2.9 Testing
Principle
The Member Organization should define, approve, implement, execute and monitor regular BCP and DRP tests to train its employees and third parties and to test the effectiveness of the BC and DR plans.
Objective
To ensure that the Member Organization's existing BCP and DRP work as defined and that employees and third parties are trained to execute these plans.
2.9.1 BCP Testing
Control considerations
1. The Member Organization should periodically conduct BCP simulation test exercises ("at least once a year").
2. The tests should consider appropriate scenarios that are well planned with clearly defined objectives (e.g., per function, per service, per process, per location, per worst-case scenario). The Member Organization should also consider including cyber security scenarios.
3. Defined test scenarios should cover the activation and involvement of the crisis management team.
4. After the completion of the above individual tests, each Member Organization should consider conducting an integrated BCM test for all critical services, business processes and functions.
2.9.2 DRP Testing
Control considerations
- The Member Organization should periodically execute a DR test combined with BCP ("at least once a year").
- The Member Organization should evaluate the executed DR test of the IT DR infrastructure that supports the Member Organization's critical systems, to ensure that DR is ready and capable of resuming critical business operations for a period of time in the event of a major disaster.
- The DR test results should provide an evaluation and suggestions for improvements to manage disruptive events impacting the Member Organization's business continuity.
- The DR test should cover the activation and involvement of the crisis management team.
2.9.3 Executed Tests
1. Detailed results of all exercises and tests should be documented for future reference. The exercise/test results should include, but not be limited to, the following:
a. Confirmation that the objectives of the exercised plan were met
b. Confirmation of the capabilities and readiness of recovery resources
c. Lessons learnt and the required improvements
d. In case of failure, the root cause of the failure; remediation actions should be tracked to successful conclusion
2. In case of a failure, the plan should be re-tested within the defined timelines, which should not exceed three (3) months.
3. The Internal Audit of the Member Organization, or a qualified external auditor, should observe the business continuity and disaster recovery testing activities as an independent participant, in order to provide reasonable assurance on the executed activities and test results and to observe whether the executed tests meet the Member Organization's overall Business Continuity program objectives.
4. All BCP and DRP test results should be reported to the BCM committee, senior management and the board of directors.