Understanding the Succession Planning Process
The process by which you train and prepare employees to fill crucial roles within an organization is known as succession planning. This process ensures that the business continues its day-to-day operations as usual. This article will highlight the steps in the succession planning process.
No matter the type or size of your organization, succession planning is essential to continue to have your business run smoothly upon your departure. It’s important to identify your successor well in advance so that they may be properly trained for the role. This training may occur years in advance of the anticipated exit from the company. You may identify someone who needs to start at a lower position within the company and work their way up through the ranks to achieve a thorough training and knowledge base or you may have to cross-train them for several different roles.
Identify the Positions Needing Successors
Although succession planning usually refers to high-leadership roles in a company, it can apply to other roles as well. One of the first steps in this process is to recognize which roles within your company will need a successor if the current employee leaves. You’ll want to analyze which positions impact the revenue or growth of the company. This profit could be compromised if a successor is not put into place.
Informing Key Players
You’ll want to have a discussion with all the key players, those currently in a role identified as needing a successor and those who you would like to groom to take the role over. You should make sure that everyone is agreeable and on the same page. The current employee should be willing to train their successor so that a seamless transition can take place once the time comes. The person identified as the successor should be motivated to learn the role they will step into one day and a timeline should be established. Typically these identified successors feel an increase of pride and a greater investment in the company, according to The Balance website.
Internal vs. External Successors
Identifying an internal successor has multiple benefits. They know the company’s culture, have a sense of loyalty from currently working there and have been through the basic training program. In addition, they know colleagues internally and may also know some of the external clients as well. In cases where a suitable internal employee can’t be identified, an external one may have to be. This will entail more effort and time to be invested in finding and training a suitable candidate.
Succession Planning Benefit
Succession planning is a key necessity in running an efficient business. You want to have a plan for the future of the company, and identifying and training successors to step into key roles will ensure that your organization doesn’t miss a beat.
What is BCP testing?
Published on November 15, 2022
Business continuity planning is only half the battle. An effective business continuity strategy must be effective in multiple scenarios and for various uncontrollable events.
You have put together a team responsible for crisis management and implementing your disaster recovery scenarios. To ensure business continuity, your key personnel must also ensure that these strategies have been tested and reviewed for effectiveness.
BCP testing involves a series of exercises and simulation tests to mimic the effects of the crisis. An effective testing approach must involve various scenarios so your team can handle any situation with ease. Your testing should encompass readiness for different BC incidents, whether a small-scale issue like a power outage or a large-scale event like a cyber attack or a natural disaster.
Why is it essential to conduct BCP testing?
As a business owner, a positive mindset can go a long way. But it isn't particularly helpful if you're conducting a risk management and assessment strategy. You need to anticipate, plan for, and mitigate risks before they occur. If you don't, the entire organization could crumble and your business continuity would be at risk.
Testing the business continuity plan (BCP) is a must when you are developing your operational resilience strategies. If you are not conducting BC plan testing, you have no way to ensure that the strategy you have in place is the best at managing your perceived risks and threats.
BCP testing enables you to achieve the following:
- Identify any gaps in your existing business continuity plan, develop ways to address them and take corrective actions to increase the plan's maturity.
- Identify interdependencies in various departments of your disaster recovery plan. You can use the test findings to develop a coordinated plan among department heads in the event of a disaster.
- Speed up your company's response to a crisis and ensure compliance requirements are met.
- Avoid having a damaged reputation because you can show your customers resilience during times of crisis.
- Ensure that your business continuity plan is current and updated. Take actionable findings from your business continuity plan testing to identify where improvements are needed.
As a business owner, you have the responsibility to assess your continuity plan and whether regular testing is needed to avoid revenue loss resulting from an inadequate plan.
How often should you perform testing on business continuity plans?
Many businesses perform an annual plan review while others do it every six months. There are no hard and fast rules on the frequency of performing business continuity plan testing. It depends on the unique circumstances and needs of your company, as well as the type and nature of risks.
One thing is definite, though: the more complex the plan is, the more it requires testing and review.
For example, a large multinational organization will require a more complex business continuity plan than a startup consisting of only five employees. The type of products or services offered by the company will also determine the complexity of the business continuity strategy and the subsequent business continuity tests to be done.
An extensive supply chain has more moving parts, and that requires the company to ensure all those parts are working efficiently. Any disruption to a critical component of the company can result in the business temporarily halting operations, or in inefficiencies in its operation.
Regulation is another factor that impacts the frequency of testing your business continuity plan. The healthcare and finance industries are two of the most highly regulated industries. If your company is part of this industry, you need to regularly conduct business continuity testing to ensure that you satisfy all the requirements for operation even during disruptive events.
The use of technological tools that automate business continuity plan testing is a smart investment for companies of all sizes. The automated review ensures that you don't have to perform regular manual testing of your business continuity strategy.
