Year End IT Shutdown Checklist & Disaster Recovery

2025-11-21 21:36:32

A practical, comprehensive guide for preparing your IT environment for year-end closures, skeleton staffing, load-shedding, and increased cyber risk.

South African businesses face a unique end-of-year pattern: extended office closures, reduced staffing, supplier shutdowns, unstable power conditions, and a seasonal rise in opportunistic cyber activity. A structured year-end IT plan protects your environment, reduces incident risk, and ensures your team can recover quickly if something fails while the business is closed.

This checklist provides a clear, repeatable approach to the year-end change freeze, change control, access hardening, backup validation, disaster recovery (DR) testing, on-call readiness, and safe return-to-service when operations resume in January. Use your business continuity plan (BCP) as the baseline so the shutdown aligns with your broader continuity and recovery strategy.

As you work through each section, reference your existing documentation. Any gaps you identify should be logged and assigned for Week 1 in January; early ownership prevents high-pressure firefighting later.

How to Use This Checklist

Each section includes:

  • What to do
  • Why it matters in December
  • How to verify it’s complete

If something can’t be done before shutdown, create a tracked action with an owner and deadline.

Scope

Identify:

  • Systems that must remain available
  • Systems that may pause
  • Services that can be safely stopped during closure

Record any compliance or contractual obligations that mandate minimum service levels.

End-of-year outcomes

A complete plan will give you:

  • A stable and enforced change freeze
  • Hardened remote access
  • Validated backups and a proven DR restore
  • A clear on-call and escalation plan
  • Evidence stored centrally
  • A safe, predictable start-up plan for January

 

Your Detailed Checklist 

1. Your Year-End Operating Plan

Define how IT will run while the business is closed.

What to decide and document

  • Operating state: Which systems continue running (payments, core apps, VPN, websites), and which can pause?
  • Monitoring: Confirm health checks, alert thresholds, alert routing, and who receives notifications during closure.
  • Vendor availability: Document vendor holiday windows, escalation numbers, and after-hours support procedures.
  • Communication timeline: When staff and clients are notified, what they are told, and the channel used (email, intranet, SMS).
  • Evidence storage: Where sign-offs, restore test results, approvals, and operational notes will be stored.

Use your business continuity plan to align minimum service levels with recovery capabilities.

Outcome

A single, shareable page summarising what continues, what stops, and who reacts during the shutdown.

2. IT Change Freeze (When and How to Apply It)

A change freeze reduces outage risk during high-risk periods and limited-staff windows.

Document the freeze clearly

  • Window: start and end dates, systems included
  • Allowed exceptions: emergency patches, critical break-fixes, and compliance-driven changes.
  • Approval path: who signs off exceptions, and under what conditions.
  • Pipelines: lock CI/CD jobs and release branches; require approvals to deploy
  • Audit trail: log all decisions in your ticketing system
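
One way to enforce the documented freeze in a pipeline is a gate that every deploy job calls first. This is an added example, not part of the original checklist; the freeze dates, system names, exception categories, approver roles and ticket IDs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAST = timezone(timedelta(hours=2))  # South Africa Standard Time, no DST

# Constructed freeze record; dates, systems and approver names are placeholders.
FREEZE = {
    "start": datetime(2025, 12, 12, 17, 0, tzinfo=SAST),
    "end": datetime(2026, 1, 5, 8, 0, tzinfo=SAST),
    "systems": {"erp", "crm", "website"},
    "exceptions": {"emergency-patch", "critical-break-fix", "compliance"},
    "approvers": {"it-lead", "security-lead"},
}

@dataclass
class Change:
    system: str
    category: str          # e.g. "feature" or "emergency-patch"
    ticket: str = ""       # ticket reference for the audit trail
    approved_by: str = ""  # who signed off the exception

def gate(change: Change, now: datetime, freeze: dict = FREEZE) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is what gets logged to the ticket."""
    if now.tzinfo is None:
        return False, "deny: naive timestamp, cannot place it in the freeze window"
    if not (freeze["start"] <= now < freeze["end"]):
        return True, "allow: outside freeze window"
    if change.system not in freeze["systems"]:
        return True, "allow: system not covered by the freeze"
    if change.category not in freeze["exceptions"]:
        return False, f"deny: '{change.category}' is not an allowed exception"
    if not change.ticket:
        return False, "deny: exception has no ticket for the audit trail"
    if change.approved_by not in freeze["approvers"]:
        return False, "deny: exception not signed off by a listed approver"
    return True, f"allow: approved exception {change.ticket} by {change.approved_by}"

if __name__ == "__main__":
    # A CI runner reporting UTC: 16:30 UTC on 12 Dec is 18:30 SAST, inside the freeze.
    now = datetime(2025, 12, 12, 16, 30, tzinfo=timezone.utc)
    for c in (Change("website", "feature"),
              Change("erp", "emergency-patch", "CHG-0001", "security-lead"),
              Change("erp", "emergency-patch", "CHG-0002", "developer")):
        print(c.system, c.category, gate(c, now))
```

The gate denies on a timestamp without a timezone rather than guessing, because CI runners commonly report UTC while the freeze window is defined in local time.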

Outcome

Stability over speed. Fewer surprises, fewer incidents, and reduced risk while teams are thin.

3. Disaster Recovery: Prove You Can Restore

Backups are not enough; you must prove you can restore successfully before shutdown.

Run a real restore test

Select a tier-1 workload (critical app or database) and restore it to an isolated, clean environment.

Steps:

  1. Confirm last backup success and available capacity
  2. Restore the workload to a test environment
  3. Validate:
    • Application start-up
    • Dependencies
    • Data integrity
    • Identity and access
  4. Measure recovery time and compare it to your RTO
  5. Document any blockers
  6. Capture evidence: screenshots, logs, timestamps
  7. Update the DR runbook accordingly
  8. Obtain the service owner's sign-off

Outcome

Proof that your environment can be restored, with accurate recovery time expectations during the break.

4. Backup and Restore Procedure

Create a short, repeatable restore procedure for all critical systems.

Include

  • Pre-checks (backup success, destination capacity)
  • Restore steps
  • Validation checks
  • Pass/fail criteria
  • Sign-off procedure
  • Link to the detailed runbook for new team members

5. RTO vs RPO: Set Realistic Targets

  • RTO (Recovery Time Objective): How long it takes to restore service.
  • RPO (Recovery Point Objective): How much data you can afford to lose.

Example table:

Service        RTO    RPO
Finance ERP    4h     30m
CRM            2h     15m
Website        1h     15m

If your restore exceeds RTO or your backup age exceeds RPO limits, create a corrective action for January.
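
The comparison described above can be run against restore-test evidence before shutdown. This is an added example, not part of the original checklist: the targets come from the example table, while the measured restore times, backup timestamps and check time are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Targets from the example table above.
TARGETS = {"Finance ERP": ("4h", "30m"), "CRM": ("2h", "15m"), "Website": ("1h", "15m")}

# Constructed restore-test evidence: measured restore duration and the
# timestamp of the last successful backup. None means no evidence was captured.
EVIDENCE = {
    "Finance ERP": {"restore": "3h20m", "last_backup": datetime(2025, 12, 12, 15, 40)},
    "CRM": {"restore": "2h45m", "last_backup": datetime(2025, 12, 12, 15, 50)},
    "Website": {"restore": None, "last_backup": datetime(2025, 12, 12, 14, 0)},
}

def parse_duration(text: str) -> timedelta:
    """Parse strings such as '4h', '30m' or '3h20m'."""
    m = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?", text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    return timedelta(hours=int(m.group(1) or 0), minutes=int(m.group(2) or 0))

def corrective_actions(targets, evidence, checked_at: datetime) -> list[str]:
    """Compare evidence with targets and list the actions to log for January."""
    actions = []
    for service, (rto, rpo) in targets.items():
        ev = evidence.get(service, {})
        if not ev.get("restore"):
            # A missing restore test is itself a gap, not a pass.
            actions.append(f"{service}: no restore test evidence, RTO unproven")
        elif parse_duration(ev["restore"]) > parse_duration(rto):
            actions.append(f"{service}: restore took {ev['restore']}, RTO is {rto}")
        last = ev.get("last_backup")
        if last is None:
            actions.append(f"{service}: no successful backup recorded")
        elif checked_at - last > parse_duration(rpo):
            age = int((checked_at - last).total_seconds() // 60)
            actions.append(f"{service}: last backup is {age}m old, RPO is {rpo}")
    return actions

if __name__ == "__main__":
    for line in corrective_actions(TARGETS, EVIDENCE, datetime(2025, 12, 12, 16, 0)):
        print(line)
```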

Outcome

Decision-making grounded in realistic recoverability, not assumptions.

6. Office Closure IT Checklist: Devices, Network & Premises

Before Closure:

  • Endpoints:
    • Shut down non-essential laptops/desktops
    • Ensure full-disk encryption
    • Confirm device check-ins and policies are up to date
  • Printers & MFPs:
    • Clear print queues
    • Lock admin panels
    • Confirm data retention settings
    • Power down non-essential devices
  • Network & Wi-Fi:
    • Keep core switching stable
    • Document any intentional port shutdowns
    • Check AP power budgets
  • Server room:
    • Validate access control
    • Ensure CCTV coverage and retention
    • Verify environmental monitoring and alerting

Outcome

A predictable, stable environment with minimal start-up surprises.

7. Secure Remote Access & Identity Hardening

Skeleton staffing increases identity risk. Strengthen controls before closing the office.

Hardening Measures

  • Enforce MFA for all remote and privileged accounts
  • Review VPN groups; remove stale or excessive access
  • Tighten split-tunnel rules
  • Rotate shared secrets, service accounts and API keys
  • Reduce privilege for accounts not needed over the break
  • Elevate logging for sign-in anomalies and endpoint detections
  • Test alert routing to the on-call team
  • Strengthen email impersonation and external-sender warnings

Outcome

Reduced attack surface and improved visibility during a high-risk period.

8. On-Call Roster, Escalation Paths & Vendor Standby

Incidents still happen during holidays. Publish a one-page escalation plan visible to all teams.

Include:

  • People: on-call staff, backup contacts, mobile numbers
  • Severity rules: who leads P1 vs P2, expected response times
  • Decision rights: who may declare a disaster or approve emergency spending
  • Vendor escalation details: after-hours PINs, contract numbers, support windows
  • Templates: customer communication, internal notifications, media holding statement

Outcome

Fast, clear, predictable escalation with no “who do I call?” delays.

9. Incident Response Contacts (Test Before Leaving)

Maintain a contact sheet stored:

  • In your ticketing tool
  • As a PDF in an offline-capable location
  • In a secure shared folder

Test every number before shutdown.

10. Year-End Maintenance (During the Freeze)

A freeze reduces risk, but essential maintenance continues.

Safe to Perform

  • Emergency security patches for vulnerabilities with known exploitation
  • Certificate renewals expiring during closure
  • Cleaning job queues and clearing stuck tasks
  • Monitoring and alerting validation
  • Adjusting log retention for the longer period

Defer Until January

  • Infrastructure upgrades
  • Network reconfiguration
  • Major application releases
  • Non-essential feature deployments

Outcome

Essential hygiene is completed without introducing unnecessary risk.

11. First Day Back: Bring-Up & Verification

Start January with a controlled, checklist-driven process.

Verify

  • Reactivate normal change controls and pipelines
  • Check all scheduled jobs, backups, and integrations
  • Confirm capacity thresholds: storage, queues, brokers
  • Review holiday-period alerts and incidents
  • Power up labelled equipment in the correct sequence
  • Run quick checks across:
    • Websites and apps
    • Identity and authentication
    • Printing
    • Network access

Outcome

You return to a known-good environment with documented validation.

Printable One-Page Checklist

Governance & Comms

  • [ ] Change freeze approved and communicated
  • [ ] Exceptions documented
  • [ ] On-call roster published
  • [ ] Vendor standby confirmed

Data Protection

  • [ ] Backup success verified
  • [ ] DR restore test completed
  • [ ] Evidence stored
  • [ ] Off-site copies rotated

Access & Security

  • [ ] MFA enforced
  • [ ] VPN groups reviewed
  • [ ] Stale access removed
  • [ ] Secrets rotated
  • [ ] Alert routing tested

Operations

  • [ ] Services to pause/continue are defined
  • [ ] Staff and customer comms sent
  • [ ] Floor walk with facilities completed
  • [ ] Non-essential endpoints shut down

Return to Service

  • [ ] Re-enable change flow
  • [ ] Validate backups and jobs
  • [ ] Check critical systems
  • [ ] Review holiday alerts
  • [ ] Re-power equipment

Year-end goes smoothly when decisions are documented and easily accessible.

  • Lock the change freeze.
  • Harden remote access.
  • Prove your restore.
  • Publish the on-call plan.
  • Keep evidence in one place.

FAQs

What is an IT change freeze?

A time-bound pause on non-essential production change to reduce outage risk. Exceptions follow an approval path.

What should a DR checklist include?

Roles, contacts, RTO/RPO values, communication plans, backup/restore steps, test cadence and runbook references.

How often should we test disaster recovery?

Quarterly testing plus a full annual review is a strong baseline for South African SMEs.

What is the difference between RTO and RPO?

RTO = time to recover.

RPO = acceptable data-loss window.

Define both per system.

How do we run a restore test?

Restore to a clean environment, validate app behaviour and data integrity, document timing, capture evidence, and update the runbook.

How do we prepare IT for the holiday shutdown?

Freeze change, harden identity, verify backups, run a restore test, publish on-call details, secure power and premises.

Who belongs on the incident response team?

IT lead, security, facilities, comms, vendor liaisons, and an executive sponsor, including after-hours contacts.

What is DRaaS?

Disaster recovery as a service: replicating workloads to a cloud provider for rapid failover and recovery.

 

Resources

IT service management and project governance guidance

Frameworks like ISO 22301 / SANS 22301 for business continuity management also expect documented, tested RTO/RPO targets as part of your BCMS.