Test the continuity plan, as necessary.


CONTROL ID
00755
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity plan testing program., CC ID: 14829

This Control has the following implementation support Control(s):
  • Include coverage of all major components in the scope of testing the continuity plan., CC ID: 12767
  • Include third party recovery services in the scope of testing the continuity plan., CC ID: 12766
  • Validate the emergency communications procedures during continuity plan tests., CC ID: 12777
  • Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan., CC ID: 12769
  • Involve senior management, as necessary, when testing the continuity plan., CC ID: 13793
  • Test the continuity plan under conditions that simulate a disaster or disruption., CC ID: 00757
  • Test the continuity plan at the alternate facility., CC ID: 01174
  • Conduct full recovery and restoration of service testing for high impact systems at the alternate facility., CC ID: 01404


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Contingency plans should be maintained and regularly tested by AIs and their service providers to ensure business continuity, e.g. in the event of a breakdown in the systems of the service provider or telecommunication problems with the host country. (2.7.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • AIs' IT function should establish a service level agreement with business lines covering availability of e-banking systems. Against this system availability benchmark, AIs should maintain and service the relevant IT facilities and equipment in accordance with industry practices and suppliers' recomm… (§ 9.5.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs' IT function should establish a service level agreement with business lines covering availability of e-banking systems. Against this system availability benchmark, AIs should maintain and service the relevant IT facilities and equipment in accordance with industry practices and suppliers' recomm… (§ 9.5.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs are expected to conduct testing of their BCP at least annually. Senior management should participate in the annual testing and be aware of what they are personally required to do in the event of their BCP being invoked. In addition, both recovery and alternate personnel should participate in pla… (6.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • AIs should not consider their BCP as complete if the plans have not been subject to proper periodic testing. Testing is needed to ensure that the BCP is operable. Testing entails verifying the awareness and preparedness of AIs’ personnel as well as determining how well the BCP really works. (6.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested; (5.2.3 (e), Guidelines on Outsourcing)
  • Proactively seek assurance on the state of BCP preparedness of the service provider, or participate in joint testing, where possible. It should ensure the service provider regularly tests its BCP plans and that the tests validate the feasibility of the RTO, RPO and resumption operating capacities. S… (5.7.2 (b), Guidelines on Outsourcing)
  • The disaster recovery plan should be reviewed, updated and tested regularly in accordance with changing technology conditions and operational requirements. (§ 5.1.9, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should test and validate at least annually the effectiveness of recovery requirements and the ability of staff to execute the necessary emergency and recovery procedures. (§ 8.3.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • As all systems are vulnerable, the FI should define its recovery and business resumption priorities. The FI should also test and practise its contingency procedures so that disruptions to its business arising from a serious incident may be minimised. (§ 8.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Calls for testing and maintaining the business continuity plan. There are a variety of testing approaches to consider. One such approach is called "Paper". This method ensures there is adequate capacity and availability of resources when the BCP is activated. Conducting this test requir… (Pg 62, Pg 63, Pg 78, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The organization should periodically verify that the recovery timeframes in agreements are achievable. (Attach B ¶ 8, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should test the resilience and recovery capabilities at least annually. (Attach B ¶ 9, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement a multi-year testing schedule to verify recovery operations at all locations, including offsite locations. (Attach B ¶ 9, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should clearly define the criteria for a successful test of the recovery plan, including when retesting is required. (Attach B ¶ 10, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • It is important that the success criteria for the testing of resilience and recovery are clearly defined, including the circumstances under which re-testing would be required. Test results and associated follow-up actions are typically formally tracked and reported. (Attachment B ¶ 10, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions' testing of their BCPs should demonstrate that they are able to sustain the viability of their businesses until critical operations are re-established. In particular they should: (3.7.4 89, Final Report EBA Guidelines on ICT and security risk management)
  • develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and (4.15 107(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • The Business Continuity Plans should be adequately documented and tested. (¶ 16, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Backup media and restoration procedures must be tested with dedicated test media by qualified employees at regular intervals. The tests are designed in such a way that the reliability of the backup media and the restoration time can be audited with sufficient certainty. The tests are carried out by … (Section 5.6 RB-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The business impact analysis as well as the business continuity plans and contingency plans are verified, updated and tested at regular intervals (at least once a year) or after essential organisational or environment-related changes. The tests also involve affected customers (tenants) and relevant … (Section 5.14 BCM-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The provisions governing the data backup procedures (excluding data archiving) shall be set out in writing in a data backup strategy. The requirements contained in the data backup strategy for the availability, readability and timeliness of the customer and business data as well as for the IT system… (II.7.51, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • business continuity plan; and (§ 10.1 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans on a risk-based approach. Where possible and relevant, this testing should align to, support, or even be a component of firms' scenario testing under Operational Resilience – CRR Firms … (§ 10.19, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization must test the counter-terrorist contingency plan regularly. For high risk organizations, the plan must be tested at least annually. For moderate risk organizations, the plan must be tested at least once every 2 years. For low risk organizations, the plan must be tested at least ever… (Mandatory Requirement 68, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must test and review the Business Continuity Plan at least annually or after a significant organizational change. (Mandatory Requirement 70, HMG Security Policy Framework, Version 6.0 May 2011)
  • For moderate risk organizations, the counter-terrorist contingency plan must be tested at least once every 2 years. (Mandatory Requirement 68.b, HMG Security Policy Framework, Version 6.0 May 2011)
  • For low risk organizations, the counter-terrorist contingency plan must be tested at least every 3 – 5 years or tested as part of the business continuity and emergency evacuation tests. (Mandatory Requirement 68.c, HMG Security Policy Framework, Version 6.0 May 2011)
  • For a Business Continuity Management program to be effective, it must be tested, reviewed, and updated and be supported by trained staff. (Security Policy No. 7 ¶ 4 Bullet 4, HMG Security Policy Framework, Version 6.0 May 2011)
  • The entity periodically tests the effectiveness of its business continuity and resiliency plans, procedures and capabilities to make sure that they continue to protect the entity from the adverse effects of unplanned system outages or damages that render systems and information assets unavailable or… (S7.5 Implements business continuity plan testing, Privacy Management Framework, Updated March 1, 2020)
  • The continuity plan should be tested to ensure the organization can execute the plan in the event of a disruption. (¶ 44, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Procedures should be implemented to test the backups and the disaster recovery procedures on a regular basis. (¶ 19.6 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Procedures should be defined and validated for system failures or breakdowns. (¶ 16, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan… (DS4.5 Testing of the IT Continuity Plan, CobiT, Version 4.1)
  • The business continuity plan should be regularly tested for each component. The testing program should lead to an objective assurance that the plan will work when it is required. The testing program should test the logistical, administrative, technical, procedural, other operational systems, busines… (§ 5.4.1, § 9.2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • Testing should be accomplished at least annually. (§ 9.3 Table 1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The organization must exercise its business continuity management arrangements to ensure they meet its business requirements. The organization must develop exercises consistent with the scope of the business continuity management system; have a program that is approved by top management to ensure ex… (§ 4.4.2, BS 25999-2, Business continuity management. Specification, 2007)
  • Continuity and recovery plans should be tested, maintained, and audited. This will ensure the plans are constantly improved and updated; the staff is familiar with the plans' procedures; the plans are relevant and fit for purpose; the resource requirements are planned for and understood; and governa… (§ 5.2 ¶ 3(e), § 5.6 ¶ 2(f), § 9.3 ¶ 1, § 9.3 ¶ 2, § 9.7.3 ¶ 5, § 9.7.4, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The accepted best practice is to test the plan on a yearly basis, but the frequency will depend on the individual circumstances of the organization. (§ 9.5 ¶ 1, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The steps a technical test of the business continuity plan will be likely to contain include: • Agree to the scope and objectives of the test • Agree on the budget for the test if required • Assign personnel to conduct the test • Devise a simple scenario and set of assumptions that puts the … (Stage 5.1 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The business continuity plan or the entity-level business continuity management policy should include exercise/test requirements. Most standards used have 3 requirements: 1. Tests must be done at periodic intervals. 2. Tests should address various threats/scenarios. 3. A method must be available to … (§ 5.8 ¶ 2, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • Large-scale exercises of the business continuity plans and the business continuity management programs should be done annually at a minimum. Complex environments and environments that have a significant impact on the organization may require more frequent testing. Factors that may increase the need … (§ 5.8 ¶ 1, § 5.8.B, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization should include periodic testing of the incident and emergency management and response procedures when it develops its incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(n), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The emergency plan should be tested regularly. (Revised Volume 3 1-I-12, Protection of Assets Manual, ASIS International)
