Are CDs considered acceptable disaster recovery media?
Are CDs considered disaster recovery media? Will they pass the auditor test?
In my experience, auditors are concerned with the type of media you are using for backups only under particular circumstances. For example, when you must demonstrate that the media is unalterable and cannot be overwritten or erased (such as WORM or write-once CDs) to satisfy regulatory compliance, the choice of media becomes critical.
In most cases however, the backup and archive procedures are what auditors are more interested in. You must demonstrate that you have controls in place to ensure that: Backups are successful; copies are sent to a safe alternate location; the appropriate data is being backed up; backup data retention meets specific business and legal requirements, and that records can be recovered when needed among other things.
This was first published in January 2005