A small business IT disaster recovery plan should tell people what to do when normal systems are unavailable. It does not need to be a hundred-page manual, but it must contain enough detail to guide decisions when email, files, servers, internet access or key applications have failed.
The plan sits beneath wider business continuity. Continuity asks how the organisation keeps delivering its service; IT disaster recovery focuses on restoring the technology and data that service depends on.
Start with business activities, not technology
List the activities that must continue: taking orders, providing client services, accessing case files, processing payments, communicating with staff or running production. Then identify the systems and information behind each activity.
This prevents a common mistake—treating the largest server as the highest priority when a smaller application may be more important to daily operations.
Speak to department leaders. They may rely on spreadsheets, shared mailboxes or supplier portals that are not visible in the formal system list.
Set recovery priorities
Two measures help frame the discussion:
- Recovery time objective: the target time for restoring a service after disruption.
- Recovery point objective: the maximum acceptable amount of recent data loss, expressed as time.
These are business decisions supported by technical advice. If a system can be unavailable for two days, the recovery design can differ from one needed within an hour. If losing a morning’s work is unacceptable, backup frequency must reflect that.
A target is not a guarantee. It should be realistic, tested and supported by suitable technology and people.
Map dependencies
Applications depend on more than their own server. Recovery may also require identity services, internet connectivity, DNS, licences, encryption keys, supplier access and compatible devices.
Draw a simple dependency map for each critical service. For example, restoring cloud files is of limited use if employees cannot authenticate or have no working laptops.
Include physical dependencies such as power, network equipment and access to the building.
Design backups around recovery needs
Backups should cover the data and systems identified in the impact review. Confirm frequency, retention, storage location, encryption and monitoring.
Keep recovery copies appropriately separated from the live environment. If the same compromised administrator can delete production data and every backup immediately, the design has a serious weakness.
Cloud services also need consideration. Our guide to Microsoft 365 backup explains why platform resilience and business recovery are not the same thing.
Write clear activation criteria
Not every IT fault is a disaster. Define who can activate the plan and what conditions justify it. Examples include an office-wide outage expected to exceed a threshold, confirmed ransomware, loss of a critical cloud service or destruction of onsite equipment.
Premature activation can create confusion; waiting too long can increase damage. The decision-maker needs access to technical advice and authority to coordinate departments.
Assign roles before an incident
Name roles rather than relying only on individual people. The plan should cover:
- incident leadership and business decisions;
- technical investigation and recovery;
- communication with employees;
- customer, supplier and insurer contact;
- legal, regulatory and data-protection advice;
- recording actions and decisions.
Provide deputies. A plan that depends on one director being reachable is not resilient.
Prepare an offline contact and access pack
If Microsoft 365 is unavailable, a contact list stored only in SharePoint cannot help. Keep a protected, current copy of essential contacts and recovery instructions outside the systems they support.
Include IT support, internet providers, software vendors, cyber insurance contacts, landlords, senior staff and any specialist recovery suppliers. Store sensitive recovery information securely; an offline copy must not become an unprotected password list.
Plan alternative ways of working
Technology recovery may take time. Decide how the business will operate meanwhile. Can staff work from another location? Is there an approved way to contact employees? Which manual processes can be used temporarily, and how will information be entered back into systems later?
Be precise about data protection. An emergency does not justify moving confidential information into personal email accounts or unapproved consumer services.
Include cyber incidents
A ransomware or account-compromise recovery differs from a simple hardware failure. Restoring too quickly can reintroduce the cause, destroy evidence or expose clean backups.
The plan should require containment and investigation before large-scale restoration. Coordinate with your Business IT Support provider, insurer and relevant advisers. If personal data may be involved, obtain appropriate legal and data-protection guidance promptly.
Test realistic scenarios
A backup restore is essential, but it is not the whole plan. Run tabletop exercises with management: the internet connection has failed, Microsoft 365 accounts are compromised, the server will not start, or the office cannot be entered.
Ask participants what they would do in the first 15 minutes, who they would call and which information they need. Record gaps and assign actions.
Technical recovery tests should verify that data is usable, applications start and access controls work. Time the process and compare it with the stated objectives.
Keep the plan current
Review the document after major system changes, office moves, supplier changes and significant incidents. At minimum, check contacts, roles and critical systems regularly.
Version the plan and record where approved copies are held. Remove obsolete instructions that could send an engineer to the wrong console or lead staff to contact a former supplier.
A practical plan is better than a perfect plan
Begin with the five most important services, realistic recovery targets, named responsibilities and tested backups. Expand the plan as the business learns. A concise document that people have rehearsed is more useful than an impressive binder nobody can find.
Skynet ICT helps organisations improve backup, continuity and recovery through managed IT support for businesses. We work remotely across the UK and onsite through our Kent IT support and wider South East coverage.
If you want to turn informal recovery arrangements into a practical plan, contact Skynet ICT.
