T9.3.1 - TESTING, MAINTAINING AND RE-ASSESSING INFORMATION SYSTEMS CONTINUITY PLANS - Implementation Guidance
The entity shall test, maintain and re-assess its information systems continuity plans.
Business continuity plan tests should ensure that all members of the recovery team and other relevant staff are aware of the plans and their responsibility for business continuity and information security and know their role when a plan is invoked.
The test schedule for business continuity plan(s) should indicate how and when each element of the plan should be tested. Each element of the plan(s) should be tested frequently.
A variety of techniques should be used in order to provide assurance that the plan(s) will operate in real life. These should include:
- A. Table-top testing of various scenarios (discussing the business recovery arrangements using example interruptions)
- B. Simulations (particularly for training people in their post-incident/crisis management roles)
- C. Technical recovery testing (ensuring information systems can be restored effectively)
- D. Testing recovery at an alternate site (running business processes in parallel with recovery operations away from the main site)
- E. Tests of supplier facilities and services (ensuring externally provided services and products will meet the contracted commitment)
- F. Complete rehearsals (testing that the entity, personnel, equipment, facilities, and processes can cope with interruptions)
These techniques can be used by any entity. They should be applied in a way that is relevant to the specific recovery plan. The results of tests should be recorded and actions taken to improve the plans, where necessary.
Responsibility should be assigned for regular reviews of each business continuity plan. The identification of changes in business arrangements not yet reflected in the business continuity plans should be followed by an appropriate update of the plan. This formal change control process should ensure that the updated plans are distributed and reinforced by regular reviews of the complete plan.
Examples of changes where updating of business continuity plans should be considered are the acquisition of new equipment, the upgrading of systems, and changes in:
• Personnel
• Addresses or telephone numbers
• Business strategy
• Location, facilities, and resources
• Legislation
• Contractors, suppliers, and key customers
• Processes, or new or withdrawn ones
• Risk (operational and financial)