Moving to a new office is an exciting milestone for any UK business. Whether you are relocating from a cramped serviced office in Shoreditch to a purpose-built space in Canary Wharf, or expanding from a single site in Leeds to a second location in Sheffield, the move represents growth, ambition, and new possibilities. Yet amidst the excitement of choosing furniture, planning desk layouts, and announcing the new address, one critical element is frequently overlooked: disaster recovery planning.
A disaster recovery plan is your organisation's documented strategy for responding to events that disrupt your IT systems and operations. These events range from the dramatic — fire, flood, ransomware attacks — to the mundane but equally disruptive, such as a failed server, a severed internet connection, or an extended power outage. Without a robust disaster recovery plan tailored to your new office environment, even a minor incident can escalate into a business-threatening crisis.
This guide walks you through every step of building a comprehensive disaster recovery plan specifically designed for a new office. It covers risk assessment, infrastructure design, backup strategies, communication protocols, testing procedures, and the ongoing maintenance required to keep your plan effective as your business evolves.
Why a New Office Demands a New Disaster Recovery Plan
Even if you had a disaster recovery plan at your previous location, you cannot simply transfer it to the new office unchanged. Every office environment has unique characteristics that affect your risk profile and recovery capabilities. The building's physical infrastructure, the local utilities, the network connectivity options, the proximity to emergency services, the fire suppression systems, the access control arrangements — all of these factors differ between locations and must be assessed individually.
A new office also presents an opportunity to address weaknesses in your previous disaster recovery arrangements. Perhaps your old office lacked redundant internet connectivity, or the server room had no environmental monitoring, or your backup tapes were stored in the same building as the servers they were backing up. The move is your chance to design disaster recovery into the infrastructure from the start, rather than retrofitting it onto an existing setup.
The National Cyber Security Centre (NCSC) recommends that UK organisations develop their disaster recovery and business continuity plans before relocating, not after. Planning during the office design phase allows you to incorporate resilience measures into the building infrastructure — such as redundant power, fire-resistant server rooms, and diverse network paths — at a fraction of the cost of adding them later. The NCSC's guidance on business continuity planning provides a solid framework that complements the office-specific steps outlined in this guide.
Step 1: Conduct a Business Impact Analysis
Before designing your disaster recovery plan, you must understand what you are protecting and why. A business impact analysis (BIA) identifies your critical systems, quantifies the impact of their unavailability, and establishes the recovery priorities that will guide every subsequent decision.
Start by cataloguing every IT system and service your business relies on. This includes email, file storage, line-of-business applications, accounting software, CRM systems, telephony, internet connectivity, printing, and any specialist tools unique to your industry. For each system, document who uses it, what business processes depend on it, and what happens when it becomes unavailable.
Next, assign two critical metrics to each system: the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). The RTO defines the maximum acceptable downtime — how long can the business survive without this system before suffering serious harm? The RPO defines the maximum acceptable data loss — if we have to restore from backup, how much data can we afford to lose?
| System | Users | RTO | RPO | Priority |
|---|---|---|---|---|
| Email (Microsoft 365) | All staff | 1 hour | 0 (cloud-based) | Critical |
| ERP / Accounting | Finance, Ops | 4 hours | 1 hour | Critical |
| CRM System | Sales, Support | 4 hours | 1 hour | High |
| File Storage | All staff | 2 hours | 15 minutes | Critical |
| Telephony / VoIP | All staff | 1 hour | N/A | High |
| Printing | All staff | 24 hours | N/A | Low |
| Internet Connectivity | All staff | 30 minutes | N/A | Critical |
Step 2: Assess Risks Specific to Your New Office
Every office location carries a unique set of risks. Your disaster recovery plan must account for the specific threats your new premises face, rather than relying on generic assumptions. Conduct a thorough risk assessment that covers natural hazards, infrastructure risks, security threats, and environmental factors.