Why do companies fail to test their BCP?
In a nutshell, companies tend to realise how important business continuity planning is when disruptions have already affected their business. There are many factors and reasons why companies don't invest much time and effort in planning and testing, including:
Where time, effort and money have already been spent in the creation of a plan, businesses assume that the plan is and will always be effective.
Exercising will highlight assumptions such as whether all staff listed in the plan are available and able to complete their duties as required, whether access to required areas is prohibited for longer than anticipated, and whether all IT systems and applications will be restored within the expected timeframes with access to data as expected.
It is these knock-on effects that have to be addressed in exercising, by coming up with solutions and going on to further exercise these.
For example, carrying out regular checks of the company call tree allows a company to evaluate the response rate of staff members and verify telephone numbers. Communication is of ultimate importance during an incident, and, as we know, contact details can change at any time.
The crisis management team should then be able to use the plan effectively during an incident, and the individuals listed in the plan will be better equipped to respond to their assigned duties.
Secondly, where resources are sparse and time and personnel are vital, testing as a priority can get pushed down the list. Lack of commitment, budgets, complacency and buy-in can lead to any scheduled testing getting shelved. These will put your business resilience at risk.
Experience shows that untested plans have a greater likelihood of failure, resulting in lost revenue, damage to reputation and impeded customer fulfilment.
As vital as testing is to the success of BCM, you must however not put the business at risk through the process of testing. As this activity can be time and resource heavy, it can be a complex process which is costly to an organisation of any size. Taking people out of their jobs at critical times, highlighted in your BIA, can be expensive and unnecessary. Good testing should have focus and planning to avoid this.
Another way in which a lack of exercise and testing can negatively affect a business is the relationship these activities have with compliance. To fulfil the requirements outlined within the official ISO standard for Business Continuity, ISO 22301, exercising and testing must be conducted at regular intervals by an organisation, which must then evaluate and record the findings of these events to continually improve and update its BCMS.
The standard is focused around the 'Plan-do-check-act' management model, and in this case testing and exercising fall into the 'check' step of the model, which ISO defines as 'to monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement'.
An organisation must therefore conduct these activities regularly if it wishes to certify against, or even align with, these standards, as it certainly will not succeed in doing so otherwise.
How to Perform BCP Testing
BCP testing should be able to provide you with confidence and validation that the BC and crisis management plans & strategies are feasible, and that all team members and staff are familiar with and understand their roles in the BC process.
Good testing should be focused and varied. There are various ways to test your business continuity plan. Make sure you use all of these methods so you can address various areas of your continuity plan and keep it updated.
The first tier of business continuity plan testing is the tabletop exercise. This testing method involves presenting specific disaster situations and evaluating how your crisis response team deals with these scenarios. The goal of this test is to identify any gaps that were not previously addressed.
To conduct the tabletop test, you must identify a realistic threat to the organization. Make sure that this threat is relevant to your industry or organization. Identify your continuity objectives for performing the tabletop test and create a schedule for how and when it will be conducted.
Use whatever information you obtain in the test, such as strengths and weaknesses, to create a successful continuity plan.
A plan review is like an audit of your business continuity plan details. It involves the business continuity team, department heads, and C-level management. They will take an in-depth look at the plan details to see if any areas need revision or if there are missing components.
The plan review is crucial for managers as they will be responsible for passing on this information to the rest of the employees. It's also a good opportunity to update the contact information of the BCP team as part of the emergency communication strategy.
It is also a type of test that is important if you have new employees. It should be included as part of their onboarding or training.
A structured or walk-through exercise is another example of a test that you can use for the continuity plan. Unlike the tabletop test, this one is more active. It specifically deals with disaster recovery functions, such as restoring backup systems for data loss, verification of redundant systems, and addressing various mission-critical functions.
The walk-through test will involve the critical personnel who are part of your business continuity team. These personnel will discuss the plan details and designate roles for responding to a real-world disaster and the most disruptive events.
The full simulation test is another method of testing your continuity plan details. This test must be performed to mimic the effects of a real disaster or disruptive event. You can also conduct a single-team simulation as part of testing a specific team's capacity to respond to specific disaster recovery scenarios.
A full-scale exercise is ideally done at full capacity; this means all of your employees and critical personnel are involved in the test. Make sure you undergo the previous exercises before you move on to the full-scale exercise.
Tips for keeping BCP current
Testing your business continuity plan ensures that it fits your organization's needs. It also minimizes the impact of multiple scenarios and disruptive events on the critical component of continuity.
The test findings should then be used to update your existing continuity plans to ensure that they remain relevant even as the circumstances affecting your company change. The industry and the conditions it operates in are constantly changing. You have to develop a methodical and systematic review of your continuity plans to meet your specific needs and enable faster recovery.
