 2014). Karim (2011) described DRP
as a subset theme of business continuity which focuses more on information, and is
defined as the procedures and instructions an organisation should follow after a natural or
man‐made disaster in order to ensure the stability and continuity of business operations
and functions. DRP establishes how an organisation will bring back its IT systems and
services once they have been interrupted (Omar et al., 2011).
In this paper, we define IT DR Planning as a process that focuses on a few of the
most important factors, called CSFs, so that an organisation can recover from a disaster
and is able to restore its most critical functions and data within a reasonable time.

Definition of CSFs
Rockart (1979) defines CSFs as those few key areas of activity in which favourable
results are absolutely necessary for a particular manager to reach his or her goals.
Barbara (2006) defined CSFs as performance measures which must be achieved
satisfactorily and paid attention to, in order to ensure a successful and competitive
performance by the organisation. Wali et al. (2003) define CSFs as essential areas which
must perform well to meet the objectives and goals of the organisation.
In our view, CSFs are the few most important factors that an organisation must focus
on in order to achieve its objectives.

Definition of RTO and RPO


A number of studies in DRP literature emphasise that the effectiveness of a DR Plan can
be measured through recovery time objective (RTO) and recovery point objective (RPO)
metrics.
RTO is defined as the acceptable period of time in which an organisation can recover
a service or process (Gibb and Buchanan, 2006). The State of Global Disaster Recovery
Preparedness (2014) defines RTO as the speed with which one organisation can recover
its critical functions. In this study we have adopted Gibb and Buchanan’s (2006) definition
of RTO.
RPO refers to a point in time by which data, processes, and records must be restored
in order to ensure that critical business processes are fully functional (Barbara, 2006). We
have adopted Barbara’s (2006) definition of RPO.
Usually both RTO and RPO are referred to as the maximum allowable downtime
(MADT), or sometimes the maximum tolerable period of disruption (MTPD)
(BCMpedia, n.d.; Barbara, 2006). One classification method to define the ‘MADT’ is by
the criticality of the system, as defined in Table 2.

Table 2 Maximum allowable downtime classification

Time without system operations    Level of criticality
Within 24 hours                   Highly critical
Between 1 to 5 working days       Critical
More than 5 working days          Less critical

Source: Barbara (2006, p.34)
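
A drill check built on the RTO and RPO definitions above and the Table 2 bands, as an added example that is not from the paper. The system names, timestamps and the Saturday/Sunday weekend are constructed assumptions, and RPO is read operationally as the maximum acceptable age of the last good backup at the moment of the outage.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SAT_SUN = (5, 6)  # assumption: weekend days as datetime.weekday() values (Mon=0)


@dataclass(frozen=True)
class Tolerance:
    amount: int
    unit: str  # "hours" or "working_days", the two units Table 2 uses


@dataclass(frozen=True)
class System:
    name: str
    rto: Tolerance
    rpo: timedelta  # assumed reading: maximum age of the restore point


@dataclass(frozen=True)
class Drill:
    last_good_backup: datetime
    outage_start: datetime
    service_restored: datetime


def classify(tol):
    """Map a downtime tolerance to the criticality bands of Table 2."""
    if tol.amount <= 0:
        raise ValueError("tolerance must be positive")
    if tol.unit == "hours":
        if tol.amount <= 24:
            return "Highly critical"
        # Table 2 has no band for "more than 24 hours" stated in hours.
        raise ValueError("beyond 24 hours, state the tolerance in working days")
    if tol.unit == "working_days":
        return "Critical" if tol.amount <= 5 else "Less critical"
    raise ValueError(f"unknown unit: {tol.unit!r}")


def deadline(start, tol, weekend=SAT_SUN):
    """Latest moment the service may come back and still meet the RTO."""
    if tol.unit == "hours":
        return start + timedelta(hours=tol.amount)
    day, remaining = start, tol.amount
    while remaining > 0:  # step one calendar day at a time, skipping weekends
        day += timedelta(days=1)
        if day.weekday() not in weekend:
            remaining -= 1
    return day


def evaluate(system, drill, weekend=SAT_SUN):
    """Compare one drill's measured times with the system's RTO and RPO."""
    if not drill.last_good_backup <= drill.outage_start <= drill.service_restored:
        raise ValueError("drill timestamps are out of order")
    level = classify(system.rto)  # also rejects malformed tolerances
    due = deadline(drill.outage_start, system.rto, weekend)
    data_loss = drill.outage_start - drill.last_good_backup
    return {
        "system": system.name,
        "criticality": level,
        "rto_deadline": due,
        "rto_met": drill.service_restored <= due,
        "data_loss": data_loss,
        "rpo_met": data_loss <= system.rpo,
    }


# Constructed sample inventory and drill measurements (not from the paper).
OUTAGE = datetime(2022, 3, 3, 14, 0)  # a Thursday
SYSTEMS = {
    "settlement-db": System("settlement-db", Tolerance(4, "hours"),
                            timedelta(minutes=15)),
    "hr-portal": System("hr-portal", Tolerance(3, "working_days"),
                        timedelta(hours=24)),
    "archive": System("archive", Tolerance(10, "working_days"),
                      timedelta(days=7)),
}
DRILLS = {
    "settlement-db": Drill(datetime(2022, 3, 3, 13, 50), OUTAGE,
                           datetime(2022, 3, 3, 17, 30)),
    "hr-portal": Drill(datetime(2022, 3, 2, 2, 0), OUTAGE,
                       datetime(2022, 3, 8, 9, 0)),
    "archive": Drill(datetime(2022, 2, 28, 0, 0), OUTAGE,
                     datetime(2022, 3, 18, 10, 0)),
}


def run_report():
    """Evaluate every sample system against its drill."""
    return [evaluate(SYSTEMS[name], DRILLS[name]) for name in SYSTEMS]


if __name__ == "__main__":
    for row in run_report():
        print(row)
```
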
In order to facilitate an efficient recovery and to clarify the roles and responsibilities of
various organisational units, we have developed a model based on TOE (DePietro
et al., 1990) that categorises the identified CSFs into three categories: technology,
organisation (further divided into management and operations), and environment (details
are provided in Section 3).

In the next section we review the selected literature on DR Planning CSFs.

Literature review
DRP has become a priority for organisations. Lack of DR Planning may lead to loss of
reputation and market share, decreased customer service and business process failure,
regulatory liability and increased resuming and restoring times (Sahebjamnia et al.,
2015). The main objective of DR Planning is to protect enterprise information technology
resources as well as business functions through reducing the impact of disaster. This
is done by following and executing proper recovery procedures (Omar et al., 2011).
Several studies have reported on DR Planning CSFs. However, some of these studies
have used non‐business entities such as libraries, museums, academic computing centres,
academic institutions, healthcare, and telecommunications regulatory agencies which
make it difficult to generalise the conclusions of these studies in a business environment
(El‐Temtamy et al., 2016). There are also very few studies that report empirical evidence
in support of the effectiveness of the DR Planning CSFs, and they lack implementation
models for BCM/DRP. Further research is needed to guide the proper selection of the
CSFs, to have a framework to guide its implementation from an organisational
perspective, and to assess the effectiveness of these CSFs and framework.
Chow (2000) surveyed the literature and identified 17 success factors for DRP based
on a survey of 98 respondents from banking, manufacturing, trading, and hotel industry
sectors in Hong Kong. However, their study did not develop or suggest a framework.
Later, in a follow‐up study, Chow and Ha (2009) identified 14 DRP CSFs for IS
functions. A list of their success factors is mentioned in Table 3.
Barbara (2006) examined whether the ranking of CSFs for implementing BC/DR
programs has changed from previous research, specifically after the events of
September 11, 2001. Barbara (2006) used a multi‐method approach, a qualitative analysis
of 11 interviews and quantitative analysis of 52 respondents through a survey in Canada.
Their study used the 17 CSFs found by Chow (2000), and added three themselves.
Finally, they ranked the top five CSFs and compared them with Chow’s (2000) top five
CSFs. Barbara (2006) reported two sets of top 5 CSFs, one based on interviews, and
another one based on the survey. Three factors were common in both sets: business
impact analysis (BIA), maintenance of BCP/DRP, and periodical testing of BCP/DRP.
Training of recovery personnel and engagement of external consultants were included in
the interview top 5 CSFs, and top management support and alignment of BC/DR
objectives with company goals were included in the top 5 survey CSFs. Their results
show that the top five ranked CSFs have changed since Chow’s study.
Hoong and Marthandan (2011) reviewed literature on DRP and BCM, identified
factors, and developed a framework for DRP and BCM implementation. In another paper,
Hoong and Marthandan (2014) reported critical dimensions of DRP that impact DRP
procedures, and contribute to a successful DRP to minimise the impacts of IT service
outages. Their study used TOE (DePietro et al., 1990) to explore the adoption of DRP
processes in the financial industry in Malaysia. They identified 8 critical dimensions:
external pressures to adopt DRP; top management support; staff competency; business
environment; roles and responsibilities; perceived BC benefits; technology competence;
and IT availability and reliability.

Table 3 List of CSFs identified through literature review

No.  Authors: DRP CSFs

1  Chow (2000): Top management commitment, adequate financial support, alignment of
   DRP goals with company objectives, adoption of project management,
   presence of a formal recovery planning committee, participation of
   representatives from each department, engagement of external
   consultants, risk assessment and impact analysis, determination of
   maximum IS allowable downtime, prioritization of IS applications,
   off-site storage of backup, presence of emergency response procedures,
   training of recovery personnel, appropriate backup site, periodical testing
   of DRP, maintenance of DRP, insurance coverage of IS loss
2  Barbara (2006): Top management commitment, adequate financial support, alignment of
   DRP objectives with company goals, adoption of project management
   techniques, presence of a formal recovery planning committee,
   participation of representatives from each department, engagement of
   external consultants, risk assessment, impact analysis, determination of
   maximum allowable downtime, prioritization of IS applications, off-site
   storage of backup, presence of emergency response procedures, training
   of recovery personnel, appropriate backup site, periodical testing of
   BC/DR plan, maintenance of DRP, insurance coverage of IS loss,
   effective communication, service-level-agreements (SLAs), BC/DR
   implementation plan and template
3  Chow and Ha (2009): Top management commitment, policy and goals, steering committee, risk
   assessment and impact analysis, prioritization, minimum processing
   requirements, alternative site, backup storage, recovery team, testing,
   training, documentation, maintenance, IS function personnel participation
4  Hoong and Marthandan (2011): Top management commitment, IT availability, technology competency,
   infrastructure advantages, business continuity benefits, organizational
   readiness, external pressure to adopt BC, environment characteristics,
   business environment, staff competencies, roles and responsibilities,
   stakeholders relationships
5  Hoong and Marthandan (2014): Top management commitment, IT availability, technology competency,
   complexity, BC benefits, organizational compatibility, external pressure
   to adopt BC, infrastructure readiness, business environment, trading
   partner readiness, roles and responsibilities.
6  El-Temtamy et al. (2016): Top management commitment, business impact analysis, resources
   utilized in developing DRP, DRP documentation, employee readiness and
   awareness, risk and threats, control and recovery strategies, exercising
   testing
7  Cook (2015): Top management support, DR committee, DRP maintenance and staff
   representation, training of DR team, DR testing, business impact analysis
   and risk assessment
8  Haji (2016): Top management support, alignment of DRP goals with organization
   objectives, DRP maintenance and staff representation, prioritization of
   applications, DR testing, appropriate backup site, business impact
   analysis and risk assessment, DRP documentation
9  The DR Preparation Council (2014): Top management support, prioritization of applications and services, DR
   testing, appropriate back up site, DRP documentation.
10 Karim (2011): Strategic management, business risk analysis, BCP resources, training
   and awareness, BCP documentation, organization preparedness,
   information life cycle management.

Notes: Italics show the ten identified CSFs (reported by three or more studies): top
management support and commitment, DR committees, DRP maintenance and
staff representation, training of DR team, appropriate back up site, prioritisation of
applications and services, BIA and risk assessment, DRP documentation,
alignment of DRP Goals with organisational objectives, and DRP testing.

El‐Temtamy et al. (2016) reviewed IT DRP practices in public companies listed in the
Abu Dhabi/UAE security exchange. They found the main factors in DR Planning to be:
top management support, BIA, resources utilised in developing DRP, DRP
documentation, employee preparedness and awareness, risks and threats, controls and
recovery strategies, and exercising testing.
Karim (2011) presented a conceptual model for measuring the factors of BCP and
Business Disaster Preparedness through the use of statistical indicators. Their paper
concludes that there is a significant effect on the successful preparedness to a disaster of:
strategic management, business risk analysis, training and awareness, and information
life cycle management.
Tu et al. (2018) conducted a CSF analysis of strategic value alignment for information
security management. They found the top CSFs to be business alignment, top
management support, organisational awareness of security risks and control, and
performance evaluation.
Bakar et al. (2015) conducted a comprehensive review of the literature on BCM CSFs
and selected four broad factors: management support, external requirements,
organisational preparedness, and embeddedness of continuity practices. They proposed a
model that investigated the impact of these factors on the financial and non‐financial
performance of an organisation.
Haji (2016) reviewed BC practices in the airline industry and proposed solutions for
IT DR sites. Although Haji’s 2016 study is related to the airline industry, he has
identified the following critical factors: top management support, alignment of BC/DR
strategy with organisational goals, BIA, IT DR site, DR procedures, periodic testing of
applications, communication with staff, standard recovery framework, and ongoing
improvement of recovery strategy. These factors are equally applicable to other
industries.
Jarvelainen (2013) reported results of a survey of 84 IT Managers and CIOs on IT
incidents and business impact in large public and private organisations in Finland. She
developed and validated a framework for BC management in information systems. Her
results suggest that top management support is the key factor, and embeddedness of
continuity practices, organisational alertness and preparedness, and external requirements
have perceived business impacts.
The Disaster Recovery Preparedness Council (2014) in their annual report on the state
of global DR preparedness found that 73% of organisations failed in terms of disaster
readiness, and the incidence and costs of outages remain a major challenge for many
organisations. The main reasons for the losses were lack of DRP, testing, and resources.
The Council suggested having a detailed DR plan, defining DR metrics for RTOs and
RPOs, allocating adequate resources and budget, training DR staff, identification of
critical applications, preparation of a DR backup site, and frequent testing of critical
applications to validate recovery within defined RTOs/RPOs.
Cook (2015) examined 105 articles published during the last 20 years and developed
a six‐stage framework that includes not only technology, but also people and processes.
He conducted 21 semi‐structured interviews of senior IT managers from various industry
sectors in the USA to validate the framework’s applicability in real life settings. His
six‐stage BC/DR Planning cycle includes governance structure, plan initiation, BIA and
risk assessment, design/updating of the plan, testing/training, and maintenance. Important
elements of his framework include upper management support, strategic goals, list of
critical processes, BIA and risk assessment, specific time data for critical processes (e.g.,
RTOs and RPOs), data storage, designing BC/DRP, testing and training, maintenance and
update of BC/DR Plan, budget, and back up.
Many studies have emphasised that the key to successful IT DR Planning depends on
several factors. For example, top management support is an essential element to ensure
ongoing funding and necessary resources (Chow, 2000; Nelson, 2006; Jarvelainen, 2013).
A number of researchers indicate that the periodic testing of DR Plans is to make sure
that the plan is up‐to‐date and is workable (Castillo, 2004; Enshasy, 2009; Chow and Ha,
2009; Mohamed, 2014). Other factors identified include: objective of DR Plan and its
alignment with organisation’s objectives (Chow, 2000; Barbara, 2006; Al-Hazmi and
Malaiya, 2013), conducting risk assessment and impact analysis (Wold, 2006), up‐to‐date
DR Plan document (Chow and Ha, 2009; Hoong and Marthandan, 2014), and
maintaining a backup site (Barbara, 2006; Chow and Ha, 2009).
Table 3 summarises various CSFs that were identified by researchers during the last
20 years.
Sahebjamnia et al. (2015) quoting Galindo and Batta (2013) reported that most of the
research gaps highlighted by Altay and Green (2006) have remained without any drastic
changes. This study attempts to fill that gap by identifying a set of the most important
CSFs, and developing a framework based on the TOE model. Based on the literature
review, we selected 10 CSFs that have been identified by 3 or more studies. It has been
found that there is a lack of research on assessing the effectiveness of DR Planning CSFs
(El‐Temtamy et al., 2016; Hoong and Marthandan, 2014; Sawalha, 2011). This study
attempts to fill this gap as well.
The following section discusses in more detail each CSF identified as important in the
literature review.
IT/IS DR planning CSFs.

2.1 Top management support and commitment


The support and commitment of top management is very important for the success of DR
Planning (Haji, 2016; Cook, 2015; Hawkins et al., 2000). Top management is responsible
for providing resources to meet the objectives and goals of the organisation (Blokdijk,
2008; Nelson, 2006; Botha and von Solms, 2004). DR Planning is a long‐term planning
activity, and therefore only the commitment of top management will ensure the ongoing
provision and availability of resources to support it (Haji, 2016; Wold, 2006; Chow,
2000). Furthermore, funding for DR Planning is considered one of the major barriers and
challenges by organisations. The cost of DR Planning from development through to
maintenance provides no immediate return on the money invested in it (Cook, 2015;
Wold, 2006; Chow and Ha, 2009). Therefore, financial support is very important to
ensure successful DRP launching (Barbara, 2006).

2.2 Alignment of DRP’s goals with an organisation’s objectives


Top management will be more committed to the DR Plan if the objectives of the DR Plan
are aligned with the organisation’s goals and objectives (Wong et al., 1994). Haji (2016)
and Chow (2000) emphasised that since the DR Plan concerns the whole organisation it is
essential to align its scope and the objectives with the corporate mission. In addition,
Costello (2012) emphasises that a truly effective DR Plan should be linked to the critical
business needs.

2.3 DR committee
Since the functions within the organisation will be affected by the development of the DR
Plan, it is essential that the top management appoint a formal DR committee to
coordinate all the functional units in the organisation (Cook, 2015; Blokdijk, 2008;
Chow, 2000).
The purpose of appointing a formal DR committee is to perform risk analysis for all
functional areas throughout the organisation so that all the potential damage can be
minimised and plans for fast recovery are in place (Cook, 2015; Hawkins et al., 2000).

2.4 DR plan maintenance and staff representation


The involvement of representatives from all functional areas throughout the organisation
in the formal DR committee is essential for addressing different perspectives of DR Plan,
since those representatives are more familiar with the functional units (Haji, 2016;
Asgary et al., 2012; Chow and Ha, 2009). In addition, ensuring that the DR Plan is
regularly reviewed, updated, and evaluated is an essential task that needs to be done
periodically (Haji, 2016; Cook, 2015; Asgary et al., 2012; Chow and Ha, 2009).

2.5 Risk assessment and BIA


Risk assessment and BIA are used to assist the organisation in determining any possible
disaster that might affect critical business functions. Therefore, it is essential for the
recovery planning committee to perform a risk assessment and impact analysis
throughout the organisation’s functional areas (Haji, 2016; Cook, 2015; Blokdijk, 2008;
Wold, 2006). In addition, an effective DR Plan strategy depends on risk assessment and
impact analysis of the critical business functions (Haji, 2016; Cook, 2015; Blokdijk,
2008; Chow and Ha, 2009). Moreover, according to Hawkins et al. (2000), BIA identifies
the critical functions of the organisation which are essential to keep it running day‐to‐day.
Hence, risk assessment is performed on these critical business functions to identify
possible threats, for instance, natural disasters, hardware or software failures, or even
man‐made errors. In addition, losing information or critical business functions must
include a cost analysis which is performed by the planning recovery committee (Wold,
2006).

2.6 Prioritisation of applications and services


Not all applications in an organisation have equal importance; thus, ranking these
applications depends on how much the business will be affected if a disruption occurs
due to a disaster (Asgary et al., 2012; Chow and Ha, 2009; Blokdijk, 2008). When the DR
Plan is developed, critical applications will have different protective levels which need to
be considered carefully (Haji, 2016; Asgary et al., 2012; Costello, 2012; Blokdijk, 2008;
Wold, 2006).

2.7 Appropriate backup site


Off‐site storage of backup refers to how the critical data of the organisation will be
backed up and kept safe off‐site, where the organisation can easily retrieve and restore it
immediately after a disaster occurs (Haji, 2016; Barbara, 2006). Hence, the off‐site
location should be placed at a fair distance from the organisation’s location so that if a
disaster strikes the organisation, the off‐site location will not be impacted (Chow and Ha,
2009). There are different options for an off‐site backup strategy. The first of these
options is a ‘hot‐site’ where there are redundant systems, applications, and infrastructure
that are identical to the distantly‐located production site, and where staff can be relocated
immediately. A ‘warm‐site’ is the second backup strategy, the difference between
‘warm‐’ and ‘hot‐site’ being that ‘warm‐site’ requires little configuration (Peterson,
2009). The third option is a ‘cold‐site’, which is typically an empty office with minimum
requirements of infrastructure (Peterson, 2009). Only a slight disruption in the processes
of the organisation can have a significant impact on its survival. A ‘hot‐site’ might be the
only alternative where data is being duplicated through standby mode.

2.8 DRP testing


Testing the DR Plan is crucial to making sure that it is effective in the event of a disaster
(Cook, 2015; Chow and Ha, 2009). The DR Plan can become obsolete through the
business changes which happen continuously, so testing the DR Plan is essential
(Barbara, 2006). The main purpose of testing is to ensure that the DR Plan is reliable and
accurate in case the organisation is disturbed by an incident. Its periodic testing proves
the capability of the organisation to recover. However, according to The State of Global
Disaster Recovery Preparedness (2014), statistics show that 23% of respondents have
never tested their DR Plan, and 65% did not pass the DR Plan test. These statistics
indicate the shortfall of DR Plan testing in most organisations, despite the fact that
periodic DR Plan testing is considered to be very useful for training and for obtaining
valuable information before a real disaster situation occurs (Barbara, 2006). There are a
number of test programs to test the DR Plan, such as the walk‐through test, the checklist test,
the simulation test, parallel tests, and full interruption tests (Wold, 2006).

2.9 DR plan documentation


It is believed that a DR Plan is a living document which needs to be updated continually
as business processes and functions change (Haji, 2016; Blokdijk, 2008; Nelson, 2006).
In addition, due to quick changes in IS technology and in business strategy, it is essential
to review the DR Plan as often as possible (Chow, 2000). In order to ensure an efficient
recovery from disaster, it is vital to document roles, responsibilities, process
accountability, and ownership (Hoong and Marthandan, 2011). The DR Plan must
include all the resources and data required, and the actions to be taken in order to manage
the recovery of business functions in the event of business interruption in order to assist
the organisation in the restoration of business processes (Mark, 2013).

2.10 Training of the DR team


When the implementation of the DR Plan is ready, a training program is required to
ensure that all staff are aware of their roles and responsibilities (Cook, 2015; Chow and
Ha, 2009). The effectiveness of the DR Plan will be compromised if any of the staff are
unaware of their roles and responsibilities (Barbara, 2006). Training can be provided to
the staff through various educational methods, i.e. in‐house training, external consulting,
walkthrough, and even simulation (Barbara, 2006). Moreover, training the staff will
minimise the potential for operational errors during a real disaster (Chow and Ha, 2009).
Thus, proper training is essential to ensure that DRP procedures are achieved as planned.
A number of studies have identified the need for suitable frameworks for IT DR
Planning and business continuity. Jarvelainen (2013) reported that no frameworks for
information system continuity management have yet been validated. They proposed a
framework and validated it in a survey of IT managers in large private organisations and
public organisations in Finland. Sahebjamnia et al. (2015) found that DR Planning for
business still lacks a methodological direction.
In the next section, we develop a framework for DRP that consists of the identified
DRP CSFs and is based on the TOE framework.

3 Framework development

Crisis and disaster preparedness has become an important function in organisations of all
types, whether they are financial, engineering, telecommunications, banking or health
service providers (Wrobel, 2008). Crises and emergencies can happen at any time in any
organisation. Therefore, through proper planning for unexpected catastrophic events,
organisations can be better prepared to handle these unforeseen events.
Successful crisis and DR management incorporates organisational programs and
awareness; for example, DRP, BCP, and crisis management. Furthermore, DRP requires
all the organisation’s departments to work together in order to reach the ultimate goal of
having successful and effective DRP (Lockwood, 2005). An effective DR Plan should be
a comprehensive document covering management, technical, operational, and regulatory
aspects, so that roles and responsibilities are clear and it is easy to implement.

IT DR planning framework
In this section we propose a framework based on the above identified CSFs for DR
Planning and DR Plan effectiveness. This framework is based on the TOE framework.
The TOE framework was developed by DePietro et al. (1990) and it uses three contexts
that influence IT adoption: technology, organisation and environment (TOE). The ‘environment context’ refers to the outside influences
that affect the organisation such as stockholders, government compliance and regulators,
competitors, and customers. The ‘organisation context’ refers to the characteristics and
structure of the organisation, the methods used within it, the decision‐making flow, the
internal communication, and the boundary with external communication. The
‘technology context’ refers to the technology competence the organisation has and its
technology solution implementation, technical skills, and technology infrastructure
resources (Scott, 2007; Angeles, 2014). Next, we provide details of the proposed
framework for effective IT DR Planning.

3.1 Technology perspective


It is believed that technology has accelerated business operations and made them much
more efficient and effective (“Business Continuity Disaster Recovery Plan Steps”, n.d).
Technology is considered to be one of the most important elements of DRP but it needs
to be selected wisely and, most importantly, tested properly. As discussed in Section 2,
appropriate off‐site backup is very important for the recovery of mission‐critical data.
Within the organisation there are applications, technical processes, and services that
have different degrees of importance. Thus it is essential that IT people should give
priority to all the critical applications and services (Costello, 2012; Wold, 2006).
However, prioritisation of these critical applications will be identified through
coordination between the DRP committee team and the IT people. Off‐site back‐up and
prioritisation of applications and services is therefore considered to be a critical factor
which is categorised under the technological perspective.

3.2 Organisation
In the organisation perspective, we consider management and operational perspective
separately for clarity and due to their nature.

3.2.1 Management perspective


It is believed that strong support and commitment from senior management plays an
important role in DRP (Catania, n.d). On the other hand, lack of support from senior
management for DRP reduces its effectiveness considerably (Nelson, 2006). Within the
organisation, the management can help to promote DR by establishing a DR committee
that consists of both IT and business people.
Furthermore, DRP implementation is a strategic decision, since business availability,
asset protection, legal compliance, and managing operational risks are all strategic
matters. Therefore, it is vital to ensure that the goal of DRP is aligned with the strategic
goals of the organisation (DiMaria, 2014).
Another vital factor that could impair the effectiveness of DR Planning is providing
inadequate funding for DRP. Therefore, the extensive commitment of organisational
resources and funds is considered essential to reduce the threat and minimise the hazard
of catastrophic events (Harrald, 2006).
Based on the above discussion, the following factors are categorised under
organisation – management perspective: top management support and commitment,
adequate funding for DR Planning, and alignment of DR Planning goals with the
objectives of the organisation.

3.2.2 Operational perspective


Many authors agree that DRP requires having a formal DR committee that will
coordinate with all organisational units (Chow, 2000). One of the critical functions of the
formal DRP committee is to perform risk assessments on all functional areas throughout
the organisation so that all potential damage caused by disasters can be determined
(Hawkins et al., 2000). Moreover, involvement of representatives from all functional
areas throughout the organisation in the DR committee is essential in order to cover and
address different perspectives of various DRP stakeholders, since these representatives
are more familiar with the functional units (Chow and Ha, 2009). The reviewing and
updating of DR Planning is, furthermore, an essential and ongoing operation for the
organisation to avoid failure and ineffectiveness of DR Plan (Chow, 2000). Thus, the DR
Plan should be updated periodically in order to reflect the most recent changes within the
organisation. With an obsolete plan, recovering from a disaster will be difficult or, in the
worst‐case scenario, impossible. Therefore, the reviewing and updating of the DRP on an
ongoing basis is a vital process that must be carried out carefully.
Based on the above discussion, the following factors are categorised from an
organisation – operational perspective: DRP committee, DR Plan update, the
participation of organisational representatives, and the training of recovery personnel.

3.3 Environment perspective


An organisation also needs to consider legal and regulatory compliance for DRP, which
may affect DR Planning efforts. It is necessary to understand that all types of security
breach which affect sensitive data are a kind of disaster that may have a negative impact
on an organisation’s finances and reputation, and could lead to potential legal action.
Therefore, the corporation needs to pay attention to the type of data they are dealing with
and avoid any potential risk. They should also have recovery procedures in place to avoid
such incidents (Snedaker, 2013), as organisations that show non-compliance with legal
requirements have ended up with high costs in litigation, fines, and settlement fees which
are enforced by government regulatory agencies (Snedaker, 2013). Moreover, Snedaker
(2013) mentioned that since 2005 there have been more than 3600 public data security
breaches which have affected around one billion records. Approximately 81% of these
incidents resulted from accounts being hacked (Snedaker, 2013). In 2011, Sony’s
PlayStation Network was affected by one of the largest security data breaches ever: 77
million records were hacked, including unencrypted credit card data (Sakel, 2011). In
response, Sony was expected to spend around $170 million on personal information theft
protection programs (Sakel, 2011).
It is clear that these legalities and regulations do have an impact on an organisation’s
DRP. Organisations should obtain input from the legal or compliance officer within the
organisation in order to gain valuable input into its requirements and develop a compliant
DR Plan (Snedaker, 2013). However, CEOs and boards of directors can be held liable for
lack of DRP preparedness when the organisation fails to comply with regulations and
mandatory DRP measures. In addition, according to The Federal Financial Institutions
Examination Council Guidelines USA (Business Continuity Planning, 2015) board
members and CEOs are required to allocate sufficient resources to DR Planning. The
guidelines further describe how the organisation should control and identify risks by
conducting BIA and keeping risk assessment DR Plan documents up‐to‐date. In addition,
they must ensure that a test of the DR Plan is carried out at least annually (Wrobel, 2008).
According to Sarbanes-Oxley (SOX) Act 2002, Section 404, companies are required to
establish an internal control structure for conducting risk assessment and impact analysis
so that internal and external risks and threats are identified and analysed.
Disaster Recovery Organization (2020) shows that DR Plan documentation must be
kept up‐to‐date and any changes in the business process must be added carefully to DR
Plan documentation. Thus, DR Plan documentation can be related to the legal and
regulatory perspective.
In addition, as the DR Plan may become obsolete over time, testing is vital. The main
aim of this is to ensure its effectiveness (Barbara, 2006). Periodic testing of the DR plan
proves the capability of the organisation to recover. However, as The State of Global
Disaster Recovery Preparedness (2014) survey showed, 23% of the respondents never
test their DR Planning, while 65% did not pass the DR Plan testing. Furthermore, DR
Planning is a process, and thus it is necessary that all roles and responsibilities of both
managers and employees are clearly documented (Hoong and Marthandan, 2014). DR
Plan testing can therefore be linked directly with the legal and regulatory perspective.
Table 4 summarises all the above categorised factors in line with TOE framework.
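Table 4 TOE framework – categorisation of CSFs

| TOE framework | Modified TOE framework | Critical success factors (CSFs) |
|---|---|---|
| Technology | Technology | 1 Appropriate backup site |
| Technology | Technology | 2 Prioritisation of application and services |
| Organisation | Management | 3 Top management support and commitment |
| Organisation | Management | 4 Alignment of DRP’s goals with organisation’s objectives |
| Organisation | Operational | 5 DR committee |
| Organisation | Operational | 6 DRP maintenance and staff representation |
| Organisation | Operational | 7 Training of DR team |
| Environment | Legal and Regulatory | 8 Business impact analysis (BIA) and risk assessment |
| Environment | Legal and Regulatory | 9 DRP documentation |
| Environment | Legal and Regulatory | 10 DRP testing |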

3.4 DR plan effectiveness


In this study we also investigate DR Plan effectiveness and its relationship with the DR
Plan CSFs. Literature review indicates that there is a lack of study on DR Plan
effectiveness, and therefore it is difficult to find a proper definition for DR Plan
effectiveness. Without a clear definition, it is difficult to measure it.
According to the Oxford Dictionary, the word ‘effectiveness’ is an adjective of the
word ‘effective’ (‘Meaning of Effective’, n.d), which is defined as “successful in
producing a desired or intended result”. In addition, Thordarson (2014) defined
‘effectiveness’ as the comparison of the desired effect with the actual effect that has been
produced within a similar entity or time frame. There are many empirical studies that
have shown a positive relationship between effectiveness and other factors.
Some studies emphasise that an effective DR Plan measures its effectiveness through
RTO and RPO metrics (Al-Hazmi and Malaiya, 2013; The State of Global Disaster
Recovery Preparedness, 2014; Gibb and Buchanan, 2006). According to the State of
Global Disaster Recovery Preparedness (2014), two thirds of the respondents (60%) did
not set RTO and RPO metrics. Setting these metrics can help to raise the expectations of
top management, employees, and customers concerning DR effectiveness and can help to
improve the Plan itself as well (The State of Global Disaster Recovery Preparedness,
2014).
DR Planning effectiveness is a set of documented instructions executed in the event
of disaster, where the desired goals of the plan are executed in such a way as to ensure
that the defined RTO and the RPO are achieved.
Thus, based on the above discussion, to measure the effectiveness of the DR plan
within an organisation the best metrics used are RTO and RPO, where these two factors
should not be greater than the MADT or MTPD.
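The check described above can be run over the results of a DR test. The following is an added example, not part of the original paper: the class names, finding codes and the three test runs are constructed for illustration, and the MTPD values are assumed to come from the BIA.

```python
"""Score DR test runs against RTO/RPO targets and the MTPD ceiling."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Targets:
    rto: timedelta   # recovery time objective
    rpo: timedelta   # recovery point objective
    mtpd: timedelta  # maximum tolerable period of disruption (assumed from the BIA)


@dataclass(frozen=True)
class DrTestRun:
    app: str
    outage_start: datetime
    service_restored: datetime
    backups: tuple  # completion times of backups held at the off-site location


def achieved_rto(run: DrTestRun) -> timedelta:
    """Time from the start of the outage until the service was usable again."""
    return run.service_restored - run.outage_start


def achieved_rpo(run: DrTestRun) -> Optional[timedelta]:
    """Age of the newest backup completed before the outage (None if there is none)."""
    usable = [b for b in run.backups if b <= run.outage_start]
    return run.outage_start - max(usable) if usable else None


def findings(run: DrTestRun, t: Targets) -> list:
    """Return finding codes; an empty list means the run met its objectives."""
    out = []
    # Plan-level check: neither objective may be set above the MTPD.
    if t.rto > t.mtpd:
        out.append("RTO_TARGET_ABOVE_MTPD")
    if t.rpo > t.mtpd:
        out.append("RPO_TARGET_ABOVE_MTPD")
    # Test-level checks: what the exercise actually achieved.
    rto = achieved_rto(run)
    if rto > t.rto:
        out.append("RTO_MISSED")
    if rto > t.mtpd:
        out.append("OUTAGE_ABOVE_MTPD")
    rpo = achieved_rpo(run)
    if rpo is None:
        out.append("NO_USABLE_BACKUP")  # backups taken after the outage do not count
    elif rpo > t.rpo:
        out.append("RPO_MISSED")
    return out


def assess(runs, targets) -> dict:
    """Map each application to its list of findings."""
    return {r.app: findings(r, targets[r.app]) for r in runs}


# Constructed sample data: one simulated outage at 10:00 for three applications.
T0 = datetime(2024, 3, 1, 10, 0)
H, M = timedelta(hours=1), timedelta(minutes=1)

TARGETS = {
    "payments": Targets(rto=1 * H, rpo=15 * M, mtpd=4 * H),
    "hr-portal": Targets(rto=8 * H, rpo=24 * H, mtpd=12 * H),
    "archive": Targets(rto=24 * H, rpo=24 * H, mtpd=48 * H),
}

RUNS = [
    DrTestRun("payments", T0, T0 + 45 * M, (T0 - 10 * M, T0 + 5 * M)),
    DrTestRun("hr-portal", T0, T0 + 9 * H + 30 * M, (T0 - 12 * H,)),
    DrTestRun("archive", T0, T0 + 20 * H, (T0 + 1 * H,)),
]

REPORT = assess(RUNS, TARGETS)

if __name__ == "__main__":
    for app, result in REPORT.items():
        print(f"{app:10s} {'PASS' if not result else ', '.join(result)}")
```

Running the same check after each periodic test gives a per-application record of whether the plan still meets its objectives as the business changes.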
We suggest that all of the 10 identified CSFs can be modelled on the TOE framework
and represent independent factors. Figure 1 presents the suggested framework for DR
Planning, and shows the 10 identified CSFs in this study represented as the independent
factors while DRP effectiveness is the dependent factor. In addition, Figure 1 shows that
each CSF is within its perspective of TOE framework as identified in this study.

Figure 1 Suggested DRP framework

[Figure: the 10 CSFs, grouped by TOE perspective, shown as independent factors with DRP Effectiveness as the dependent factor. Technology (Technology): Appropriate Backup Site; Prioritisation of Application and Services. Organisation (Management): Top Management Support and Commitment; Alignment of DRP’s Goals with Organisation Objectives. Organisation (Operational): Disaster Recovery Committee; DRP Maintenance and Staff Representation; Training of DR Team. Environment (Legal and Regulatory): Business Impact Analysis (BIA) and Risk Assessment; DRP Documentation; DRP Testing.]

4 Conclusions

4.1 Key findings of the study and its contributions


This study builds on earlier work by Barbara (2006) and Chow and Ha (2009), and
develops a set of 10 CSFs based on the criteria that those CSFs were reported by three or
more studies in the literature. The list of CSFs includes: top management support,
alignment of DRP goals and organisation’s objectives, DR planning committee, DR Plan
maintenance and staff representation, risk assessment and BIA, prioritisation of
applications and services, appropriate backup site, DR Plan testing, DR Plan
documentation, and training of the DR Team.
This research identified a gap in the literature, and found that there is a lack of a
suitable framework for an effective DR Plan. To fill this gap, this study first identified a set
of 10 CSFs, then defined Effectiveness of DR Plan and developed measurements for IT
Effectiveness. Finally, the study proposed a framework based on TOE.

4.2 Study contribution


This study contributes to the knowledge area of IT DRP by conducting a comprehensive
review of the literature on IT DR Planning. Moreover, this study identified the top ten
CSFs for IT DR Planning from the literature. The study defined effectiveness of IT DRP
and developed measurements for effectiveness. This study investigated the cause‐effect
relationship between CSFs and their effectiveness. Based on the identified CSFs, this
study developed a framework which could be used for measuring the effectiveness of IT
DRP. This study builds on previous research, and will help organisations improve their
DRP and become more effective in dealing with disasters.

4.3 Recommendations for organisations


This study identified 10 CSFs and developed a framework that could help organisations
decide on which areas to focus and how to organise for effective DRP.

4.4 Limitations of the study and suggestions for future research


The study selected 10 CSFs that were reported as important by three or more studies from a
list of 21 CSFs; some of the CSFs from the 21 CSFs in the list may be applicable to some
types of organisations. A survey may be used to validate the proposed framework. Lastly,
there is an opportunity to expand the subject area of this research to the knowledge area
of BCM and its practice in a country. The suggested framework may be validated for
SMEs and/or government and private organisations.

Acknowledgements

The authors would like to thank Sultan Qaboos University for providing excellent
research facilities. Thanks to Amy Torre for her work in editing the paper. Also, the
authors would like to thank the reviewers for their valuable comments to improve the
paper.
References
Al-Hazmi, O. and Malaiya, Y. (2013) ‘Evaluating disaster recovery plans using the cloud.
Reliability and Maintainability Symposium (RAMS)’, IEEE Proceedings‐Annual, pp.1–6,
Orlando, Florida, USA.
Altay, N. and Green, W.G. (2006) ‘OR/MS research in disaster operations management’, European
Journal of Operational Research, Vol. 175, No. 1, pp.475–493.
Angeles, R. (2014) ‘Using the technology‐organization‐environment framework for analyzing
Nike’s ‘considered index’ green initiative, a decision support system‐driven system’, Journal
of Management and Sustainability, Vol. 4, No. 1, pp.96–113.
Asgary, A., Anjum, M. and Azimi, N. (2012) ‘Disaster recovery and business continuity after the
2010 flood in Pakistan: case of small businesses’, International Journal of Disaster Risk
Reduction, Vol. 2, No. 1, pp.46–56.
Baham, C., Hirschheim, R., Calderon, A. and Kisekka, V. (2017) ‘An agile methodology for the
disaster recovery of information systems under catastrophic scenarios’, Journal of
Management Information Systems, Vol. 34, No. 3, p.633, DOI: 10.1080/07421222.2017
.1372996.
Bakar, Z.A., Yaacob, N.A. and Udin, Z.M. (2015) ‘The effect of business continuity management
factors on organizational performance: a conceptual framework’, International Journal of
Economics and Financial Issues, Vol. 5, No. 5, Special issue, pp.128–134 [online]
https://www.econjournals.com/index.php/ijefi/article/view/1379/pdf (accessed 4 November
2020).
Barbara, M. (2006) Determining the Critical Success Factors of an effective Business
Continuity/Disaster Recovery Program in a Post 9/11 World: A Multi‐Method Approach,
Master’s thesis, Concordia University, Canada [online] https://spectrum.library.concordia.ca/
9033/ (accessed 4 November 2020).
BCMPedia (n.d.) MADT and MTPD defined in BCMpedia [online] http://www.bcmpedia.org
/wiki/Maximum_Allowable_Downtime_(MAD) (accessed 20 December 2016).
Blokdijk, G. (2008) Disaster Recovery 100 Success Secrets: IT Business Continuity, Disaster
Recovery Planning and Services, Emereo Publishing. Newstead, Queensland, Australia.
Botha, J. and von Solms, R. (2004) ‘A cyclic approach to business continuity planning’,
Information Management & Computer Security, Vol. 12, No. 4, pp.328–337.
Business Continuity Disaster Recovery Plan Steps (n.d) In Disaster Recovery Organization [online]
http://www.disasterrecovery.org/plan_steps.html (accessed 20 May 2015).
Business Continuity Planning (2015) Federal Financial Institutions Examination Council [online]
http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf
(accessed 20 September 2015).
Castillo, C. (2004) ‘Disaster preparedness and business continuity planning at boeing: an integrated
model’, Journal of Facilities Management, Vol. 3, No. 1, pp.8–26.
Catania, P. (n.d) Are you Prepared? – How to Accomplish Disaster Recovery and Business
Continuity Planning, Disaster Resource Guide [online] http://www.disaster‐resource.com/
index.php?option=com_content&view=article&id=1615 (accessed 27 June 2015).
Chow, W. (2000) ‘Success factors for IS disaster recovery planning in Hong Kong’, Information
Management & Computer Security, Vol. 8, No. 2, pp.80–87 [online] http://130.18.86.27/
faculty/warkentin/SecurityPapers/Robert/Others/Chow2000_IMCS8_2_DisasterRecoveryHon
gKong.pdf (accessed 4 November 2020).
Chow, W. and Ha, W. (2009) ‘Determinants of the critical success factor of disaster recovery
planning for information systems’, Information Management & Computer Security, Vol. 17,
No. 3, pp.248–275.
Cook, J. (2015) ‘A six‐stage business continuity and disaster recovery planning cycle’,
SAM Advanced Management Journal, Vol. 80, No. 3, pp.23–34 [online]
https://search.proquest.com/docview/1725174951/abstract/1C5777E6EECB4D69PQ/1?accoun
tid=27575 (accessed 4 November 2020)
Costello, T. (2012) ‘Business continuity: beyond disaster recovery’, IT Professional,
September–October, Vol. 14, No. 5, pp.64–64, doi: 10.1109/MITP.2012.92 (accessed 4
November 2020).
DePietro, R., Wiarda, E. and Fleischer, M. (1990) ‘The context for change: organization,
technology and environment’, in Tornatzky, L.G. and Fleischer, M. (Eds.): The Processes of
Technological Innovation, Lexington Books: Lexington, MA, pp.151–175.
DiMaria, J. (2014) ‘Getting Buy‐In for a business continuity management system’, Disaster
Recovery Journal, Vol. 27, No. 2 [online] http://www.drj.com/journal/spring‐2014‐
volume‐27‐issue‐2/getting‐buy‐in‐for‐a‐business‐continuity‐management‐system.html
(accessed 5 October 2015).
Disaster Recovery Organization (2020) IT Disaster Recovery Plan in IT Disaster Recovery
Organization [online] https://www.disasterrecovery.org/it-disaster-recovery/ (accessed 4
November 2020).
El-Temtamy, O., Majdalawieh, M. and Pumphrey, L. (2016) ‘Assessing IT disaster recovery plans:
The case of publicly listed firms on Abu Dhabi/UAE security exchange’, Information and
Computer Security, Vol. 24, No. 5, pp.514–533 [online] https://doi.org/10.1108/ICS-04-2016-
0030 (accessed 4 November 2020).
Enshasy, M. (2009) Evaluating Business Continuity and Disaster Recovery Planning in
Information Technology Departments in Palestinian Listed Companies, MBA dissertation,
The Islamic University Gaza, Gaza [online] https://iugspace.iugaza.edu.ps/bitstream/handle/
20.500.12358/19824/file_1.pdf?sequence=1&isAllowed=y (accessed 4 November 2020).
Galindo, G. and Batta, R. (2013) ‘Review of recent developments in OR/MS research in disaster
operations management’, European Journal of Operational Research, Vol. 230, No. 2,
pp.201–211.
Gibb, F. and Buchanan, S. (2006) ‘A framework for business continuity management’,
International Journal of Information Management, Vol. 26, No. 2, pp.128–141.
Gu, Y., Wang, D. and Liu, C. (2014) ‘DR‐cloud: multi‐cloud based disaster recovery service’,
Tsinghua Science and Technology, Vol. 19, No. 1, pp.13–23 [online]
https://ieeexplore.ieee.org/document/6733204 (accessed 4 November 2020).
Haji, J. (2016) ‘Airline business continuity and IT disaster recovery sites’, Journal of Business
Continuity & Emergency Planning, Vol. 9, No. 3, pp.228–38 [online]
https://www.ingentaconnect.com/content/hsp/jbcep/2016/00000009/00000003/art00004
(accessed 4 November 2020).
Harrald, J. (2006) ‘Agility and discipline: critical success factors for disaster response’, The Annals
of the American Academy of political and Social Science, Vol. 604, No. 1, pp.256–272
[online] https://www.jstor.org/stable/25097791?seq=1 (accessed 4 November 2020).
Hawkins, S., Yen, D. and Chou, D. (2000) ‘Disaster recovery planning: a strategy for data
security’, Information Management & Computer Security, Vol. 8, No. 5, pp.222–230 [online]
http://130.18.86.27/faculty/warkentin/SecurityPapers/Robert/Others/HawkinsYenChou2000_I
MCS8_5_DisasterRecoveryPlanning.pdf (accessed 4 November 2020).
Hiller, M., Bone, E.A. and Timmins, M.L. (2015) ‘Healthcare system resiliency: the case for taking
disaster plans further – Part 2’, Journal of Business Continuity & Emergency Planning, Vol. 8,
No. 4, pp.356–375 [online] https://pubmed.ncbi.nlm.nih.gov/25990980/ (accessed 4
November 2020).
Hoong, L. and Marthandan, G. (2011) ‘Factors influencing the success of the disaster recovery
planning process: a conceptual paper’, in 2011 International Conference on Research and
Innovation in Information Systems, pp.1–6, Kuala Lumpur, Malaysia.
Hoong, L. and Marthandan, G. (2014) ‘Critical dimensions of disaster recovery planning’,
International Journal of Business and Management, Vol. 9, No. 12, pp.145–158 [online]
http://www.ccsenet.org/journal/index.php/ijbm/article/view/39550 (accessed 14 November 2020).
Jarvelainen, J. (2013) ‘IT incidents and business impacts: validating a framework for continuity
management in information systems’, International Journal of Information Management,
Vol. 33, No. 3, pp.583–590.
Kappleman, L., McLean, E., Liftman, J. and Johnson, V. (2013) ‘Key issues of IT organizations
and their relationship’, The 2013 SIM IT Trends Study. MIS Quarterly Executive, Vol. 12,
No. 4, pp.227–240.
Karim, A.J. (2011) ‘Business disaster preparedness: an empirical study for measuring the factors of
business continuity to face business disaster’, International Journal of Business & Social
Science, Vol. 2, No. 18, pp.183–192 [online] https://www.semanticscholar.org/paper/
Business-Disaster-Preparedness-%3A-An-Empirical-Study-
Karim/0e19ca3ebfc10af9822b1cab63842a91788eb4d7 (accessed 4 November 2020).
Lewis, W., Watson, R. and Pickren, A. (2003) ‘An empirical assessment of IT disaster risk’,
Communications of the ACM, Vol. 46, No. 9, pp.201–206 [online]
https://www.researchgate.net/publication/220421316_An_empirical_assessment_of_IT_disast
er_risk (accessed 4 November 2020).
Lockwood, N.R. (2005) ‘Crisis management in today’s business environment: HR’s strategic role’,
SHRM Research Quarterly, Vol. 50, No. 12, pp.1–10 [online] https://www.shrm.org/hr-
today/news/hr-magazine/documents/1205rquartpdf.pdf (accessed 5 November 2020).
Mark, C. (2013) Avoiding Disaster Recovery Epic Fails [online] http://www.drj.com
/752‐avoiding‐disaster‐recovery‐epic‐fails/file.html (accessed 20 April 2015).
Miles, S.B. and Chang, S.E. (2006) ‘Modelling community recovery from earthquakes’,
Earthquake Spectra, Vol. 22, No. 2, pp.439–458 [online] https://journals.sagepub.com/doi/
abs/10.1193/1.2192847 (accessed 5 November 2020).
Mohamed, H.A.R. (2014) ‘A proposed model for It Disaster recovery plan’, International Journal
of Modern Education and Computer Science (IJMECS), Vol. 6, No. 4, pp.57–67.
Nair, V. (2014) ‘Ensuring IT service continuity in the face of increasing threats’, Journal of
Business Continuity & Emergency Planning, Vol. 7, No. 4, pp.278–291 [online]
https://www.henrystewartpublications.com/jbcep/v7 (accessed 4 December 2020).
Nelson, K. (2006) ‘Examining factors associated with IT disaster preparedness’, Proceedings of the
39th Hawaii International Conference on System Science, IEEE, Hawaii, USA, pp.205b–205b.
Omar, A., Alijani, D. and Mason, R. (2011) ‘Information technology disaster recovery plan: case
study’, Academy of Strategic Management Journal, Vol. 10, No. 2, pp.127–141 [online]
https://www.researchgate.net/publication/285789793_Information_technology_disaster_recov
ery_plan_Case_study (accessed 4 November 2020).
Oxford Dictionaries Online: Meaning of ‘Effective’ in the English Dictionary (n.d) In Oxford
Dictionaries Online [online] https://en.oxforddictionaries.com/definition/effective (accessed 7
October 2015).
Perna, G. (2014) Healthcare Informatics: Our Infrastructure Isn’t Prepared for Disaster Recovery
[online] http://www.healthcareinformatics.com/News‐item/Hit‐Execs‐Our‐our-infrastructure‐
isn’t‐prepared‐for‐disaster‐recovery (accessed 30 January 2017).
Peterson, C. (2009) ‘Business continuity management & guidelines’, in 2009 Information Security
Curriculum Development Conference, pp.114–120, ACM, New York, USA.
Pinta, J. (2011) ‘Disaster recovery planning as part of business continuity management’, AGRIS
on‐line Papers in Economics and Informatics, Vol. 3, No. 4, pp.55–61 [online]
file:///Users/rafiashrafi/Downloads/agris_on-line_2011_4_pinta.pdf (accessed 4 November
2020)
Rockart, J.F. (1979) ‘Chief executives define their own data needs’, HBR, March, Vol. 57, No. 2,
pp.81–93.
Sahebjamnia, N., Torabi, S.A. and Mansouri, S.A. (2015) ‘Integrated business continuity and
disaster recovery planning: towards organizational resilience’, European Journal of
Operational Research, Vol. 242, No. 1, pp.261–273.
Sakel, K (2011) Sony PlayStation Network Hack Is Just the Beginning of Giant Data Thefts:
Experts [online] http://www.huffingtonpost.com/2011/05/06/playstation‐theft‐sony‐hack
_n_858355.html (accessed 15 October 2015).
Sarbanes‐Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements
(2009) United States Securities and Exchange Commission [online] https://www.sec.gov/news
/studies/2009/sox‐404_study.pdf (accessed 20 September 2015).
Sawalha, I.H. (2011) Business Continuity Management and Strategic Planning: The Case of
Jordan, Doctoral dissertation, University of Huddersfield, UK [online]
http://eprints.hud.ac.uk/id/eprint/10172/ (accessed 4 November 2020).
Scott, J. (2007) ‘An e‐transformation study using the technology‐organization‐environment
framework’, 20th Bled eConference eMergence: Merging and Emerging Technologies,
Processes, and Institutions, pp.50–61, Bled, Slovenia [online] https://core.ac.uk/download/
pdf/301359173.pdf (accessed 4 November 2020).
Snedaker, S. (2013) Business Continuity and Disaster Recovery Planning for IT Professionals,
2nd ed., Syngress, Rockland.
Statewide Disaster Recovery Planning for Information Technology Systems (2010) The Montana
Legislature [online] http://leg.mt.gov/content/Publications/Audit/Report/10DP‐01.pdf
(accessed 20 May 2015).
The DR Preparation Council (2014) [online] https://www.unitrends.com/wp-content/uploads/
ANNUAL_REPORT-DRPBenchmark_Survey_Results_2014_report.pdf (accessed 9
November 2020).
The State of Global Disaster Recovery Preparedness (2014) Disaster Recovery Preparedness
Council [online] http://drbenchmark.org/wp-content/uploads/2014/02/ANNUAL_
REPORTDRPBenchmark_Survey_Results_2014_report.pdf (accessed 19 February 2015).
Thordarson, T.B. (2014) Use of Funds in a Nonprofit Organization as Predictor of
Organizational Effectiveness and Efficiency, Dissertations, Paper 730 [online]
https://digitalcommons.andrews.edu/cgi/viewcontent.cgi?article=1729&context=dissertations
(accessed 4 November 2020).
Tu, C.Z., Yuan, Y., Archer, N. and Connelly, C.E. (2018) ‘Strategic value alignment for
information security management: a critical success factor analysis’, Information & Computer
Security, Vol. 26, No. 2, pp.150–170.
Wali, A., Deshmukh, S. and Gupta, A. (2003) ‘Critical success factors of TQM: a select study of
Indian organizations’, Production, Planning and Control, Vol. 14, No. 1, pp.3–14.
Wold, G. (2006) ‘Disaster recovery planning process’, Disaster Recovery Journal, Vol. 5, No. 1,
part 1 of 3 [online] file:///Users/rafiashrafi/Downloads/disater%20recovery%20Part%
20I%20of%20III%20(1).pdf (accessed 4 November 2020).
Wong, B., Monaco, J. and Sellaro, C. (1994) ‘Disaster recovery planning: Suggestions to top
management and information systems managers’, Journal of Systems Management, Vol. 45,
No. 5, pp.28–33.
Wrobel, L. (2008) Business Resumption Planning, 2nd ed., CRC Press, Boca Raton, Florida, USA.
Yang, C-L., Yuan, B. and Huang, C‐Y. (2015) ‘Key determinant derivations for information
technology disaster recovery site selection by the multi‐criterion decision making method’,
Sustainability, Vol. 7, No. 5, pp.6149–6188.
