{"id":4422,"date":"2015-02-02T20:18:50","date_gmt":"2015-02-02T20:18:50","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/015\/02\/02\/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301\/"},"modified":"2025-07-10T09:47:26","modified_gmt":"2025-07-10T09:47:26","slug":"how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2015\/02\/02\/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301\/","title":{"rendered":"How to perform business continuity exercising and testing according to ISO 22301"},"content":{"rendered":"<p>Exercising and testing of <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=business-continuity&amp;doc=business-continuity-plan\" target=\"_blank\" rel=\"noopener\">business continuity plans<\/a> is quite a controversial topic \u2013 some people say that it costs too much, while others maintain that it has no purpose because they cannot perform the full testing, anyway.<\/p>\n<p>Well, both of these might be true, but the fact is: without exercising and testing, your company would never be able to survive a real disaster.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">The purpose of exercising and testing<\/h2>\n<p>One of the main differences between information security and business continuity is that smaller incidents related to security of information do happen, and once they do, they offer an excellent opportunity to learn where the system was lacking and how to react better the next time. Luckily, disruptive incidents do not happen so often, but sadly, this means there is usually no opportunity for improving the business continuity.<\/p>\n<p>What does this mean? 
This means your business continuity plans\u00a0are wrong \u2013 no matter how well you try to write them, it is simply impossible to foresee everything up front. This is why a workaround is needed, and exercising and testing\u00a0fill this gap: their primary purpose is to simulate a (more or less) realistic situation in order to find what doesn\u2019t work in your business continuity. In other words, when you lack real incidents, you create simulated ones to be able to improve your plans.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Ways of performing exercising and testing<\/h2>\n<p>If you thought that your testing\u00a0must include the unannounced shutdown of power, you were wrong \u2013 this is only one of the methods available, and certainly not the first one to be performed.<\/p>\n<p>Essentially, these are the methods that can be used for exercising and testing\u00a0(starting from simpler to more complex):<\/p>\n<ul>\n<li><strong>Orientation seminar<\/strong> \u2013 basically, this is more of a training session\u00a0where the details of the plans are explained to all participants; conducted with all necessary employees, suppliers,\u00a0and the moderator.<\/li>\n<li><strong>Desk check<\/strong> \u2013 checking the plans by means of auditing, validation, and verification techniques; conducted with the plan author and the moderator.<\/li>\n<li><strong>Plan walkthrough<\/strong> \u2013 checking the plans by means of team interaction; conducted with the main plan participants and the moderator, whose interaction is tested in a joint meeting.<\/li>\n<li><strong>Functional testing<\/strong>\u00a0\u2013 testing\u00a0all interrelated plans for selected activities\u00a0(including supplier procedures) with real resources\u00a0in a controlled (announced) exercise; all 
necessary employees, suppliers, the moderator, and observers take part.<\/li>\n<li><strong>Full testing<\/strong>\u00a0\u2013 all activities\u00a0are relocated from the original site to the alternative site\u00a0(announced or unannounced); all necessary employees, suppliers, the moderator, observers, and auditors take part.<\/li>\n<\/ul>\n<p>As a rule of thumb, you should begin with the easiest method, and each year you should take a step forward and move on to the next, more difficult method.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">How to prepare<\/h2>\n<p>Since exercising and testing\u00a0are extremely important, and might influence the daily operations of your company, the decisions about the method, scope, objectives,\u00a0and timing should be made by the top management. Of course, before you make such a proposal to your top management, you should consult the department heads about these topics, especially the head of the IT department.<\/p>\n<p>Also, your management must decide how often the exercising and testing\u00a0are performed \u2013 usually this is once a year, but it has to be more often if bigger changes have occurred \u2013 e.g., new technology was implemented, new processes or products were offered, etc. You must ensure that, over time, the whole BCMS\u00a0scope\u00a0is tested and exercised, including the interested parties.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Who to include<\/h2>\n<p>The preparation and coordination of exercising and testing is usually done by the person who is in charge of the business continuity. 
Normally, all the employees from the departments that are included in the exercising and testing should take part in it.<\/p>\n<p>The business continuity coordinator should prepare the <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=business-continuity&amp;doc=exercising-and-testing-plan\" target=\"_blank\" rel=\"noopener\">Testing and exercising plan<\/a>\u00a0which, amongst other things, defines all the objectives for the testing \u2013 e.g., it should show whether the activities would be recovered within the recovery time objective (RTO), whether all the employees know their roles, etc.<\/p>\n<p>Once the exercising and testing\u00a0is performed, the person who coordinates business continuity must review the results, compare them with the objectives\u00a0that were set, and report on them to the top management.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Is there an alternative?<\/h2>\n<p>So yes, exercising and testing cost money (but very often not as much money as you would have imagined); and yes, in most cases you wouldn\u2019t be able to perform the full testing (but you will be able to test all the parts of business continuity separately).<\/p>\n<p>But is there an alternative way to find out what is not working? No, there isn\u2019t. 
This is the only way to avoid nasty surprises in a situation where you will have enough surprises already.<\/p>\n<p><em>To implement ISO 22301 easily and efficiently, use our<\/em>\u00a0<a href=\"https:\/\/advisera.com\/27001academy\/iso22301-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 22301 Documentation Toolkit<\/a>\u00a0<em>that provides step-by-step guidance and all documents for full ISO 22301 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exercising and testing of business continuity plans is quite a controversial topic \u2013 some people say that it costs too much, while others maintain that it has no purpose because they cannot perform the full testing, anyway. Well, both of these might be true, but the fact is: without exercising and testing, your company would &#8230;<\/p>\n","protected":false},"author":26,"featured_media":83010,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[378,380,489],"class_list":["post-4422","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-business-continuity","tag-iso-22301","tag-exercising-and-testing"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4422"}],"version-history":[{"count":3,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4422\/revisions"}],"predecessor-version":[{"id":104347,"href":"https:\/\/advisera.com\/27001acad
emy\/wp-json\/wp\/v2\/posts\/4422\/revisions\/104347"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/83010"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}