The following tips will enable you to come up with actionable findings that ensure your continuity planning is relevant and accurate.
Regular testing is a must
Regular tests are important if you want your business continuity planning to succeed. Things are constantly changing in the business landscape. There are known threats to your company and there are also new threats that emerge. Some of the things that were not previously a threat to your business's existence might become a significant factor that can lead to revenue loss or damaged reputation.
You need to conduct testing to be able to gather the critical information and plan for how you can prepare for these different scenarios.
Internal communication is key
Communicating the overall risk and benefits that can come from an effective exercise and testing programme should be key to aid buy-in, support and uptake.
Making sure departmental awareness training is up-to-date is vital and makes testing more worthwhile. If an incident does occur and those listed in the plan have been trained and had their roles communicated effectively, then there is a greater chance of executing the plan successfully.
Integrate your business continuity planning with your Business Impact Analysis (BIA)
The most effective and updated continuity plans are those that accurately measure the scale of a disastrous event's impact on your company and its revenue potential.
Test your vendor's continuity plan
This approach is critical if your business relies on an effective supply chain management system. You need to ensure your vendor's success as it is also critical to your business success. It's a good idea to conduct facilitated discussions with critical vendors as they are an integral part of your continuity.
The Bottom Line
A business continuity plan provides your organization with a blueprint for what steps to take in the event of a disaster. However, continuity planning is only as good as it fits the purpose. BCP testing is one of the ways that you can evaluate if the current plans and measures are aligned with your goals and needs.
Creating the business continuity plan is only the first step. You have more work to do in terms of testing and reviewing the results to ensure that it's doing its job in protecting your company from disruptive events, and enabling you to stay open.
An effective business continuity plan will help your business get through any operational downtime. Utilising a tool or software to assist in your BCP planning, including your testing and exercises can significantly improve your processes and simplify things for everyone involved.
Benefits of using web-based software to aid your Business continuity plan testing
At Continuity2, the Exercising module creates the exercise types according to your specific organisational needs, schedules the test, invites the relevant employees by email, defines the aims of the exercise, and communicates the details to the participants.
Once completed, the software reports on the observations of the exercise and records recommendations and actions raised as a result of the exercise. All reports are distributed and signed off via the software and held within the system for Audit purposes.
Exercises are created and calendared via a simple-to-use interface where all of the exercises for an entire organisation can be planned and communicated easily, e.g. 15 minutes to plan and document an exercise and 20 minutes to report on the exercise after completion. Post-exercise reports are automatically produced by the system. Actions to improve are automatically captured in the system's action tracking module and included as part of the corrective action or continuous improvement function if desired.
Written by Aimee Quinn
Resilience Manager at Continuity2
With an Honours degree in Risk Management from Glasgow Caledonian University and 6+ years in Business Risk and Resilience, Aimee looks after the design and implementation of Business Continuity Management Systems (BCMS) across all clients. From carrying out successful software deployments to achieving ISO 22301, Aimee helps make companies more resilient and their lives easier in the long run.
Four Steps to Better Business Continuity Plan Testing
Business continuity planning is a process that is vital to your organization. There is always the possibility that your organization’s critical business processes could be negatively affected for reasons that are often beyond your control, so it's best to be prepared. If a disruption occurs, it’s essential that your organization has a plan to address any potential issues and ensure that your organization can still serve your customers.
However, if you’ve never enacted your plan, it’s hard to be confident that your plan will be sufficient. Testing your business continuity plan (BCP) helps to continuously improve your ability to recover successfully from various scenarios, whether it be a natural disaster or a communications failure. The good news is that there’s not just one way to test your BCP. Here are four steps to help you build a better business continuity plan testing program and ensure you are prepared for any situation that may come your way.
The first step to better BCP testing is to incorporate different testing methods. You can utilize various methods to test the usability and effectiveness of your business continuity plan. Some of the possible test methods provided by the FFIEC include:
- Tabletop Exercise: A tabletop exercise (sometimes referred to as a walk-through) is a discussion during which personnel review their BCP-defined roles and discuss their responses during an adverse event simulation. The goal of a tabletop exercise is to determine whether targeted plans and procedures are reasonable, personnel understand their responsibilities, and different departmental or business unit plans are compatible with each other.
- Limited-Scale Exercise: A limited-scale exercise is a simulation involving applicable resources (personnel and systems) to recover targeted business processes. The goal of a limited-scale exercise is to determine whether targeted systems can be recovered and whether personnel understand their responsibilities as defined in the plan.
- Full-Scale Exercise: A full-scale exercise simulates full use of available resources (personnel and systems) prompting a full recovery of business processes. The goal of a full-scale exercise is to determine whether all critical systems can be recovered at the alternate processing site and whether personnel can implement the procedures defined in the BCP. For example, a full-recovery exercise might simulate the complete loss of primary facilities.
