Establish, implement, and maintain a continuity test plan.


CONTROL ID
04896
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity plan testing program., CC ID: 14829

This Control has the following implementation support Control(s):
  • Include success criteria for testing the plan in the continuity test plan., CC ID: 14877
  • Include recovery procedures in the continuity test plan., CC ID: 14876
  • Include test scripts in the continuity test plan., CC ID: 14875
  • Include test objectives and scope of testing in the continuity test plan., CC ID: 14874
  • Include escalation procedures in the continuity test plan, as necessary., CC ID: 14400
  • Include the succession plan in the continuity test plan, as necessary., CC ID: 14401
  • Include contact information in the continuity test plan., CC ID: 14399
  • Include testing all system components in the continuity test plan., CC ID: 13508
  • Include test scenarios in the continuity test plan., CC ID: 13506
  • Include test dates or test frequency in the continuity test plan, as necessary., CC ID: 13243


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs are expected to conduct testing of their BCP at least annually. Senior management should participate in the annual testing and be aware of what they are personally required to do in the event of their BCP being invoked. In addition, both recovery and alternate personnel should participate in pla… (6.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Formal testing documentation (including testing plan, testing scenarios, testing procedures and testing results) should be produced to ensure thoroughness and effectiveness of testing. Specifically, a post mortem review report should be prepared at the completion of the testing for formal sign-off b… (6.1.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • It is important that the success criteria for the testing of resilience and recovery are clearly defined, including the circumstances under which re-testing would be required. Test results and associated follow-up actions are typically formally tracked and reported. (Attachment B ¶ 10, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • are planned, formalised and documented, and the test results used to strengthen the effectiveness of the ICT availability and continuity solutions; (Title 3 3.3.4(a) 54.c(i), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • define success criteria for the transition of outsourced functions and data; and (4.15 108(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recove… (DS4.2 IT Continuity Plans, CobiT, Version 4.1)
  • The rehearsal plan should contain who is responsible for control and coordination; what the objectives are and the criteria for success; the rehearsal plan and schedule; a reversion plan to restore the system back to live service; a briefing for all participants; how the tests will be coordinated an… (§ 9.7.1, § 9.7.2, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • This section is a table that includes the types of exercises and gives a description of the test and provides test objectives. (§ 5.8.A, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The creation of exercises to test the plan in advance. (4.11, Pandemic Response Planning Policy)
  • are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates. (§ 8.5 ¶ 2 g), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Do the Business Continuity Plan failover test scenarios contain fail-over across critical vendors? (§ V.1.67.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • App A § 6.3: Management shall decide on the type and scope of testing to accomplish based on the risks and costs. App A § 6.4: The organization shall use the criticality of the system to decide what type of testing to use, how often to test, and how thoroughly to test. The decision shall be a mana… (App A § 6.3, App A § 6.4, App A § 6.5 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. (§ 164.308(a)(7)(ii)(D), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Primary data centers and operations facilities that are completely inoperable without notice; (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 7 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Detailed schedules to complete each test; and (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, inc… (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Types of exercises (e.g., full scale, limited scale, or tabletop) and tests. (VII Action Summary ¶ 2 Bullet 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Exercises and tests related to interaction with third parties, industry-wide testing, and core and significant firms. (VII Action Summary ¶ 2 Bullet 9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Audit monitoring of exercises and tests, reviewing test plans and results, and verifying that any issues are identified and appropriately escalated. (App A Objective 3:5e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Board expectations for overall business continuity capabilities, including guidelines to achieve defined business continuity objectives. (VII Action Summary ¶ 2 Bullet 11, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Designing and implementing a business continuity exercise strategy. (App A Objective 2:5e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management developed a process that is sufficiently robust to confirm the effectiveness of the entity's business continuity program. Therefore, the exercise program should incorporate the following: (App A Objective 10:7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that exercise and test scripts document the procedures for executing the exercise or test, which may include: (App A Objective 10:14, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management established exercise and test plans, commensurate with the nature, scale, and complexity of the recovery objectives that address the objectives and expectations of the exercise or test and outline the scenario and any assumptions or constraints that may exist. Verify whe… (App A Objective 10:12, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Specific descriptions of objectives and methods. (App A Objective 10:12d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Primary data centers and operations facilities that are completely inoperable without notice. (App A Objective 10:25a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Organizations are required to adequately mitigate the risk arising from use of information and information systems in the execution of mission/business processes. The challenge for organizations is in implementing the right set of security controls. Guided by the RMF and in accordance with FIPS 199 … (§ 3.4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Organizations should conduct TT&E events periodically, following organizational or system changes, or the issuance of new TT&E guidance, or as otherwise needed. Execution of TT&E events assists organizations in determining the plan's effectiveness, and that all personnel know what their roles are in… (§ 3.5 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Testing scope; and (§ 3.6 ¶ 5 Bullet 11, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • To derive the most value from the test, the ISCP Coordinator should develop a test plan designed to examine the selected element(s) against explicit test objectives and success criteria. The use of test objectives and success criteria enable the effectiveness of each system element and the overall p… (§ 3.5.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))