Testing The Business Continuity Plan

Published on : 06 Aug 2020


A Business Continuity Plan (BCP) is a set of prevention and recovery arrangements that lets an organization deal with an incident that could severely hamper business operations. There is always a possibility that an organization's critical business processes come to a standstill because of an unforeseen event beyond its control. To deal with such incidents, it is best to be prepared for the worst: organizations should have a recovery plan in place to keep the impact on business operations and client servicing to a minimum. However, simply creating a Business Continuity Plan will not protect a business. Organizations need a solid BCP strategy that is not just well laid out but is also effective when implemented. So, once an organization develops a Business Continuity Plan, it is crucial to test its effectiveness. Testing the plan verifies that the strategy in place works and trains the responsible personnel for the real scenario. Moreover, the test helps identify areas of concern where the plan needs to be strengthened.

Objective of Testing a Business Continuity Plan

Testing a BCP strategy is not just about passing or failing, but about ensuring constant improvement of the strategy implemented. Here are some reasons why running a strategic test is essential for an organization:

  • Identifying gaps/weaknesses in your Business Continuity Plan.
  • Validating and improving the BCP strategy.
  • Keeping all of your BCP strategy updated.
  • Confirming that your continuity objectives are met.
  • Evaluating the company's response to various incidents.
  • Improving systems and processes based on test findings.
  • Demonstrating to your clients a higher degree of commitment.
  • Satisfying compliance and regulators' requirements.
  • Helping reduce recovery time and cost.

Without testing the plan, an organization may put its business and stakeholders at great risk.

How often should the company test its BCP?

While there is no hard-and-fast rule for determining how often an organization should test its Business Continuity Plan, there are certain guidelines that must be followed to ensure its effectiveness. How often established plans such as Disaster Recovery, Incident Recovery, and Risk Management programs are reviewed depends on the threat scenarios that your organization identifies as high-risk and expects to occur frequently. While the number of tests to be conducted depends on the industry, the size and complexity of the organization, the resources available, and the maturity of the BCP, it is recommended that tests are conducted twice a year for critical processes, and at a minimum once a year. In some cases it may not be feasible or logical to perform some of the tests frequently, so we suggest organizations base their decision on their needs. Moreover, if your organization undergoes major changes in its processes, systems, or plan details, you may have to consider testing more frequently.

Testing your Business Continuity Plan 

BCP Review

Once the organization develops an initial version of the BCP, the entire team responsible should review the plan. All members should examine the plan in detail and attempt to identify inconsistencies or issues that may have been overlooked during development. The review should involve higher-level management and department heads to analyze and discuss potential improvements, and to ensure contact information and recovery contracts are in place. The team should conduct a review at least quarterly to ensure the plan remains effective. The focus of the review should be on identifying weak areas and implementing measures to strengthen them.

Incorporating different testing methods

1. Tabletop Exercise/Test

A Tabletop Test is a scenario-based role-play exercise conducted with the intention of discussing concrete plans for managing a simulated emergency systematically. The basic objective of this test is to ensure that all personnel responsible for actionable measures are aware of the relevant processes and procedures in the BCP. The test typically involves discussing one or more disaster scenarios, during which the planned response and procedures are reviewed and the team confirms that the responsibilities outlined are appropriately handled by the people assigned to them. This helps organizations identify shortcomings in their established process and drives improvement.

2. Walk-Through Drill/Simulation Test

A Walk-Through Drill/Simulation Test is a more practical version of the tabletop exercise. The test goes beyond talking about the process and actually has the team carry out the recovery process. So, while a Tabletop Test involves sitting around a table discussing plan details, the Walk-Through/Simulation Test involves the team responding to a pretend disaster as described in the scenario and acting as directed by the BCP. This would include restoring backups, live testing of redundant systems, and carrying out other relevant procedures. The test validates the response, processes, systems, and resource mobilization.

3. Full Recovery Test

A Full Recovery Test involves the complete process of actually bringing up the backup systems and processing transactions or data, treating the simulation as a real-life disaster. It is a functional test that checks how quickly a system can recover after a crash or failure. The test is conducted to ensure that live and backup systems can run in conjunction, assuring a hassle-free transition of operations to your backup systems in case of a sudden system failure or crash. Organizations should review the effectiveness of their system recovery every time they release or upgrade their systems. Ideally, organizations should conduct BCP drills at least once or twice a year, including recovery testing, to make sure everyone involved is aware of their roles and responsibilities, and to ensure critical business operations keep functioning smoothly when there is a failure or disaster.

Involve Vendors

During the course of BCP testing, organizations should ensure their critical vendor partners are included in the process as much as possible. This not only improves the accuracy of the test but also lets your organization get valuable feedback from vendors about the current Business Continuity Plan and testing process, along with their suggestions for improvement.

Post Test Report

Finally, the organization should document the results of the tests conducted, together with the actionable findings from those tests. This is the most important part of the BCP testing process. The document should also contain recommendations detailing the key actions and measures to be taken for improvement and for building resilience, as well as considerations for the next annual or six-monthly review of your Business Continuity Planning.

Post-Test Actionable Measures

  • The team involved in the BCP should diligently review the test findings.
  • Take the necessary measures and assign responsibilities for open action items.
  • Update and distribute the written plan to the members concerned.
  • Identify and list items for consideration in the next annual/six-monthly tests.

How can VISTA InfoSec help Organizations with BCP?

Organizations are constantly at risk of damage or disruption caused by an unforeseen event, and implementing actionable measures to limit the impact of an unexpected incident is extremely challenging. So, to help organizations build an effective Business Continuity Plan and ensure it works, we at VISTA InfoSec offer advisory services based on our years of industry experience and knowledge of standards for Business Continuity Planning such as ISO 22301. VISTA InfoSec has been part of the Information Security industry for the past 16 years. Knowing the ins and outs of the industry makes our team highly proficient and capable of assisting clients with their Business Continuity Plans. Our integrated solutions and advisory services help businesses develop a solid BCP that stands the test of time and helps clients recover quickly from an incident. Our testing and training programs create awareness and enable organizations to deal with incidents efficiently. Our BCP services include:

Prior to an incident – Our team helps organizations develop and manage emergency action plans, and provides training with supporting expert content for guidance.

During an incident – If an incident occurs, our team helps the organization recover faster by assisting with the implementation of its disaster recovery plan and incident management plan, along with testing, office space, and suggestions for immediate remediation.

After an incident – Our team ensures quick recovery of your business, making it fully operational and preparing it to withstand the impact. We offer complete support and guidance throughout the process and ensure minimum impact and the least exposure to further vulnerabilities.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.