Step two is to understand how often to test. Although there is no hard-and-fast standard for determining how often to test your business continuity plan, some general guidelines are typically recommended. Note that each of these timeframes will depend on your organization’s industry, size, personnel, available resources, and current BCP maturity levels. Don’t take these timelines as gospel, as they are strictly that: guidelines.
SBS recommends reviewing each of your emergency preparedness plans (business continuity, disaster recovery, incident response, and pandemic preparedness) throughout the course of a given year. Testing would typically include an annual tabletop test of all four individual EPP plans, testing multiple scenarios for threats you identify as a higher risk to your organization. Be sure to test the scenarios you believe to be the highest risk to your organization most frequently. You can use your business continuity risk assessment to help identify which threats are particularly impactful/probable to the organization.
Additionally, a limited-scale exercise is recommended at least annually, but such a test is largely dependent on the size and complexity of your organization and the maturity of your failover procedures. For example, if your organization’s goal is to have a fully-functional failover DR backup site, but you have not yet achieved full-failover mirroring and backups, implementing this complex backup process and testing to ensure everything works correctly from failover to failback may take years to achieve. In comparison, testing file-level restores from nightly backups is something any organization can do quickly and frequently today.
However, if your organization has any significant changes in processes, systems, or plan details, you may want to perform these tests more frequently. To reiterate, these timelines are highly dependent on your organization; it may not be feasible or logical to perform some of these tests at a particular frequency. Base this decision on your organization and its specific needs.
If you are looking for somewhere to start and what should be prioritized for testing, refer to your business impact analysis. This is an excellent way to not only identify your most critical processes, but also the assets/systems you rely on the most. Systems that you require to keep your most critical processes functioning should be tested more frequently, allowing you to validate proper recoverability and the timeframes of that recovery. Most organizations benefit greatly by having a testing schedule documenting their plans. This allows for a strategic approach to testing involving the organization's processes, systems, and vendors deemed necessary.
Including your vendors is the next step in improving your BCP testing. In the course of your testing cycle (whether a tabletop test, limited-scale exercise, or full-scale exercise), you’ll want to ensure your critical vendor partners are included in the testing process to whatever extent possible. Involving your vendors in this process not only allows you to test to a greater degree of accuracy and usability but also allows your vendors a chance to provide feedback that may be valuable to your plans or testing process.
Finally, step four is to document your testing. Be sure to document the results of any testing performed, along with any actionable findings from those tests. Following up on these items and incorporating recommendations resulting from tests is the most important process in the BCP testing lifecycle. Testing, documenting the results of your testing, and implementing processes to improve your BCP is the best way to strengthen your organization’s response processes.
Resources and Testing Options
Numerous additional resources that your organization may use or participate in to continue maturing your BCP testing program are widely available. Here is a list of organizations and resources to help you perform such testing on your own organization’s BCP:
- FS-ISAC (Financial Services Information Sharing and Analysis Center) Exercises - https://www.fsisac.com/Exercises: A range of exercises, performed throughout the year, in which your organization can register and participate, including simulated cyber-attacks on payment and insurance systems, cyber-range, and regional exercises.
- US-CERT (United States Computer Emergency Readiness Team) - https://www.us-cert.gov/ccubedvp/business: A suite of resources focused on cybersecurity resilience and BCP testing resources.
- FDIC Cyber Challenge - https://sbscyber.com/resources/fdic-resource-a-community-bank-cyber-exercise: A set of vignettes created to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.
- Department of Homeland Security/FEMA Business Continuity Planning Suite - https://www.ready.gov/business-continuity-planning-suite: Video training series focusing on BCP basics, why a BCP is important, and best practices on generating and updating a BCP.
- FEMA (Federal Emergency Management Agency) Independent Study Courses - https://training.fema.gov/is/crslist.aspx: Free courses provided by FEMA covering a wide range of topics, including DR response (fires/flooding/earthquake/tornado), pandemic response, effective communication, damage assessment, and more. FEMA also maintains Emergency Planning Exercises and free downloadable tabletop exercises at https://www.fema.gov/emergency-planning-exercises.
- BCM (ffiec.gov)
Updated by: Cole Ponto Senior Information Security Consultant - SBS CyberSecurity, LLC
Testing, testing: how to test your business continuity plan
Disruptions are by their nature unexpected, but your organisation’s response to hitting pause on normal business operations doesn’t have to be equally unexpected.
A comprehensive business continuity plan maps out every stage of your business’ response to relevant risks that could affect business-as-usual. This could be a powercut, a cyber-attack or a supply failure. Whatever the disruption, the right continuity plan can ensure that your business minimises downtime and recovers as quickly as possible, reducing the risk of lost revenue or reputation.
