How to perform business continuity exercising and testing according to ISO 22301

Exercising and testing of business continuity plans is quite a controversial topic – some people say that it costs too much, while others maintain that it has no purpose because they cannot perform the full testing, anyway.

Well, both of these might be true, but the fact is: without exercising and testing, your company would never be able to survive a real disaster.

The purpose of exercising and testing

One of the main differences between information security and business continuity is that smaller incidents related to security of information do happen, and once they do, they offer an excellent opportunity to learn where the system was lacking and how to react better the next time. Luckily, disruptive incidents do not happen so often, but sadly, this means there is usually no opportunity for improving the business continuity.

What does this mean? This means your business continuity plans are wrong – no matter how well you try to write them, it is simply impossible to foresee everything up front. This is where exercising and testing fill the gap: their primary purpose is to simulate a (more or less) realistic situation in order to find what doesn’t work in your business continuity. In other words, when you lack real incidents, you create simulated ones to be able to improve your plans.


Ways of performing exercising and testing

If you thought that your testing must include the unannounced shutdown of power, you were wrong – this is only one of the methods available, and certainly not the first one to be performed.

Essentially, these are the methods that can be used for exercising and testing (starting from simpler to more complex):

  • Orientation seminar – basically, this is more of a training where the details of the plans are explained to all participants; conducted with all necessary employees, suppliers, and the moderator.
  • Desk check – checking the plans by means of auditing, validation, and verification techniques; conducted with plan author and moderator.
  • Plan walkthrough – checking the plans by means of team interaction; conducted with the main plan participants and the moderator, whose interaction is tested in a joint meeting.
  • Functional testing – testing all interrelated plans for selected activities (including supplier procedures) with real resources in a controlled (announced) exercise; all necessary employees, suppliers, the moderator and observers take part.
  • Full testing – all activities are relocated from the original site to the alternative site (announced or unannounced); all necessary employees, suppliers, the moderator, observers, and auditors take part.

As a rule of thumb, you should begin with the easiest method, and each year you should take a step forward and go with the more difficult method.

How to prepare

Since exercising and testing are extremely important, and might influence the daily operations of your company, the decisions about the method, scope, objectives, and timing should be made by the top management. Of course, before you make such a proposal to your top management, you should consult the department heads about these topics, especially the head of the IT department.

Also, your management must decide how often the exercising and testing are performed – usually this is once a year, but it has to be more often if some bigger changes have happened – e.g., new technology was implemented, new processes or products were offered, etc. You must take care that, in time, the whole BCMS scope is being tested and exercised, including the interested parties.

Who to include

The preparation and coordination of exercising and testing is usually done by the person who is in charge of the business continuity. Normally, all the employees from the departments that are included in the exercising and testing should take part in it.

The Business continuity coordinator should prepare the Testing and exercising plan where, amongst other things, he would define all the objectives for the testing – e.g., it should show whether the activities would be recovered within the recovery time objective (RTO), whether all the employees know their roles, etc.

Once the exercising and testing is performed, the person who coordinates business continuity must review the results and compare them with the objectives that were set, and report about them to the top management.

Is there an alternative?

So yes, exercising and testing cost money (but very often not as much money as you would have imagined); and yes, in most cases you wouldn’t be able to perform the full testing (but you will be able to test all the parts of business continuity separately).

But, is there an alternative to find out what is not working? No, there isn’t. This is the only way to avoid nasty surprises in a situation where you will have enough surprises already.

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.

Author: Dejan Kosutic