ISO 27001 audits and DR: what auditors actually ask

Three things: a DR plan, evidence of drills, change tracking. Everything else is garnish.

TL;DR

In an ISO 27001 audit on the continuity cluster, auditors look for three things: written DR plan, drill evidence and change tracking. Everything else is garnish.

The three core pieces of evidence

1. Written and signed DR plan

A 10-30 page document that includes:

  • scope and objectives (RTO, RPO per process);
  • roles and responsibilities (who does what);
  • plan activation procedure;
  • technical runbooks for each critical service;
  • internal and external communication procedures;
  • references to external vendors and SLAs.

Signed by management. Dated within the last 12 months.

2. Drill evidence

At least one drill executed within the last 12 months, documented with:

  • date and duration;
  • scenario;
  • participants;
  • measured times (real RTO);
  • discrepancies found;
  • corrective actions open/closed.

The auditor will check that open corrective actions have a reasonable closing date.

3. Change tracking

Plan versioning. Every change must have:

  • date;
  • author;
  • reason (e.g. "added CRM system after 15/03 deploy");
  • approval.

Without a change log, the auditor suspects the plan was written the night before.

Typical audit question order

The auditor follows this sequence:

  1. "Can I see the DR plan?"
  2. "When was it approved?"
  3. "Can I see the report of the last drill?"
  4. "Are the corrective actions from the drill closed?"
  5. "Can I see the last 12 months of the change log?"

Five questions, about 30 minutes. Any missing answer is recorded as a non-conformity (NC).

How to prepare 30 days ahead

  • update the plan (even minor changes count; dated evidence of the update is what matters);
  • run a documented partial drill;
  • close corrective actions open for more than 6 months;
  • prepare a single "Evidence pack" PDF with everything.

FAQ

Should the plan be in Italian or English?

It depends on the audit language. For TÜV / DNV / Bureau Veritas Italy audits, Italian. For international audits, English.

Can I use a plan provided by the DR vendor?

Yes, as a base, but it must be customised to your organisation and signed by your management.

How long does the continuity cluster audit last?

5-8 hours for an initial-certification stage 2. 3-5 hours for annual surveillance audits.

For the complete guide, see ISO 27001:2022 and continuity. For the new control, see Annex A.5.30.