Begin with the physical location. Is the office in a flood risk zone? The Environment Agency's flood risk maps can tell you instantly whether your new address is at risk from river or surface water flooding. Many UK businesses have discovered too late that their ground-floor server room sits in a high-risk flood area. Is the building near a river, canal, or coastal area? What floor is your office on, and where will your server equipment be located?
Examine the building's infrastructure. What type of fire suppression system is installed? Is there a backup power supply, such as a generator or uninterruptible power supply (UPS)? What is the building's power supply arrangement — single feed or dual feed? Is there a history of power outages in the area? What are the building's access control arrangements, and how do they affect your ability to reach your equipment during an emergency?
Consider connectivity risks. How many internet service providers serve the building? Is there access to diverse physical paths — for example, fibre from two different exchanges entering the building via different routes? A single point of failure in your internet connectivity can render your entire office inoperable, particularly if you rely on cloud services.
Step 3: Design Your Backup Strategy
Your backup strategy is the cornerstone of disaster recovery. Without reliable, tested, and properly managed backups, recovery from any serious incident becomes impossible. For a new office, you have the opportunity to implement a backup architecture that meets your RPO requirements from day one.
The gold standard for backup in 2026 is the 3-2-1-1 rule: maintain at least three copies of your data, stored on at least two different types of media, with at least one copy stored off-site and one copy stored offline or in an immutable format. This final element — the immutable or offline copy — has become essential in the age of ransomware, where attackers specifically target backup systems to prevent recovery.
For UK businesses moving to a new office, consider the following backup architecture: local backups to a network-attached storage device or dedicated backup server in your office, replicated to a UK-based cloud backup service for off-site protection, with periodic immutable snapshots that cannot be modified or deleted even by an administrator. This approach provides fast local recovery for minor incidents, cloud-based recovery for site-wide disasters, and ransomware-proof immutable copies as a last line of defence.
Strong Backup Strategy
- 3-2-1-1 rule fully implemented
- Automated backup schedules with monitoring
- UK-based cloud replication for GDPR compliance
- Immutable snapshots for ransomware protection
- Regular restore testing (monthly minimum)
- Backup encryption in transit and at rest
- Documented recovery procedures for each system
- Backup monitoring with automated failure alerts
Weak Backup Strategy
- Single backup copy in the same building
- Manual backup processes prone to human error
- No off-site or cloud replication
- No protection against ransomware encryption
- Backups never tested or verified
- No encryption on backup data
- Recovery procedures undocumented
- No monitoring — failures go unnoticed for weeks
Step 4: Build Redundancy into Your Infrastructure
A disaster recovery plan should not only address how to recover from failures but also how to prevent them from causing downtime in the first place. Building redundancy into your new office infrastructure reduces the likelihood that any single failure will disrupt your operations.
Start with internet connectivity. Every UK business office should have at least two independent internet connections from different providers, ideally using different technologies (for example, one leased line and one FTTP connection) entering the building via different physical routes. Configure your firewall for automatic failover so that if one connection drops, traffic seamlessly switches to the other without user intervention.
Consider power redundancy. Install an uninterruptible power supply (UPS) for your critical infrastructure — servers, switches, firewalls, and access points. A UPS provides battery backup during brief power outages and clean shutdown time during extended outages. For businesses with on-premises servers, a UPS with 30 to 60 minutes of runtime gives you enough time to either ride out a brief outage or gracefully shut down systems to prevent data corruption.
For network infrastructure, deploy redundant switches and access points to eliminate single points of failure. If a single switch failure could disconnect an entire floor of your new office, you need additional switches configured for failover. Similarly, ensure your Wi-Fi coverage includes overlapping access point zones so that the failure of any one access point does not create a dead zone.
Step 5: Define Your Communication Plan
When disaster strikes, clear communication is as important as technical recovery. Your disaster recovery plan must include a detailed communication protocol that defines who needs to be informed, in what order, through which channels, and with what information.