  • The Business Continuity program should apply across the organization and require each individual business environment to review and test Business Continuity plans and arrangements on a regular basis (e.g., as part of a Business Continuity exercise). (CF.20.02.05f, The Standard of Good Practice for Information Security)
  • Business Continuity plans and arrangements should be tested on a regular basis, and at least annually. (CF.20.07.01, The Standard of Good Practice for Information Security)
  • Each Business Continuity Plan should be tested on a regular basis. (CF.20.05.10d, The Standard of Good Practice for Information Security)
  • Tests of Business Continuity plans and arrangements should be based on the organization's recovery requirements. (CF.20.07.06, The Standard of Good Practice for Information Security)
  • The Business Continuity program should apply across the organization and require each individual business environment to review and test Business Continuity plans and arrangements on a regular basis (e.g., as part of a Business Continuity exercise). (CF.20.02.05f, The Standard of Good Practice for Information Security, 2013)
  • Business Continuity plans and arrangements should be tested on a regular basis, and at least annually. (CF.20.07.01, The Standard of Good Practice for Information Security, 2013)
  • Each Business Continuity Plan should be tested on a regular basis. (CF.20.05.10d, The Standard of Good Practice for Information Security, 2013)
  • Tests of Business Continuity plans and arrangements should be based on the organization's recovery requirements. (CF.20.07.06, The Standard of Good Practice for Information Security, 2013)
  • The disaster recovery procedures should be tested regularly. (Action 1.3.4, SANS Computer Security Incident Handling, Version 2.3.1)
  • Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supp… (BCR-02, Cloud Controls Matrix, v3.0)
  • Exercise and test business continuity and operational resilience plans at least annually or upon significant changes. (BCR-06, Cloud Controls Matrix, v4.0)
  • Service continuity plans and availability plans shall be tested. (§ 6.3.3 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Retest the service continuity plans and availability plans after major changes to the service environment. (§ 6.3.3 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives. (§ 8.5 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. (§ 8.5 ¶ 2 g), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • be measurable, (§ 6.2 ¶ 2 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements, (§ 8.5 ¶ 2 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • are consistent with the scope and objectives of the BCMS, (§ 8.5 ¶ 2 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness; (§ 9.1.2 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal aud… (§ 5.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The communication and warning procedures shall be regularly exercised. (§ 8.4.3 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; (§ 9.1.2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • taken together over time, validate its business continuity strategies and solutions; (§ 8.5 ¶ 2 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall conduct exercises and tests that: (§ 8.5 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • undertake evaluations through reviews, analysis, exercises, tests, post-incident reports and performance evaluations; (§ 8.6 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • All ICT systems that are essential for disaster recovery should be tested by the service provider on a regular basis to ensure their continuing capability to support the disaster recovery plans. The tests should also occur whenever there are significant changes in the organizational requirements and… (§ 5.10, § 7.15.6.2, § 7.15.6.3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Emergency drills should be periodically conducted to maintain staff alertness and reduce the chance of confusion if an unplanned event occurs. The planning, conducting, documenting, and reviewing of emergency drills should be governed by conducting them at least once a year and whenever significant … (§ 7.15.6.1, § 7.15.6.3(a), § 7.15.6.3(b), § 7.15.6.3(j), ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • All plans should be tested frequently to ensure that all personnel know their roles. (§ 14.1.5, ISO 27002 Code of practice for information security management, 2005)
  • At planned intervals, the service continuity plan(s) shall be tested against the service continuity requirements. The service continuity plan(s) shall be re-tested after major changes to the service environment. The results of the tests shall be recorded. Reviews shall be conducted after each test a… (§ 8.7.2 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. (§ 5.30 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The security program, in relation to protecting personal information, should include the testing of Disaster Recovery Plans and Business Continuity Management plans. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should test the Disaster Recovery Plans and contingency plans on an annual basis. (Table Ref 8.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the poten… (A1.3 Implements Business Continuity Plan Testing, Trust Services Criteria)
  • Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the poten… (A1.3 ¶ 2 Bullet 1 Implements Business Continuity Plan Testing, Trust Services Criteria, (includes March 2020 updates))
  • Recovery plan procedures supporting system recovery are tested to help meet the entity’s availability commitments and system requirements. (A1.3, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • (R 3510(b), NASD Manual)
  • Program plans, procedures, and capabilities must be evaluated by the organization by performing periodic tests and exercises. Exercises must be designed to test interrelated elements, individual essential elements, or the entire plan(s) and should include at least tabletops, simulations, and full op… (§ 5.14.1, § 5.14.3, Annex A.5.14.3, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Test each of the recovery plans referenced in Requirement R1 at least once every 15 calendar months: (CIP-009-6 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Does the Business Continuity and Disaster Recovery program include a maintenance schedule to Revise and test the plan? (§ K.1.2.5, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Are Business Continuity and Disaster Recovery tests conducted at least annually? (§ K.1.4, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Is there periodic testing of the pandemic plan? (§ K.2.10, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Individuals with specific responsibilities during an emergency should be properly trained in their duties. (Pg 21, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002)
  • For systems with automatic controls, the emergency procedures should be tested regularly to ensure the controls work properly. (Pg 21, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002)
  • § 3.4 ¶ 1: The organization shall include contingency plans in the management planning process and shall test the contingency plans on an annual basis. If the backup facility testing is performed by Medicare contract type, each individual Medicare contract type shall be tested annually. § 3.4 ¶ … (§ 3.4 ¶ 1, § 3.4 ¶ 3, App A § 6 ¶ 1, App A § 6.3.2 ¶ 3, CMS Business Partners Systems Security Manual, Rev. 10)
  • The contingency plan shall be tested annually under conditions that simulate a disaster or an emergency. (App A § 6 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • The business owner shall conduct security controls testing annually. The business owner shall conduct contingency plan testing annually. (§ 2.9, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • CSR 3.6.7(5): The secure information system recovery and reconstitution procedures must include fully testing the system. CSR 5.6.3: The organization must periodically test the emergency procedures. (CSR 3.6.7(5), CSR 5.6.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • CSR 5.7.1: The organization must test the contingency plan annually using tabletop exercises and operational tests. CSR 5.7.2: The organization must test the disaster recovery plan annually or when a major change is made. (CSR 5.7.1, CSR 5.7.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The business owner shall test the contingency plan every 365 days. (§ 2.9, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the S… (§242.1004 ¶ 1(b), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The organization must test the Continuity of Operations plan or the Disaster Recovery Plan on an annual basis. (COED-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must test the Continuity of Operations plan, the Disaster Recovery Plan, or significant parts of the plan on a semi-annual basis. (COED-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Ensure the Continuity Of Operations or Disaster Recovery Plans are exercised annually. (COED-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The disaster recovery plan must include procedures for testing the plan. (§ 8-615, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Procedures shall be implemented to periodically test the contingency plans. The covered entity shall assess these procedures to determine if it is a reasonable and appropriate safeguard in the environment and, if it is reasonable and appropriate, then implement it, or document why it is not reasonab… (§ 164.308(a)(7)(ii)(D), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • (§ I.A.4.b(i), The National Strategy to Secure Cyberspace, February 2003)
  • A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations. (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the: - Incorporation of the BIA and risk assessment into the BCP and testing prog… (Principles of the Business Continuity Testing Program, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Local, regional, or national testing/exercises. (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The board and senior management should provide for appropriate exercises and tests to verify that business continuity procedures support business continuity objectives. Exercises and tests should be used to validate one or more aspects of the entity's BCP. (VII Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Testing business continuity plans. (App A Objective 2:3c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Available during adverse events. (App A Objective 2:1c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Identify any gaps between business continuity procedures and objectives. (App A Objective 10:11g, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Management responsibility to document, maintain, and test the plan and backup systems periodically