However, even the most detailed plan can become ineffective if it is not regularly tested. Businesses rarely stand still, and this means your plan may have to adapt to new circumstances. Lack of knowledge, communication and practice can also compromise your business’ response, which could extend your recovery.
So, how should you test your business continuity plan, and how often should it be put in practice?
How often should a business continuity plan be tested?
There is no hard and fast rule that governs how often your business should test its plan.
It really depends on the complexity of your business and the number, scale and likelihood of the risks it faces. These should be identified as part of a Business Impact Assessment (BIA), which will inform your business’ response.
If your business has high risks for revenue loss, a damaged reputation or the possibility of lengthy downtime, then testing should be carried out more regularly and more areas of the plan should be tested.
The regularity of the testing is also dependent on the type of test being performed.
How can a business continuity plan be tested?
There are three main ways of testing your business continuity plan: checklist or walkthrough exercises, desktop scenarios or simulations.
Checklist or walkthrough exercises
A checklist or walkthrough exercise is one of the easiest forms of test. It consists of a desktop exercise in which senior managers determine if the plan remains current by checking off or ‘walking through’ each step.
When going through the plan they should also ask key questions, such as: does the business have the right supplies to cope? Do key personnel know where copies of the plan are? Do key personnel know what their roles are?
To make this test as valuable as possible, an emphasis must be placed on any weak areas. The mission is not to find fault or assign blame, but to promote improvement, which will make your plan more effective if the worst should happen.
A desktop scenario test is a little more specific than the checklist. Using a scenario relevant to the business, this test can help you to establish all the processes of your business’ response to a specific disruption. For example, you can check the processes of your plan in the event of sudden data loss.
Simulations are full re-enactments of business continuity procedures and could involve most, if not all, of your workforce. They also tend to take place on site in the relevant business areas.
In this test, each employee involved will need to physically demonstrate the steps needed in order to react to the disruption and recover from it. This could involve driving to a back-up location, making phone calls, completing communication templates or visiting server rooms. These kinds of tests are good for establishing staff safety, asset management, leadership response, relocation protocols and any loss recovery procedures.
Due to the large scale of a full simulation, these kinds of tests may be limited to annual occurrences. They may also need to be moved to quieter business days or even non-operational days so that disruption to normal work is minimised.
Organising a test
Before beginning a test, you will need to set out a clear objective as well as define exactly what is being tested. For example, you may want to check your continuity plans in the event of a power outage.
For a desktop exercise, you need to ensure that key personnel or top management are available to participate. A venue also needs to be arranged, but this doesn’t necessarily have to be in a key location unless you are planning a simulation.
Before the test, circulate the testing plan along with the objective to everyone involved. This team should also familiarise themselves with the current business continuity plan.
Assign some people within the team to record the test’s performance and any shortcomings that are identified. After the test, feedback should also be sought. These findings then need to be formally recorded and used to update the business continuity plan. Once finalised, the revised plan should be shared among the workforce.
Remember that testing a business continuity plan is not about passing or failing – it is about improving processes to give your business the best possible chance of dealing with disruption. Regular testing asserts the effectiveness of your processes, trains your staff in what to do for faster, more confident responses and highlights areas that need strengthening.
Solution for disruption
Business continuity plans give your business a blueprint for disruption survival, but only if they are fit for purpose.
An internationally recognised mark of best practice, ISO 22301 will enable you to implement, maintain and improve a business continuity management system, which will support your business before, during and after disruption.
To find out more, visit our dedicated webpage for ISO 22301.
About the author
Content Marketing Executive
Claire worked for Citation ISO Certification between 2020 and 2022 writing creative and informative content on ISO certification and consultation to help businesses reach their potential.
Testing The Business Continuity Plan
Published on: 06 Aug 2020
A Business Continuity Plan (BCP) is a set of recovery and prevention systems that an organization uses to deal with an incident that could severely hamper business operations. There is always a possibility that an organization’s critical business processes come to a standstill because of an unforeseen event beyond its control. To deal with such incidents, it is best to be prepared for the worst. Organizations should have a recovery plan in place to ensure minimal impact on, or disruption of, business operations and client servicing. However, simply creating a Business Continuity Plan will not protect the business. Organizations need a solid BCP strategy that is not just well laid out but also effective in implementation. So, once an organization develops a Business Continuity Plan, it is crucial to test its effectiveness. Testing the plan verifies the effectiveness of the strategy in place and trains responsible personnel for the real scenario. Moreover, the test helps identify areas of concern where the plan needs to be strengthened.
Objective of Testing a Business Continuity Plan
Testing a BCP strategy is not just about passing or failing, but about ensuring constant improvement in the strategy implemented. Here are some reasons why running a strategic test is essential for an organization:
- Identifying gaps and weaknesses in your Business Continuity Plan.
- Validating and improving the BCP strategy.
- Keeping your whole BCP strategy up to date.
- Confirming that your continuity objectives are met.
