Involve auditors in reviewing and testing the business continuity program.
CONTROL ID 13211
CONTROL TYPE Testing
CLASSIFICATION Detective
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a business continuity program., CC ID: 13210
This Control has the following implementation support Control(s):
Evaluate the effectiveness of auditors reviewing and testing the business continuity program., CC ID: 13212
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities., CC ID: 13218
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Backup media and restoration procedures must be tested with dedicated test media by qualified employees at regular intervals. The tests are designed in such a way that the reliability of the backup media and the restoration time can be audited with sufficient certainty. The tests are carried out by … (Section 5.6 RB-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
Are internal audits conducted periodically to check that the BCMS is effective and conforms to both ISO 22301:2014 and the organization's requirements? (Performance evaluation ¶ 3, ISO 22301: Self-assessment questionnaire)
Guidance for auditors indicating that any review of the business continuity plan or enterprise architecture should assess whether they appropriately address the Pandemic Response Plan. (4.14, Pandemic Response Planning Policy)
The organization shall conduct internal audits at planned intervals to provide information on whether the BCMS: (§ 9.2.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
Audit participation in testing as an observer and as a reviewer of test plans and results; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
Determine whether the board and senior management engage audit or other independent review functions to review and validate the design and operating effectiveness of the BCM program. (II.B, "Audit") (App A Objective 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
Determine whether the board and senior management have engaged audit (or an independent review) to validate the design effectiveness of the business continuity program and whether controls are operating effectively. (App A Objective 3:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
Independent review of business continuity program and exercises and tests (internal and external). (App A Objective 10:7j, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)