Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

15) Does your organisation have a programme in place to regularly rehearse and maintain your Business Continuity and Disaster Recovery plans?

January 30, 2023
Business Resilience
Plan Rehearsal
Business Continuity Practice

Answer yes if your organisation runs rehearsal of its Business Continuity and Disaster Recovery plans at least annually involving all parties, including senior operational leaders. Please provide a report (as a PDF file) that details the last two tests to take place. In the notes section, please describe the nature of the exercises (e.g. desktop exercises, partial or whole practical/technical service restoration and recovery) and who was involved. Please also describe the outcome of the rehearsals, e.g. plans have been updated and re-issued with all material findings addressed.

An organisational Business Continuity Plan (BCP) and its included Disaster Recovery (DR) plan cannot be considered reliable until they have been rehearsed and proven to be robust and deployable. They should be rehearsed at least once a year and also as an interim event when there have been significant changes in business scope, context or operational technologies.

How to implement the control

We recommend that all companies with a Business Continuity Plan run a test of the plan (including its Disaster Recovery plan) at least annually.

If your organisation is large you could implement a structured approach that may include:

  • dividing the test into smaller operational unit tests,
  • desktop exercises to walk through crisis situation scenarios,
  • technical exercises in IT environments segregated from normal business operations,
  • unannounced ‘fire drills’ to mobilise resources to specific test scenarios.

The details of Business Continuity Plan tests, actions, and learning points arising should be documented as part of the test activity. Any material changes arising from the experience should be formally confirmed by the plan owner as implemented within an updated plan.

Maintenance of the plan should also include changes related to past incidents (from experience and root cause analyses) and any significant changes in business scope, context (including legal and regulatory changes) or operational technologies.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.