Continuity plans are tested through evaluations and exercises periodically and according to defined triggers, such as system changes and external events.
Context and Guidance: Testing is often the only opportunity for an organisation to know whether the plans meet their stated objectives. Testing should be conducted in a controlled environment. The testing program and standards should be enforced to ensure consistency and the ability to interpret results at the organisational level. Standards for continuity testing can include:
• types of tests (e.g., walkthroughs, tabletops, dependency testing, testing backups and spares)
• required test components
• quality assurance standards
• involvement and commitment of plan stakeholders
• reporting standards
• measurement standards
• test plan maintenance
Backup and storage procedures, and related procedures, should be tested to ensure they meet the requirements of the function. Periodic testing of the organisation’s backup and storage procedures helps ensure continued validity as operational conditions change. Additionally, organisations should consider coordination with appropriate stakeholders for the different kinds of IT, OT, and information assets that may be within the scope for exercises, such as virtualised assets, regulated assets, cloud assets, and mobile assets.
Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RESPONSE-4i, RESPONSE-4n.