Identify your key stakeholders: the internal disaster recovery team, senior management, affected staff, customers, suppliers, your IT support provider, your internet service provider, and — if personal data may have been compromised — the Information Commissioner's Office (ICO). Under GDPR, you have 72 hours from becoming aware of a personal data breach to report it to the ICO, so your communication plan must include this regulatory requirement.
Establish communication channels that do not depend on your office infrastructure. If your office is inaccessible or your internet is down, you cannot rely on office email or desk phones to coordinate your response. Ensure your disaster recovery team has access to mobile phones, a messaging application such as Microsoft Teams or WhatsApp (accessed via mobile data), and a pre-agreed meeting point or video call link for crisis coordination.
Step 6: Document Everything
A disaster recovery plan that exists only in someone's head is not a plan at all. Every element of your disaster recovery strategy must be documented in a clear, accessible format that any authorised person can follow under pressure. Remember that the person executing the plan during a crisis may not be the same person who wrote it, and they may be working under extreme stress with limited resources.
Your documentation should include a contact list for all key personnel and vendors, step-by-step recovery procedures for each critical system, network diagrams and configuration details for your new office, login credentials stored securely in a password manager or sealed envelope, backup locations and access procedures, communication templates for staff and customer notifications, and a decision tree for escalation based on the severity of the incident.
Store copies of the plan in multiple locations: a digital copy in your cloud storage, a printed copy in the office (in a fireproof safe), and a digital copy accessible remotely by the disaster recovery team. Ensure the plan is reviewed and updated at least quarterly, or whenever a significant change occurs in your infrastructure.
Step 7: Test Your Plan Before You Move In
An untested disaster recovery plan is a hope, not a strategy. Before your team moves into the new office, conduct at least a tabletop exercise — and ideally a full simulation — to verify that your plan works in practice. Testing reveals gaps, incorrect assumptions, and procedural weaknesses that are invisible on paper.
A tabletop exercise involves gathering your disaster recovery team around a table and walking through a hypothetical scenario step by step. For example: "It is 9 AM on a Tuesday. A ransomware attack has encrypted all files on the server and the attacker is demanding £50,000 in Bitcoin. The attack appears to have originated from a phishing email received yesterday. Walk me through what happens next." Each team member describes their actions, and the facilitator identifies gaps and conflicts in the responses.
A full simulation goes further by actually executing recovery procedures. Restore a server from backup. Switch to the secondary internet connection. Activate the emergency communication plan. Measure how long each step takes and compare it to your RTO targets. Document every issue encountered and update the plan accordingly.
Under GDPR Article 32, UK organisations are legally required to implement "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident." This means that disaster recovery is not merely a best practice — it is a legal obligation for any business that processes personal data. The ICO has the power to fine organisations up to £17.5 million or 4% of annual global turnover for failures in data protection, and inadequate disaster recovery arrangements can contribute to enforcement action following a data breach.
Ongoing Maintenance and Review
A disaster recovery plan is a living document, not a one-time project. After moving into your new office, establish a regular review cycle to keep the plan current and effective. Schedule quarterly reviews to check for changes in your IT environment, such as new systems, new staff, or changes to your network architecture. Conduct annual full tests to verify recovery capabilities. Update contact information whenever staff changes occur. Review and update vendor contracts to ensure they align with your recovery requirements.
As your business grows and evolves in the new office, your disaster recovery plan must evolve with it. New systems, new integrations, new compliance requirements, and new threats all demand updates to your recovery strategy. The effort invested in maintaining your plan pays for itself many times over the first time you need to use it.
Need Help Building Your Disaster Recovery Plan?
Cloudswitched helps UK businesses design, implement, and test disaster recovery plans tailored to their specific environments and risk profiles. Whether you are moving to a new office or strengthening your existing arrangements, our team can ensure your business is prepared for whatever comes next.
Speak to Our Team
CloudSwitched
Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.