Establish, implement, and maintain a business continuity testing policy.


CONTROL ID
13235
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210

This Control has the following implementation support Control(s):
  • Include testing cycles and test scope in the business continuity testing policy., CC ID: 13236
  • Include documentation requirements in the business continuity testing policy., CC ID: 14377
  • Include reporting requirements in the business continuity testing policy., CC ID: 14397
  • Include test requirements for crisis management in the business continuity testing policy., CC ID: 13240
  • Include test requirements for support functions in the business continuity testing policy., CC ID: 13239
  • Include test requirements for business lines, as necessary, in the business continuity testing policy., CC ID: 13238
  • Include test requirements for the business continuity function in the business continuity testing policy., CC ID: 13237
  • Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy., CC ID: 13257
  • Include data recovery in the business continuity testing strategy., CC ID: 13262
  • Include testing critical applications in the business continuity testing strategy., CC ID: 13261
  • Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy., CC ID: 13265
  • Include reconciling transaction data in the business continuity testing strategy., CC ID: 13260
  • Include addressing telecommunications circuit diversity in the business continuity testing strategy., CC ID: 13252


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • For assurance on the functionality and effectiveness of its BCP plan, an institution should design and carry out regular, complete and meaningful BCP testing that is commensurate with the nature, scope and complexity of the outsourcing arrangement. For tests to be complete and meaningful, the instit… (5.7.3, Guidelines on Outsourcing)
  • be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans; and (3.7.4 89(b), Final Report EBA Guidelines on ICT and security risk management)
  • Without prejudice to such attestation, financial entities shall remain at all times fully responsible for the impact of the tests referred to in paragraph 4. (Art. 26.7. ¶ 2, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The board and senior management should provide for appropriate exercises and tests to verify that business continuity procedures support business continuity objectives. Exercises and tests should be used to validate one or more aspects of the entity's BCP. (VII Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Authorities and control over exercises and tests. (VII Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Exercise and test objectives for resilience, system monitoring, and the recovery of business processes and critical system components. (VII Action Summary ¶ 2 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the exercise and test policy is appropriate and includes the following: (App A Objective 10:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The financial institution's relationship with the RDC service provider and BCP assurance. (App A Tier 2 Objectives and Procedures N.13 Bullet 1 Sub-Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)