according to risk. (App A Objective 12:9 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The testing program should be used to ensure the organization can continue to operate if a disaster occurs and should be organization-wide and implemented by the Board. The testing program should address roles and responsibilities, using an independent assessment, frequency and scope of the testing,… (Pg 4, Pg 17 thru Pg 25, Pg E-6, Pg H-3 thru Pg H-5, Exam Tier I Obj 2.4, Exam Tier I Obj 8.11, Exam Tier I Obj 10.1 (Testing Policy), Exam Tier I Obj 10.1 (Testing Strategy), Exam Tier I Obj 10.3 (Testing Strategy), Exam Tier I Obj 10.2 (Execution, Evaluation, and Re-Testing), Exam Tier I Obj 10.3 (Execution, Evaluation, and Re-Testing), Exam Tier I Obj 10.4 (Execution, Evaluation, and Re-Testing), Exam Tier II Obj 2.1 (Scenarios), Exam Tier II Obj 2.2 (Scenarios), Exam Tier II Obj 2.1 (Plans), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The continuity plan should be tested at least annually or, more frequently, if changes are made to the system. (Pg 4, Pg 20, Pg G-5, Exam Tier I Obj 10.3 (Testing Policy), Exam Tier I Obj 10.4 (Testing Strategy), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The continuity plan should be periodically tested. (Pg 36, Obj 5.5, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should test the continuity plan on a periodic basis. The results of the test should be reported to the Board of Directors. (Pg 30, FFIEC IT Examination Handbook - Management)
  • The back-up telecommunications system should be tested during the continuity plan testing. Personnel should be tested to ensure they are aware of their responsibilities. (Pg 29, Pg 35, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine if the institution periodically conducts drills to test emergency procedures. (Exam Tier II Obj F.5, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should ensure the service provider tests the continuity plan for all critical services on an annual or more frequent basis. (Pg 26, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Financial institutions and their TSPs should develop, implement, and test appropriate disaster recovery and business continuity plans capable of maintaining acceptable retail payment-related customer service levels. For financial institutions and service providers with complex retail payment operati… (Business Continuity Planning, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business continuity planning. Consider: (App A Tier 1 Objectives and Procedures Objective 3:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate the adequacy of the ACH contingency plan; determine whether the financial institution has tested it and whether it includes provisions for partial or complete failure of the system or communication lines between the institution, ACH operators, customers, and associated data centers. (App A Tier 2 Objectives and Procedures L.1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Based on the volume and importance of ACH activity, evaluate whether the plan is reasonable and whether it provides for a reasonable recovery period. (App A Tier 2 Objectives and Procedures L.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization and service providers should test their continuity plans on a regular basis. (Pg 34, Exam Tier I Obj 2.3, Exam Tier II Obj 5.1, Exam Tier II Obj 12.1, Exam Tier II Obj 12.6, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Determine whether the frequency and methods of testing contingency plans are adequate. (Exam Tier II Obj 12.6, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should test the continuity plans. (Pg 33, Exam Tier I Obj 2.5, Exam Tier II Obj 10.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (SC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The service provider must develop contingency test plans in accordance with National Institute of Standards and Technology Special Publication 800-34 and provide the contingency test plans to the Federal Risk and Authorization Management Program before initiating the testing. (Column F: CP-4a, FedRAMP Baseline Security Controls)
  • The Joint Authorization Board must approve and accept the contingency test plans. (Column F: CP-4a, FedRAMP Baseline Security Controls)
  • Tests the contingency plan for the information system [FedRAMP Assignment: at least annually] using [FedRAMP Assignment: functional exercises] to determine the effectiveness of the plan and the organizational readiness to execute the plan (CP-4a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Tests the contingency plan for the information system [FedRAMP Assignment: at least annually for moderate impact systems; at least every three years for low impact systems] using [FedRAMP Assignment: functional exercises for moderate impact systems; classroom exercises/table top written tests for lo… (CP-4a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Tests the contingency plan for the information system [FedRAMP Assignment: at least annually for moderate impact systems; at least every three years for low impact systems] using [FedRAMP Assignment: functional exercises for moderate impact systems; classroom exercises/table top written tests for lo… (CP-4a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • If Federal Tax Information is included in the organization contingency plan, the plan must be tested periodically to ensure procedures are in place to recover in the established timeframe. (§ 5.6.6, Exhibit 4 CP-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is the Business Continuity Plan or Disaster Recovery Plan tested periodically? (IT - Business Continuity Q 5a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include testing the Business Continuity plans and the Disaster Recovery Plans? (IT - Policy Checklist Q 20, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.7.7 Bullet 1: Implement procedures to periodically test the contingency plan. § 4.7.7 Bullet 2: Test the contingency plan on a predefined cycle if reasonable and appropriate. § 4.7.7 Bullet 6: Establish the types and cost of testing based on sustained service loss and business impact. (§ 4.7.7 Bullet 1, § 4.7.7 Bullet 2, § 4.7.7 Bullet 6, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Testing of the contingency plan allows deficiencies to be identified and addressed by validating the system components and the operation of the plan. Testing should be accomplished in an environment as close to normal as possible. Each component should be tested to confirm that the individual recove… (§ 3.5.1, § 3.5.4, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • An annual tabletop exercise should be conducted on low-impact systems. An annual functional exercise should be conducted on moderate-impact systems. An annual full-scale functional exercise should be conducted on high-impact systems. (§ 3.5.4, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. (CP-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. (CP-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. (CP-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. (CP-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. (CP-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. (CP-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • (§ 3.6.5, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the contingency plan is tested, the results of the tests are documented, the test results are reviewed and any necessary corrective actions are taken, the tests cover the main aspects of the contingency plan, and specific responsibili… (CP-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Organizational records and documents should be examined to ensure the organization tests the contingency plan at least annually. (CP-4.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cyberse… (§ 6.2.6 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. (T0070, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The Continuity of Operations plan must be tested for effectiveness and the test results documented. (SG.CP-5 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must test the Continuity of Operations plan on an organization defined frequency. (SG.CP-5 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use the backup information on a selective basis in restoring system functions as part of the Continuity Of Operations testing. (SG.IR-10 Requirement Enhancements 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to test the contingency plan. (App F § CP-4(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must periodically test and/or exercise the contingency plan for effectiveness and readiness to execute. (App F § CP-4.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. (T0070, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct functional and connectivity testing to ensure continuing operability. (T0029, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization tests the contingency plan for the information system {organizationally documented frequency} using {organizationally documented tests} to determine the effectiveness of the plan and the organizational readiness to execute the plan. (CP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization tests alternate telecommunication services {organizationally documented frequency}. (CP-8(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization tests the contingency plan for the information system {organizationally documented frequency} using {organizationally documented tests} to determine the effectiveness of the plan and the organizational readiness to execute the plan. (CP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization tests the contingency plan for the information system {organizationally documented frequency} using {organizationally documented tests} to determine the effectiveness of the plan and the organizational readiness to execute the plan. (CP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization tests the contingency plan for the information system {organizationally documented frequency} using {organizationally documented tests} to determine the effectiveness of the plan and the organizational readiness to execute the plan. (CP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; (CP-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan. (CP-4(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Test the contingency plan using [Assignment: organization-defined automated mechanisms]. (CP-4(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. (CP-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • § A.3.a.2.e: The security plan shall contain provisions for establishing and periodically testing the ability to continue to provide service based on the needs and priorities of the users. § A.3.b.2.d: The application security plan shall contain provisions for establishing and periodically testing… (§ A.3.a.2.e, § A.3.b.2.d, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Tests the contingency plan for the information system [TX-RAMP Assignment: at least annually for moderate impact systems; at least every three years for low impact systems] using [TX-RAMP Assignment: functional exercises for moderate impact systems; classroom exercises/table top written tests for lo… (CP-4a., TX-RAMP Security Controls Baseline Level 1)
  • Tests the contingency plan for the information system [TX-RAMP Assignment: at least annually for moderate impact systems; at least every three years for low impact systems] using [TX-RAMP Assignment: functional exercises for moderate impact systems; classroom exercises/table top written tests for lo… (CP-4a., TX-RAMP Security Controls Baseline Level 2)