GASP: AICF


BCM-006 BCM and DR Testing

Tier 2+

Description

Business continuity and disaster recovery plans are exercised at least annually using tabletop exercises, functional tests, or full simulation. Test scenarios cover the most likely disruptive events (e.g., availability zone failure, ransomware, key personnel unavailability). Results are documented, lessons learned are captured, and plans are updated accordingly.

Rationale

Plans that are never tested contain untested assumptions. Regular exercises expose gaps in procedures, tooling, and team readiness before a real event.

Framework Mappings (5)

ID      Control name                              Mapping
BCR-06  Business Continuity Exercises             full
BCR-10  Response Plan Exercise                    full
5.30    ICT readiness for business continuity     partial
CP-4    Contingency Plan Testing                  full
A1.3    Recovery Plan Testing                     full

Evidence (2)

Evidence type: record (collected manually)

BCM/DR exercise record documenting the test scenario, participants, findings, and lessons learned from the most recent tabletop, functional, or full simulation exercise.

Example: DR test report or BCM exercise after-action report (dated, within the last 12 months) showing scenario description, participant list, timeline of events, issues identified, and corrective actions raised

Test: Request the BCM/DR exercise record for the last two annual exercises. Verify: (1) exercises were conducted within the required frequency; (2) scenarios covered at least one realistic disruption type (e.g., AZ failure, ransomware, key personnel loss); (3) participants included personnel with defined response roles; (4) findings and lessons learned are documented; (5) corrective actions have been assigned and tracked.

Evidence type: report (collected manually)

Post-exercise lessons learned report showing corrective actions raised and tracked following the most recent BCM/DR exercise.

Example: Post-exercise improvement register or Jira/equivalent backlog showing issues identified during the exercise, assigned owners, target remediation dates, and current status

Test: Request the post-exercise lessons learned report and the corrective action register. Verify: (1) all significant findings from the exercise are in the register; (2) each finding has an assigned owner and due date; (3) actions from the prior exercise cycle were completed before the next exercise; (4) completed actions resulted in an update to the BCP, DRP, or related procedures.

Questions (2)

Question type: boolean

Are business continuity and disaster recovery plans exercised at least annually using tabletop exercises, functional tests, or full simulation, with results documented and plans updated accordingly?

Exercises should include personnel with defined response roles. Lessons learned must be captured and result in updates to the BCP, DRP, or related procedures.

Question type: select

What type of BCM/DR exercise was most recently conducted, and when?

Options:
- Full simulation or live failover test within the last 12 months
- Functional test (partial systems or processes tested) within the last 12 months
- Tabletop exercise within the last 12 months
- Any exercise type, but more than 12 months ago
- No BCM/DR exercise has been conducted

A tabletop exercise is the minimum acceptable exercise type. A full simulation or live failover test provides the strongest evidence of plan effectiveness.