Annual Disaster Recovery testing — end-to-end in Talarity

Build the questionnaire once. Schedule it once. Every year, Talarity fans the test out to your internal owners and external partners, collects evidence, and produces a single auditor-ready attestation report — saved for seven years.

By The Talarity team · May 3, 2026

Almost every framework that touches your security or resilience program expects you to test your disaster recovery and business continuity plans on a regular cadence — not just write them. SOC 2 calls it out in CC9.1, ISO 27001:2022 lays it down in A.5.30 (ICT readiness for business continuity), and FFIEC’s Business Continuity Management booklet dedicates an entire section to it. Auditors want to see the test happened, who participated, what evidence each participant produced, and what got signed off at the end.

Most teams handle this once a year with email threads, a shared drive, and a frantic week of chasing partners. Talarity treats it as a recurring, structured workflow — the same primitives that drive your assessments, attestations, and security questionnaires.

Who’s involved

  • Coordinator — designs the questionnaire, schedules the campaign, attaches the DR runbook, and certifies the final report.
  • Internal tester — owns one or more recovery components. Answers questions, attaches evidence (logs, screenshots, post-test reports).
  • External partner / guest — cloud vendor, MSSP, or hot-site provider who has a piece of your recovery. Gets a real Talarity guest account scoped only to their task.
  • Reviewer — compliance lead or BCM champion who signs the final attestation alongside the campaign owner.

Step 1 — Build the DR question template

The Form Builder at /app/form-templates is where every recurring questionnaire in Talarity is authored. Pick the DR Exercise category and add the questions you want every tester to answer. Eleven response types are available — yes/no, single or multiple choice, free text, file upload, signature, and more. Mark the ones that require evidence, and the platform will block submission until a file is attached.

Form Builder showing the DR Test Annual Tabletop template with five question types.

Tip: One template can power any number of campaigns. Build it once for your annual program and reuse it for tabletops, post-incident reviews, and partner attestations.

Step 2 — Schedule the recurring campaign

Open /app/tasks, click + New Task, and configure the campaign in a single screen:

  • Title and description for what testers will see (“2026 Annual DR Test”).
  • The DR template you just built.
  • The recurrence pattern — Yearly on April 15, for example. Talarity handles weekend shifts and quarter-end conventions automatically.
  • Recipients — mix internal email addresses, an entire linked-account org, and external partners on the same line.

+ New Task modal with title, recurrence, recipients, and template configured.

Attach your DR procedures, runbooks, and reference materials

This is the part most teams under-use. Expand the Distribution & guest access section and attach every reference document a tester needs to do the work — the DR plan PDF, recovery runbooks, escalation/contact lists, system architecture diagrams, last year’s after-action report, vendor failover procedures, anything your testers should be reading before they answer a question.

Every recipient — internal or external — sees the full file list as downloadable attachments on their task page. Same files, same checksum-deduped distribution snapshot, no separate “here’s the runbook” emails. Auditors love this because the report later cites the exact files that were in force during the test, not “the latest copy on SharePoint.”

In the same section you can also set a custom message that ships in every assignment email, lock down upload retention (7 years for SOC 2 / FFIEC), and turn on automatic guest-account provisioning for external recipients — the magic toggle for partner participation. When it’s on, external email addresses get a real Firebase guest login scoped only to their task — no shared inboxes, no token URLs forwarded around.

Distribution & guest access section with DR plan and runbooks attached, retention 2555 days, guest provisioning on.

Once it’s saved

The rule lands on /app/task-recurring with a green ACTIVE pill and the next-fire date. Talarity’s scheduler checks for due rules every fifteen minutes, so when April 15 rolls around, the campaign fans out automatically.

Recurring tasks list showing the new annual DR test rule.

Step 3 — Trigger the run (manually or automatically)

You don’t have to wait for the scheduler the first time. Click Fire Now on any rule and Talarity creates the campaign, generates per-recipient work items, and sends every invitation email immediately.

Fire Now confirmation dialog.

Whether you fire it manually or it auto-fires, the campaign appears in /app/task-campaigns with one row per recipient and live-updating progress.

Campaign detail view immediately after fire showing pending recipients.

Step 4 — Recipients receive and respond

Internal users see the task in their dashboard the next time they log in. They open it, download the DR plan, answer the questionnaire, and upload evidence directly against the questions that require it.

Internal user's work-item view with the DR plan and form questions.

For every external email on the recipient list, Talarity creates a guest Firebase user, scopes them to only their task, and emails them their credentials with a single-click login. The guest experience is identical to an internal tester’s — same template, same evidence requirements, same distribution files. Just a smaller scope.

Guest user's task page with distribution files and form.

Guest user uploading evidence to a file-upload question.

Step 5 — Coordinator monitors progress

The campaign detail view is the coordinator’s dashboard for the run. Status pills, evidence counts, first-viewed timestamps, and submission times are all live. Send batched reminders to anyone still pending, export a CSV for offline analysis, or close the campaign when the window ends.

Campaign detail with View Report button after finalize.

Step 6 — Generate the attestation report

When the window closes (or the coordinator decides to close it manually), Talarity automatically drafts the attestation report. A Generate Report button on the campaign page lets you draft it on demand at any point, too.

Generate Report button highlighted on the campaign detail page.

The draft lands in the Capstone Library — the same queue that holds your audit reports, governance packages, and SEC filings.

Capstone Library entry showing the new draft attestation.

What the report contains

The finalized PDF is structured for auditors and stakeholders alike:

  • Cover & engagement scope — org name, campaign title, period, generated/finalized timestamps, recurrence rule, dispatcher.
  • Distribution package — the DR plan and any other files that went out with the campaign.
  • Aggregate stats — total recipients, completion rate, mean response time, evidence count, overdue / rejected counters.
  • Recipient roster — one row per tester (name, email, internal/cross-org/guest classification, status, first viewed, submitted).
  • Per-tester evidence matrix — for every respondent: the questions they answered, the responses they gave, and a deep link to every artifact they uploaded.
  • Compliance citations — SOC 2 CC9.1, ISO 27001:2022 A.5.28/5.29/5.30, NIST CSF 2.0 RC.RP-1, NIST SP 800-34 §3.5, plus FFIEC / HIPAA / PCI when relevant.
  • Sign-offs — campaign owner and a second compliance signer, resolved through Talarity’s responsibility ledger.

Finalized attestation report cover page.

The watermark switches from DRAFT to FINAL on finalize, and seven-year retention is locked in.

What you walk away with

  • One recurring rule that fires every year on the date you chose — no calendar reminders, no spreadsheets.
  • One campaign per occurrence, with one work item per recipient and a complete activity ledger.
  • Per-question evidence from every internal owner and every external partner, stored in the same repository as your other audit artifacts.
  • A finalized PDF report with seven-year retention, watermarked, signed, and citation-mapped.
  • A full audit trail — who fired the campaign, who viewed each task, who submitted what, who signed the report, and when.

Run yours this year. Open Talarity, head to /app/tasks, and click + New Task. The first one takes about ten minutes; every year after that takes zero.
