
Include test dates or test frequency in the continuity test plan, as necessary.


CONTROL ID: 13243
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity test plan. (CC ID: 04896)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions. (Art. 24.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • are performed at planned intervals and when there are significant changes within the organization or the context in which it operates. (§ 8.5 ¶ 2 g), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Test event dates and time stamps; (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Provisions for exercises and tests occurring at appropriate intervals and when significant changes affect the entity's operating environment. (VII Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Minimum frequency, scope, and reporting. (App A Objective 10:8b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • A consolidated exercise and test schedule that encompasses all objectives. (App A Objective 10:12c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Exercise and testing schedules; (§ 3.1 ¶ 1 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Alternate site contract, including testing times; (§ 3.6 ¶ 5 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Backup media should be stored offsite in a secure, environmentally controlled location. When selecting the offsite location, hours of the location, ease of accessibility to backup media, physical storage limitations, and the contract terms should be taken into account. The ISCP Coordinator should re… (§ 5.1.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • To derive the most value from the test, the ISCP Coordinator should develop a test plan designed to examine the selected element(s) against explicit test objectives and success criteria. The use of test objectives and success criteria enable the effectiveness of each system element and the overall p… (§ 3.5.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))