While no business hopes to need it, a disaster recovery plan is crucial to ensuring a company’s digital health—especially in the worst of circumstances. While some businesses keep their disaster recovery planning and operations in-house, others choose to outsource it. A disaster recovery as a service provider can manage a difficult, and ever-changing, task for companies not equipped to handle it themselves or free up valuable time and energy for any organization looking to protect its assets.

As is the case with any other outsourced provider, company leadership must conduct the appropriate research to ensure the vendor is a good fit and qualified to provide the level of service needed. If you’re in the process of vetting DRaaS vendors, make sure to ask these 11 essential questions shared by the members of Forbes Technology Council.

1. ‘Do you back up entire environments?’

With the increased number of ransomware attacks, it is important for a DRaaS provider to back up customer application environment configurations, dependencies and images as well as data. That way, they can recover entire environments rapidly from any cyber disasters. – Govind Rangasamy, Appranix

2. ‘Does your hardware configuration align with our company’s?’

A company’s business continuity plan should contain a disaster recovery plan. If the intent is to outsource DR, then I would check whether the DRaaS team has the right skills and hardware configurations—ones that are in alignment with the company’s configurations. Then, I would ask if they are able to work with the team to do tabletop testing to prove business continuity and remediate any risk. – Shiboo Varughese, CirrusLabs.io

3. ‘What is your view on automation?’

I would ask what their view is on automation and automatic detection of disaster situations. Do they have the mindset to reduce manual operations and systems to give observability into the situation? It is important to be proactive and watchful and detect situations beforehand if possible. – Kaitki Agarwal, A5G Networks, Inc.

4. ‘How do you manage oversubscription and platform headroom?’

DRaaS allows IT professionals to fail-safe business-critical data and applications. In looking for a DRaaS provider, always ask how they manage oversubscription and manage the headroom on the platform. Do they plan or manage for an event where all customers have to declare an event, or do they assume some subset? How do they help customers understand this critical process? – Jason Carolan, Flexential

5. ‘What’s recovered in your stated RTO time frame?’

Many DRaaS vendors will proclaim recovery time objectives in minutes. Have them explain what is recovered in that time frame. Your entire environment? A single server? Is it end-user-verified and ready for use? Disaster recovery is complex and must cover multiple scenarios and use cases; there is no “Easy” button. – Jeffrey Ton, InterVision

6. ‘Can you share examples of real-life experiences?’

Ask them about their real-life experiences. Disaster recovery is not about structured documents but about dealing with disasters when they happen. Real-life examples will show how quickly the DRaaS vendor reacted to the situation and whether they followed the plan, were creative in solving a problem and figured out workarounds to keep the business running. And if you can, ask for references from actual clients. – Nadya Knysh, a1qa

7. ‘What scenarios are you prepared for?’

Ask them what scenarios they are prepared for. It is impossible to list all disasters that can happen. But the more scenarios one is prepared for, the higher the probability of a quicker recovery when the “stuff” hits the fan. Also, if they are prepared for a higher number of scenarios, it shows that they are better prepared for a new scenario, as compared to someone with a smaller number. – Vikram Joshi, pulsd

8. ‘Do your services include zero-knowledge encryption?’

Security would be your No. 1 question. Often, the need for disaster recovery involves the idea that your business, its intellectual property and its compliance need to be brought back up and working. If there’s a third party involved, does it involve zero-knowledge encryption? What would prevent someone on the third-party side from leaking and/or decrypting the information? – WaiJe Coler, InfoTracer

9. ‘When and how often will disaster recovery be simulated and practiced?’

It is crucial to ask this simple, but important, question: When and how often will disaster recovery be simulated and practiced? Every organization that takes this seriously implements practice scenarios on a regular basis, learns from them and improves. – Markus Bernhardt, OBRIZUM

10. ‘Do we lose security controls in a DR state?’

When vetting disaster recovery vendors, the No. 1 question to ask is: Do we lose any security controls when operating in a disaster recovery state? That is, if our organization is forced to failover, are we still able to operate as securely as we do during regular business operations? Do we risk operating in a non-compliant state? For sensitive business operations, security cannot lapse due to an emergency. – Mike Lefebvre, SEI

11. ‘What geographic options do you have?’

There are many types of potential disasters, including natural ones (think earthquakes, hurricanes, tornadoes and so on) and human-caused ones (accidents, wars, terrorist attacks and so on). It’s important to have physical recovery sites outside those regions affected by a disaster, so geographic options can be important. – Blair Currie, Snibble Corp.