The Dutch documentation set lists a.17 Rampen Opvang Plan (Disaster Recovery Plan) as mandatory. In the Declaration of Applicability, I have listed that making an appropriate backup plan is applicable. We have that backup plan in a separate document. Do you still think I should have a disaster recovery plan, or is that more for the business continuity standard?
Answer: Controls from section A.17 requires more than a plan to be fulfilled (e.g., control A.17.1.2 requires processes, procedures and other controls for maintaining adequate level of continuity), so only a backup plan is not going to be enough to the requirements of section A.17 and you must consider the devrlopmrnte of a Disaster Recovery Plan.