- Evaluating the company’s response to various incidents.
- Improving systems and processes based on test findings.
- Demonstrating to your clients a higher degree of commitment.
- Satisfying compliance and regulatory requirements.
- Helping reduce recovery time and cost.
Without testing the plan, one may put their business and stakeholders at great risk.
How often should the company test its BCP?
While there is no hard-and-fast rule for determining how often an organization should test its Business Continuity Plan, there are certain guidelines that should be followed to ensure its effectiveness. How often established plans such as Disaster Recovery, Incident Recovery and Risk Management programs are reviewed depends on the threat scenarios that your organization identifies as high-risk and expects to occur frequently. While the number of tests to be conducted depends on the industry background, size and complexity, available resources and BCP maturity level, it is recommended that tests are conducted twice a year for critical processes, and at least once a year in any case. In some cases it may not be feasible or logical to perform some of the tests frequently, so we suggest organizations base their decision on their needs. Moreover, if your organization undergoes major changes in its processes, systems or plan details, you may have to consider testing more frequently.
Testing your Business Continuity Plan
Once the organization develops an initial version of the BCP, the entire team responsible should review the plan. All members should examine the plan in detail and attempt to identify inconsistencies or issues that may have been overlooked during development. The review should involve higher-level management and department heads, who analyze and discuss potential improvements and ensure that contact information and recovery contracts are in place. The team should conduct a review at least quarterly to ensure the plan remains effective. The focus of the review should be on identifying weak areas and implementing measures to strengthen them.
Incorporating different testing methods
1. Tabletop Exercise/Test:
A Tabletop Test is a scenario-based role-play exercise conducted to discuss concrete plans for managing a simulated emergency systematically. The basic objective of the test is to ensure that all personnel responsible for actionable measures are aware of the relevant processes and procedures in the BCP. The test typically involves discussion of one or more disaster scenarios, during which the potential response and procedures are reviewed and the team confirms that the responsibilities outlined are appropriately handled by the people concerned. This helps organizations identify shortcomings in their processes and drives improvement.
2. Walk-Through Drill/Simulation Test:
A Walk-Through Drill/Simulation Test is a more practical version of the tabletop exercise. The test goes beyond talking about the process and actually has the team carry out the recovery process. So, while a Tabletop Test involves sitting around a table discussing plan details, the Walk-Through/Simulation Test involves the team responding to a pretend disaster and acting as directed by the BCP. This would include restoring backups, live testing of redundant systems and implementing other relevant processes. The test validates the response, processes, systems and resource mobilization.
3. Full Recovery Test:
A Full Recovery Test involves the complete process of practically bringing up the backup systems and processing transactions or data, treating the simulation as a real-life disaster. It is a functional test that checks how quickly a system can recover after a crash or failure. The test ensures that live and backup systems can run in conjunction, assuring a hassle-free transition of operations to your backup systems in case of a sudden system failure or crash. Organizations should review the effectiveness of their system recovery every time they release or upgrade their systems. Ideally, organizations should conduct BCP drills once or twice a year, including recovery testing, to make sure everyone involved is aware of their roles and responsibilities and to ensure smooth functioning of critical business operations when there is a failure or disaster.
During BCP testing, organizations should ensure their critical vendor partners are included in the process as much as possible. This not only improves the accuracy of the testing but also lets your organization get valuable feedback from vendors on the current Business Continuity Plan and testing process, along with possible suggestions for improvement.
Post Test Report
Finally, the organization should document the results of the tests conducted with actionable findings of those tests. This is the most important part of the BCP testing process. The document should also have recommendations detailing key actions/ measures to be taken for improvement and building resilience. It should also contain considerations for the next annual/six-monthly reviews of your Business Continuity Planning.
Post-Test Actionable Measures
- The team involved in the BCP should diligently review the test findings.
- Take necessary measures and assign responsibilities for open action items.
- Update and distribute the written plan to concerned members.
- Identify and list out items for consideration in the next annual/six-monthly tests.
How can VISTA InfoSec help Organizations with BCP?
Organizations are constantly under threat of damage or disruption caused by unforeseen events. Implementing actionable measures to limit the impact of an unexpected incident is extremely challenging. So, to help organizations build an effective Business Continuity Plan and ensure it works, we at VISTA InfoSec offer advisory services based on our years of industry experience and knowledge of standards for Business Continuity Planning such as ISO 22301. VISTA InfoSec has been a part of the Information Security industry for the past 16 years. Knowing the ins and outs of the industry makes our team highly proficient and capable of assisting clients with their Business Continuity Plans. Our integrated solutions and advisory services help businesses develop a solid BCP that stands the test of time and helps clients recover quickly from an incident. Our testing and training programs help create awareness and enable organizations to deal with incidents efficiently. Our BCP services include:
Prior to an Incident – Our team helps organizations manage and develop emergency action plans, and provides training with supporting expert content for guidance.
