Cybersecurity — DRP & BCP

Disaster recovery and business continuity planning (DRP & BCP)

A disaster recovery plan (DRP) describes how to bring your IT back into service after a major outage, a disaster or a cyberattack; a business continuity plan (BCP) organises how essential functions are kept running during the crisis. We build both with you: recovery objectives (RTO) and acceptable data-loss objectives (RPO), documented procedures, responsibilities and regular exercises. For companies in Paris and Île-de-France, with coverage of remote sites through our regional partners.

What holds you back

The patterns we keep seeing.

01

Nobody knows how long the outage would last

Without defined objectives or written procedures, recovery is improvised in the middle of the crisis: that is when you discover that access is missing, that the restart order is unknown, and that every hour of hesitation costs hours of lost production.

02

Backups that have never been put to the test

The backups run, but no full restore has been tested. On the day of the disaster, you discover missing data, copies encrypted by the ransomware, or a restore time incompatible with the business.

03

A plan that is obsolete or lives in one person's head

The document written years ago no longer matches the information system, and knowledge of the recovery rests on one person. One absence at the wrong moment, and the company stays at a standstill because nobody knows who decides and who acts.

What we cover

The scope of the service.

01 / IMPACT ANALYSIS

Business criticality and recovery objectives

Identify what must come back first, and by when: the impact analysis translates your business priorities into measurable technical objectives, arbitrated with management.

  • Mapping of applications and their dependencies: servers, network, cloud
  • Business impact analysis: critical activities, tolerance to interruption
  • RTO and RPO defined per activity, validated by management
  • Scenarios covered: major outage, site disaster, cyberattack
02 / RECOVERY PLAN

Documented recovery procedures (DRP)

Written, actionable procedures — who does what, in what order, with which access — so nothing is improvised on the day.

  • Restart order for servers and virtualised environments (Hyper-V, VMware, Proxmox)
  • Step-by-step restore procedures from backups
  • Ransomware scenario: copies isolated from the network and restoration to a controlled environment
  • Crisis directory: internal contacts, providers, carriers
  • Responsibility matrix and activation criteria
03 / CONTINUITY

Keeping the business running in degraded mode (BCP)

Organise work while systems are unavailable: workarounds, prioritisation of essential functions and controlled communication.

  • Degraded modes per department: what to keep running, what to suspend
  • Remote work through VPN and Microsoft 365 (Teams, OneDrive, SharePoint) if the site is unavailable
  • Telephony continuity: call forwarding and 3CX softphones depending on your installation
  • Crisis communication: who informs whom, when, through which channel
04 / EXERCISES & UPKEEP

Exercises and keeping the plan operational

A plan that is not exercised loses its value: tests reveal the gaps before a real incident does.

  • Regular restore tests, with a written report
  • Tabletop exercises with the managers concerned
  • Technical cutover exercises on an agreed scope
  • Plan updated in step with significant changes to the information system, according to your service contract
  • Frequency and scope of exercises formalised in your service contract
How we proceed

From scoping to follow-up.

The exact scope, deliverables and timelines are formalised in the proposal, before any commitment.

1
Scoping and impact analysis

Inventory of activities, applications and their technical dependencies; interviews with business managers to assess the concrete impact of an interruption.

2
Definition of objectives

RTO and RPO set activity by activity, weighing the impact of an interruption against the cost of the technical measures. The values retained are validated by your management.

3
Design and drafting of the plans

Recovery architecture, step-by-step documented procedures, responsibility matrix, crisis directory and the degraded modes of the BCP.

4
Initial exercise

Restore test and cutover exercise on an agreed scope; the gaps observed feed a prioritised remediation plan.

5
Ongoing upkeep

Plan revised as the information system evolves, recurring exercises and written reports. Frequency and scope are defined in your service contract.

Frequently asked questions — cybersecurity

The answers describe how the service works. Quantified commitments are formalised in your contract.

The DRP (disaster recovery plan) organises bringing IT back into service after an interruption: data restoration, server restarts, return to normal. The BCP (business continuity plan) aims to keep essential functions running during the crisis, in degraded mode where necessary. The two complement each other: the BCP limits the impact during the interruption, the DRP shortens its duration.
No. Backups are a prerequisite, not a plan: you still need to know where to restore, in what order to restart, who decides and how long the operation will take. A DRP documents these procedures and puts them to the test through regular restore tests — that is what turns copies of data into a genuine recovery capability.
The RTO (Recovery Time Objective) is the maximum interruption time targeted for an activity; the RPO (Recovery Point Objective) is the maximum acceptable age of the restored data. They are defined activity by activity, with the business managers concerned, weighing the impact of an interruption against the cost of the technical measures. The values retained are formalised in your plan and in the specific terms of your contract.
Yes, provided it is designed for that scenario: ransomware can encrypt backups that are reachable online, which requires restoring to a controlled environment after the integrity of the copies has been verified. The plan therefore includes specific provisions: copies isolated from the network, a cautious restoration order, coordination with detection measures such as EDR (Endpoint Detection and Response). This scenario can be covered by dedicated exercises, depending on the agreed scope.
That depends on the objectives defined in your plan: the RTO set for each activity determines the technical measures put in place. We do not publish a generic timeframe: the commitments attached to your plan are formalised in the specific terms of your service contract. The exercises exist precisely to verify that the objectives set remain achievable.
Mainly the objectives retained: the shorter the RTO and RPO, the more substantial the required measures — replication, standby environment, off-site copies. Add to that the number of servers and sites, the complexity of the applications and the frequency of exercises. Scoping serves to adjust these objectives to the real business impact so the setup is not oversized; pricing is then formalised in your contract.
Yes. Scoping starts with an assessment of the existing environment: backups in place, virtualised environments (Hyper-V, VMware, Proxmox), existing documents and procedures. Whatever is usable is kept and integrated into the plan; the gaps — untested copies, obsolete procedures, undefined responsibilities — are addressed through prioritised recommendations.
The plan defines a crisis organisation: who observes, who decides on activation, who executes the technical procedures, who communicates internally and externally. The decision to switch to recovery mode remains the responsibility of your management; we assess the situation and execute the procedures according to the agreed responsibility matrix. The plan and its documentation remain your company's property, in accordance with the terms of your service contract.
A documented, exercised plan meets a frequent expectation of regulations, insurers and client organisations, but no technical measure amounts, on its own, to compliance. Our plans are designed to fit the obligations applicable to your context; the legal qualification of the scope (NIS2, GDPR, sector-specific requirements) remains to be validated with your counsel.

An audit, then a clear plan.

Describe your need in a minute. We come back with an assessment and prioritised next steps.

Business continuity & disaster recovery plans in France | Dalena