Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

ARC Paper 2 Annex 1 IT disaster recovery report

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Paper 2 Annex 1 19 June 2026

Paper 2 Annex 1

wby Cairngorms Nation­al Park Authority

Intern­al Audit 2025 – 26

IT Dis­aster Recov­ery May 2026 Advis­ory Review

Table of contents

Cairngorms Nation­al Park Author­ity IT Dis­aster Recovery

Sec­tionPage
1 EXEC­UT­IVE SUMMARY2
2 ACTION POINTS15
3 OBSER­VA­TIONS33
4 AUDIT ARRANGEMENTS34
5 KEY PERSONNEL35
AppendixPage
A ASSIGN­MENT PLAN38

The mat­ters raised in this report came to our atten­tion dur­ing the course of our audit and are not neces­sar­ily a com­pre­hens­ive state­ment of all weak­nesses that exist or all improve­ments that might be made.

This report has been pre­pared solely for Cairngorms Nation­al Park Authority’s indi­vidu­al use and should not be quoted in whole or in part without pri­or writ­ten con­sent. No respons­ib­il­ity to any third party is accep­ted as the report has not been pre­pared, and is not inten­ded, for any third party.

We emphas­ise that the respons­ib­il­ity for a sound sys­tem of intern­al con­trol rests with man­age­ment and work per­formed by intern­al audit should not be relied upon to identi­fy all sys­tem weak­nesses that may exist. Neither should intern­al audit be relied upon to identi­fy all cir­cum­stances of fraud or irreg­u­lar­ity should there be any although our audit pro­ced­ures are designed so that any mater­i­al irreg­u­lar­ity has a reas­on­able prob­ab­il­ity of dis­cov­ery. Every sound sys­tem of con­trol may not be proof against col­lus­ive fraud. Intern­al audit pro­ced­ures are designed to focus on areas that are con­sidered to be of greatest risk and significance.

wbg 1

1 Exec­ut­ive summary

Cairngorms Nation­al Park Author­ity IT Dis­aster Recovery

Over­view

Pur­pose of review

The pur­pose of this advis­ory review was to assess Cairngorms Nation­al Park Authority’s (the Organisation’s) IT Dis­aster Recov­ery arrange­ments in the con­text of cur­rent hybrid work­ing, cloud-based ser­vices, and recent digit­isa­tion. The review focused on the prac­tic­al effect­ive­ness of recov­ery plan­ning, sup­port­ing doc­u­ment­a­tion, and mit­ig­a­tion meas­ures, provid­ing prag­mat­ic recom­mend­a­tions to strengthen IT resi­li­ence going forward.

This review formed part of our 202526 Intern­al Audit Annu­al Plan.

Scope of review

Our object­ives for this review were to review and advise on the Park Authority’s IT Dis­aster Recov­ery arrange­ments, sup­port­ing the devel­op­ment of pro­por­tion­ate pro­cesses and doc­u­ment­a­tion aligned to its sys­tems, ser­vices, and oper­a­tion­al require­ments. Our object­ives for this review were to assess if:

  • The Organ­isa­tion has a cur­rent and doc­u­mented IT Dis­aster Recov­ery approach appro­pri­ate to its sys­tems, ser­vices, and oper­a­tion­al needs.
  • Roles and respons­ib­il­it­ies for IT recov­ery are clearly defined, com­mu­nic­ated, and under­stood by rel­ev­ant staff.
  • Crit­ic­al IT sys­tems, includ­ing cloud-based SaaS, on premises sys­tems, and spe­cial­ist plat­forms such as Geo­graph­ic inform­a­tion sys­tem (GIS), are iden­ti­fied and included in recov­ery planning.
  • Backup arrange­ments are suf­fi­cient, reli­able, and aligned with oper­a­tion­al require­ments, includ­ing clar­ity over third-party responsibilities.
  • Recov­ery expect­a­tions, includ­ing Recov­ery Time Object­ives and Recov­ery Point Object­ives, are estab­lished and aligned to business

wbg 2

1 Exec­ut­ive summary

Cairngorms Nation­al Park Author­ity IT Dis­aster Recovery

  • pri­or­it­ies.
  • Resi­li­ence and mit­ig­a­tion meas­ures are in place to reduce the like­li­hood and impact of IT ser­vice disruption.
  • Test­ing on recov­ery arrange­ments can be car­ried out in a pro­por­tion­ate and prag­mat­ic way, with les­sons from tests and past incid­ents applied to strengthen plans.
  • IT Dis­aster Recov­ery plan­ning con­siders cyber-related incid­ents, includ­ing the abil­ity to respond to ransom­ware, data cor­rup­tion, or cloud ser­vice dis­rup­tion, and that mit­ig­a­tion and recov­ery meas­ures are appropriate.

We also con­sidered the fol­low­ing areas as part of the review:

  • The organisation’s IT Team’s under­stand­ing of their approach to dis­aster recov­ery, and asso­ci­ated oper­a­tion­al arrange­ments in place, includ­ing arrange­ments shared with Loch Lomond and the Trossachs Nation­al Park Author­ity, and wheth­er there are con­trol gaps in these practices.
  • Wheth­er back-up arrange­ments in place with­in cur­rent oper­a­tions are suf­fi­cient, reli­able, and aligned with oper­a­tion­al require­ments, includ­ing clar­ity over third-party responsibilities.
  • The IT team’s recov­ery expect­a­tions in the event of any loss of systems.
  • The IT team’s under­stand­ing of resi­li­ence and mit­ig­a­tion meas­ures in place or planned to mit­ig­ate the impacts of any ser­vice disruption.
  • The Organisation’s cur­rent approach and con­trols regard­ing cyber security.
  • The extent to which the Organ­isa­tion has developed a writ­ten IT Dis­aster Recov­ery approach doc­u­ment­ing these operational

wbg 3

1 Exec­ut­ive summary

Cairngorms Nation­al Park Author­ity IT Dis­aster Recovery

arrange­ments.

Lim­it­a­tion of scope There was no lim­it­a­tion of scope.

wbg 4

1 Exec­ut­ive summary

Cairngorms Nation­al Park Author­ity IT Dis­aster Recovery

Back­ground

Back­ground and Context

The Organ­isa­tion com­mis­sioned this advis­ory review to con­sider its IT Dis­aster Recov­ery arrange­ments in the con­text of increas­ing reli­ance on cloud-based ser­vices, hybrid work­ing prac­tices, and con­tin­ued organ­isa­tion­al growth. The review formed part of the 202526 Intern­al Audit Plan and was designed to sup­port the devel­op­ment of pro­por­tion­ate and prac­tic­al IT recovery