During an Incident – If an incident occurs, our team helps the organization recover faster by providing the assistance needed to implement its Disaster Recovery plan and incident management plan, along with testing, office space and suggestions for immediate remediation.
Post an Incident – Our team ensures quick recovery of your business, making it fully operational and preparing it to withstand the impact. We offer complete support and guidance throughout the process and ensure minimal impact and the least exposure to further vulnerabilities.
Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
Business continuity plan maintenance: How to review, test and update your BCP
We've written before about how all organizations need to have a robust business continuity plan. A comprehensive BCP gives your business assurance that it can continue operations, even in the event of an unexpected incident or full-blown crisis.
Putting in place a plan is the first stage in this process, but far from the only one. Business continuity plan maintenance, review and testing form equally vital steps in your business continuity strategy.
Is Business Continuity Plan Maintenance Important?
Those who were best prepared have shown themselves to be most resilient when it comes to facing the challenges of Covid-19. The pandemic has provided an all-too-live example of the need for a plan B. If ever there was a time to be confident in your business continuity strategy, it's now.
However, it's a mistake to think that creating a BCP is a one-time exercise; that once you've put your plan in place, you can sit back and breathe a sigh of relief. There's no room for complacency in business continuity: the threats you face are ever-changing, and the potential remedial actions need to evolve in tandem. Your business continuity plan might follow best-practice guidelines. You might be certified to ISO 22301 and have put in place the ideal team to manage your disaster planning and BCP strategy. But none of this compensates for a BCP that has grown stale, failing to move with the times when it comes to identifying the latest threats and using the newest approaches to tackle them. That's why reviewing, testing and updating your BCP is as vital as creating a plan in the first place.
Questions You Should Ask When Scheduling BCP Reviews and Drills
Your BCP needs to be a living document. Creating a BCP isn't a one-off; once you have put your plan in place, you should ask yourself the following questions:
- How often should a business continuity plan be reviewed?
- How often should a business continuity plan be tested?
- How often should a business continuity plan be updated?
Here we look at each of these questions and identify the best strategies for testing, updating and reviewing your plan.
The Importance of the Business Continuity Plan Review
Why is it important for the business continuity plan reports to be submitted and reviewed regularly? There are several reasons:
- The nature and severity of the threats you face may change
- Your business operations may have evolved, leading to, for instance, a larger number of entities or subsidiaries to consider in your planning, or new operating geographies. You may have taken your company public, which brings with it a range of new regulatory obligations
- Your personnel may have changed, so the people responsible for continuity planning may no longer be current
Your business continuity plan should be reviewed when any of these situations apply. How often you should review your plan is another question organizations often ask; cio.com recommends that you "bring key personnel together at least annually to review the plan and discuss any areas that must be modified."
Feedback from employees is essential in the review. Intentionally seek input from those involved in creating the plan and those involved in its execution. What can they tell you about changes to staff, operations or other factors that impact the plan? This is particularly important if you have numerous locations or remote operations where changes might not be immediately apparent to people sitting in a headquarters building. Ensuring your plan is based on comprehensive, accurate information about all your entities and subsidiaries, a "single source of truth" for your entire organization, is vital.
Putting in place a checklist is often a good strategy for any business review, and your BCP is no exception. Consider creating a business continuity plan review checklist to ensure you capture all the elements you need to consider. And of course, if you've been unfortunate enough to face a business continuity issue that forced the enactment of your plan, you can use the real-life experience you gained to finesse it. What worked well; what should be changed?
Business Continuity Plan Testing Considerations and Best Practices
Testing is an equally essential stage in ongoing BCP management. What should testing your business continuity plan look like? And at what stage of the business continuity lifecycle do we need to test the business continuity plan? Of course, the real test is an incident itself. But running business continuity drills gives you the reassurance that your plan is robust enough to face a real incident, and lets you determine this in a less pressured way than waiting for a real crisis.
Business Continuity Plan Testing Types
When it comes to types of business continuity plan testing, there are three main routes: a table-top exercise, a structured walk-through or full disaster simulation testing.
- Table-top or role-playing exercises allow everyone involved in the plan to go through it and identify any missing steps, inconsistencies or errors.
- A walk-through is a more in-depth test of your approach, with everyone involved examining their own responsibilities to spot any weak points.
- A full simulation of a possible disaster goes a step further, creating a scenario that mirrors an actual disaster to determine whether your plan enables you to maintain operations. It should include your internal team, alongside any vendors or relevant external partners like security or maintenance companies.
However you test your plan, it should be rigorous: CIO suggests that you "try to break it" to ensure that it's fit for purpose. And whatever route, or combination of approaches, you choose, you should carry out business continuity plan testing at least once a year.
