Involve auditors in reviewing and testing the business continuity program.
CONTROL ID
13211
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210

This Control has the following implementation support Control(s):
  • Evaluate the effectiveness of auditors reviewing and testing the business continuity program., CC ID: 13212
  • Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities., CC ID: 13218


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Backup media and restoration procedures must be tested with dedicated test media by qualified employees at regular intervals. The tests are designed in such a way that the reliability of the backup media and the restoration time can be audited with sufficient certainty. The tests are carried out by … (Section 5.6 RB-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Are internal audits conducted periodically to check that the BCMS is effective and conforms to both ISO 22301:2014 and the organization's requirements? (Performance evaluation ¶ 3, ISO 22301: Self-assessment questionnaire)
  • Guidance for auditors indicating that any review of the business continuity plan or enterprise architecture should assess whether they appropriately address the Pandemic Response Plan. (4.14, Pandemic Response Planning Policy)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the BCMS: (§ 9.2.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Audit participation in testing as an observer and as a reviewer of test plans and results; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the board and senior management engage audit or other independent review functions to review and validate the design and operating effectiveness of the BCM program. (II.B, "Audit") (App A Objective 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the board and senior management have engaged audit (or an independent review) to validate the design effectiveness of the business continuity program and whether controls are operating effectively. (App A Objective 3:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Independent review of business continuity program and exercises and tests (internal and external). (App A Objective 10:7j, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)