DR audit evidence checklist for on-premises data centers
Use this checklist when preparing for a disaster recovery audit or regulatory examination of operational data centers. Auditors sample evidence that recovery documentation matches production state — not whether a BCP exists on paper.
Inventory and topology
Examiners trace findings to source evidence. Inventory that cannot be tied to read-only captures from vCenter, network controllers, or storage APIs is difficult to defend under follow-up questions.
- Validated inventory of VMs, hypervisor hosts, network devices, and storage arrays
- L2 and L3 network topology derived from management-plane capture — not hand-drawn diagrams
- Cross-tier dependency map validated end-to-end before publish
- Production vs non-production labeling with documented ownership where required for scope
- Partial coverage explicitly labeled when vendor mix exceeds current capture support
Recovery objectives and gap analysis
- RTO and RPO documented per workload or tier — aligned with business impact analysis
- RTO/RPO matrix compared against validated recovery posture
- Prioritized DR gap analysis with remediation ordering
- Gaps linked to specific estate evidence — not generic best-practice boilerplate
Recovery runbooks and procedures
- Runbooks ordered by the dependency map — upstream dependencies recovered first
- Procedures reference current hostnames, volumes, and network paths
- Runbooks updated from capture — not copied forward from the last migration project
- Critical service context documented by operations teams where capture shows topology only
Test and validation evidence
A success log for backup upload does not prove data is readable. Auditors increasingly request restore-test evidence, not scheduler screenshots alone.
- Backup restoration tests with timestamps inside the examination window
- Failover or DR drill results — expected vs actual recovery time
- Corrective actions documented when tests miss RTO/RPO targets
- Validation logs for cross-tier dependency checks
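As an added illustration (not MKDC's code and not part of the original checklist), the script below ties three of the items above together: it takes a constructed dependency map, orders recovery runbooks upstream-first (Kahn's topological sort, with a cycle reported as a dependency-map defect rather than silently dropped), then compares constructed RTO/RPO targets against drill results and restore-test dates from an assumed examination window. Findings come out in recovery order, because an upstream gap blocks every workload below it and belongs at the top of the remediation list. All service names, targets, dates and the window are hypothetical values chosen for the example.

```python
from collections import deque
from datetime import date

# Constructed dependency map: service -> upstream services that must be
# recovered first. Hypothetical names, not taken from any real estate.
DEPENDENCIES = {
    "web-frontend": ["app-api"],
    "app-api": ["db-primary", "auth"],
    "auth": ["db-primary"],
    "db-primary": ["storage-array-01"],
    "storage-array-01": [],
}

# Constructed targets (minutes) and latest evidence per workload.
# actual_* = result of the most recent failover drill; None = no drill evidence.
WORKLOADS = {
    "storage-array-01": {"rto": 60,  "rpo": 15,  "actual_rto": 45,   "actual_rpo": 10,   "last_restore_test": date(2024, 3, 4)},
    "db-primary":       {"rto": 120, "rpo": 15,  "actual_rto": 150,  "actual_rpo": 15,   "last_restore_test": date(2024, 2, 20)},
    "auth":             {"rto": 60,  "rpo": 60,  "actual_rto": 30,   "actual_rpo": 30,   "last_restore_test": date(2023, 11, 2)},
    "app-api":          {"rto": 240, "rpo": 60,  "actual_rto": None, "actual_rpo": None, "last_restore_test": date(2024, 3, 10)},
    "web-frontend":     {"rto": 240, "rpo": 240, "actual_rto": 200,  "actual_rpo": 200,  "last_restore_test": date(2024, 3, 12)},
}

# Assumed examination window: restore tests must carry timestamps inside it.
EXAM_WINDOW = (date(2024, 1, 1), date(2024, 3, 31))


def recovery_order(deps):
    """Return services upstream-first (Kahn's algorithm).

    Ties are broken alphabetically so the runbook order is reproducible.
    A dependency on an unknown service, or a cycle, is raised as an error:
    both are defects in the dependency map that an auditor will find."""
    indegree = {s: 0 for s in deps}
    dependents = {s: [] for s in deps}
    for service, upstreams in deps.items():
        for up in upstreams:
            if up not in deps:
                raise ValueError(f"{service} depends on {up}, which is not in the inventory")
            indegree[service] += 1
            dependents[up].append(service)
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        s = ready.popleft()
        order.append(s)
        for d in sorted(dependents[s]):
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)
    if len(order) != len(deps):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return order


def gap_analysis(workloads, deps, window):
    """Compare targets with drill and restore evidence.

    Returns (service, finding) pairs in recovery order, which doubles as the
    remediation order: fix upstream gaps before the workloads that need them."""
    start, end = window
    findings = []
    for service in recovery_order(deps):
        w = workloads[service]
        if w["actual_rto"] is None or w["actual_rpo"] is None:
            findings.append((service, "no failover drill evidence"))
        else:
            if w["actual_rto"] > w["rto"]:
                findings.append((service, f"RTO miss: {w['actual_rto']} min actual vs {w['rto']} min target"))
            if w["actual_rpo"] > w["rpo"]:
                findings.append((service, f"RPO miss: {w['actual_rpo']} min actual vs {w['rpo']} min target"))
        t = w["last_restore_test"]
        if t is None or not (start <= t <= end):
            findings.append((service, "restore test missing or outside examination window"))
    return findings


def run_example():
    """Run the analysis over the constructed data above."""
    return gap_analysis(WORKLOADS, DEPENDENCIES, EXAM_WINDOW)


if __name__ == "__main__":
    print("Runbook order:", " -> ".join(recovery_order(DEPENDENCIES)))
    for service, finding in run_example():
        print(f"GAP {service}: {finding}")
```

In a real engagement the two input tables would be generated from the management-plane capture and the BIA rather than typed in; the point of the script is that the runbook order, the RTO/RPO comparison and the window check are all derived from one dataset, so each finding can be traced back to the capture artifact that produced it.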
Compliance mapping
- Per-framework gap analysis (FFIEC BCM, SOC 2 CC9, SOX ITGC, HIPAA, HHS 405(d) as applicable)
- Cross-framework index for overlapping controls
- Findings mapped to witness-bundle evidence pointers
- Board-ready executive summary for audit committee review
Before the auditor arrives: sponsor checklist
Sponsors who wait until the request letter arrives often compress remediation and evidence production into the same calendar. Starting discovery and capture earlier separates “know what is wrong” from “prove what is true under deadline pressure.”
- Confirm scope — which data centers, frameworks, and systems are in the examination
- Identify known stale artifacts — runbooks, diagrams, CMDB exports operations already distrust
- Align operations and compliance on capture windows and read-only access approvals
- Reserve committee time to review executive summary and high-severity gaps
- Plan remediation owners for gaps that must close before sampling — not after findings
Common gaps this checklist surfaces
Teams score well on policy and program evidence — BCP approval dates, committee minutes, annual training — and poorly on technical traceability. The checklist above weights inventory, topology, runbooks, tests, and compliance mapping because those are what infrastructure sampling targets.
When multiple frameworks apply, use the cross-framework index to avoid duplicating work. The same capture-backed inventory supports FFIEC BCM, SOC 2 CC9, and SOX ITGC subset mapping when findings link to witness-bundle pointers instead of duplicate spreadsheet tabs.
Framework mapping from the same checklist
The checklist sections above map directly to MKDC deliverables: inventory and topology from capture, recovery objectives from your BIA cross-checked in the gap analysis, runbooks ordered by dependencies, test evidence that you provide (or that we help you collect through structured follow-ups), and compliance mapping in the automated reports.
Sponsors reviewing HIPAA or HHS 405(d) cycles can use the same checklist — subset mapping in the SOW determines which control catalogs appear in the compliance report. Full catalogs are not implied when a subset is scoped.
Ownership and RACI for checklist items
Checklist failures often trace to unclear ownership — compliance owns the binder, operations owns production, no one owns whether the two match. Capture-backed deliverables give each role a shared reference date.
- Operations: inventory accuracy, runbook walkthroughs, restore and failover test execution
- IT compliance: framework mapping, evidence packaging for external auditors
- Internal audit: re-performance of evidence trails before committee presentation
- CISO / Head of Risk: sponsor sign-off, remediation prioritization for high-severity gaps
- Audit committee: oversight questions — not line-by-line runbook authorship
How MKDC addresses this checklist
Read-only API capture from management planes produces the inventory, topology, dependency map, RTO/RPO matrix and prioritized DR gap analysis, recovery runbooks, and automated compliance reports with per-framework gap analysis in one fixed-fee engagement of 4–6 weeks. Operations teams add business context through guided follow-ups. Deliverables include a reproducible witness bundle: any third party can re-derive every conclusion.
Use this checklist as a scoring rubric before sponsor sign-off: if more than two inventory or runbook items cannot be tied to capture-backed evidence, treat that as pre-examination risk — not a formatting problem to fix the week before sampling.
Share the checklist with operations and compliance together — DR audit failures usually appear when those teams optimize for different artifacts (tickets vs policy) and no one owns technical traceability.
Score each section before sponsor sign-off. Weak inventory and topology scores predict runbook and test failures later — fix capture-backed evidence first, then schedule restore tests against the validated dependency map.
Keep a versioned copy of the checklist responses each cycle. Committees ask what changed since the last review — dated capture artifacts answer that question better than email threads.
Discuss your audit timeline
Schedule an intro to scope your estate, frameworks, and DR audit cycle. Fixed fee · 4–6 weeks — read-only capture, no production changes.