How To Keep Your Business Continuity Plan Current
Of course, however comprehensive your reviews and testing, they're of no benefit if you don't act on the findings. Updating your BCP is the final stage in the business continuity plan maintenance lifecycle, taking on board the results of your walk-through or simulation and finessing your plan to adopt any improvements noted during your reviews and tests. How often should a business continuity plan be updated? Every time you identify any shortcomings, whether through your testing and reviewing regime or whenever errors or omissions come to light. What elements should you consider in an update? While all aspects of your plan are worth checking to ensure they remain current, some areas deserve singling out for special attention:
- Your contact list: To ensure you have up-to-date details of everyone you need to contact in the event of an incident.
- Your business entities and subsidiaries data: This forms the basis for your plan. Do you have an up-to-date picture of your organizational structure? Do you have accurate information on all your legal entities and critical functions?
- Challenge assumptions: Play devil's advocate to challenge your beliefs about incidents that could occur.
- Your technologies and systems: Including entity data management software, CRM systems and other IT systems central to supporting your operations.
Maintain Confidence in Your BCP
It's clear, then, that putting in place a BCP is only the first step. Reviewing, testing and updating your plan are all equally important stages. In other words, business continuity plan maintenance is crucial. Underpinning all of this is the need for reliable data on your organizational structure, people, systems and dependencies. Diligent's software suite can help you create the single source of truth you need to manage all your business entities effectively. Find out more by getting in touch with us for a no-obligation demo.
How to test your business continuity plan.
There are several business continuity management techniques that can help in planning and improve the availability of organizations’ critical business processes. Unfortunately, these methodologies usually contain only the theoretical foundations of business continuity and do not answer the main question: "How can you verify that your Business Continuity Plan will work when a real threat occurs?"
When thinking about security, businesses should assume that at some point things may get bad. That is why it is important to review and test business continuity planning (BCP) procedures on a regular basis, to ensure they meet current business needs and can operate during a disaster.
When creating a system for a customer, software development firms should always include instructions on how to respond to various scenarios. The trigger is not necessarily a hacker attack; it could be a problem with the cloud or something else. The recent situation with the COVID-19 outbreak showed that not every company is ready to continue its usual business operations remotely. Many companies were not sure how to connect to corporate networks, protect laptops, or encrypt hard drives. The situation could have been better if there had been a list of reference controls with the status of their implementation, indicating which ones are always on and which ones are enabled only in disaster recovery mode.
BCP Testing: Tabletop Exercise
One of the most effective ways of BCP testing is a tabletop exercise. This informal brainstorming session brings business leaders and other key employees together and should reflect real-life situations and attacks. When choosing scenarios for a business continuity tabletop exercise, the secret is to avoid including all possible threats, while making the chosen scenarios specific to your business.
It is important to pay attention to communication protocols, since in most disruptive events your employees need to know who should call whom and how. Alternative communication channels must be established prior to failure, tested for security and compliance, and known to employees. In the case of a disaster, it is possible to use backup telephone and audio-conferencing channels, Yammer groups, Teams groups, internal service health dashboards, and internal incident management software.
The tabletop scenarios can vary from "data center out of service" to "political conflict" and "office intrusion." Tabletop exercises can be customized to your organization’s needs, geography, and industry. Each team member focuses on response and recovery skills. They review their planned steps for each disaster scenario and identify possible weaknesses and ways to correct them. Afterward, the updated plan is circulated to the appropriate staff. At each stage of the tabletop exercise, several new employees are invited into the testing team to identify gaps that experienced team members may have missed. It is always a good idea to ask for employees’ feedback on the business continuity plan before conducting a review.
It is worth noting that the tabletop exercise for a business continuity plan should be actively supported by the company’s management. Unfortunately, that is not always the case. There are several arguments that can help motivate top management at a company to participate in testing:
- The test scenario should correspond to the level of the manager’s tasks. Such events include those affecting VIP clients, appearing in the media, a decrease in the company’s income, changes in legislation, and government decisions.
- Good preparation and good preliminary analysis are essential when testing with management. The scenario and behaviors must be realistic. In a real incident, information is never presented in its final form. The scenario should also be unexpected: for example, it is clear how to act in the event of a fire, but the response to a confidential data leak is less obvious. That means the second option should get more attention.
- Top management prefers facts and numbers. They will be interested in two types of stories: ones with negative outcomes for businesses that have not ensured business continuity, or facts about competitors that went out of business due to the lack of a well-tested plan.
- Finally, the approach "I will wait while others are fighting the crisis" is unacceptable for a leader. With this attitude, it is hard to expect enthusiasm or a good response from employees.
All in all, comprehensive business continuity scenarios help protect data, engage customers, and reduce overall operating costs. A well-tested business continuity plan minimizes downtime and improves corporate crisis management capabilities.
Copyright © 2023 DataArt