VII.E Exercise and Test Plans
Plans address the objectives and expectations of the exercise or test and outline the scenario and any assumptions or constraints that may exist. Exercises and test plans should include metrics to assess whether objectives are met. Plans should identify roles and responsibilities for participants, support personnel, and observers. (For the purposes of this booklet, the term “observers” does not constitute an independent review or audit function.) Exercise and test plans should be commensurate with the nature, scale, and complexity of the recovery objectives.
Management should receive and review third-party service provider exercise results, regardless of the entity’s extent of participation. Management should consider the scope and results of these exercises in the entity’s BCP. Management should evaluate third-party service providers’ resilience and ability to recover critical services used by the entity if an event occurs. Refer to the IT Handbook’s “Outsourcing Technology Services” booklet for additional information.
Test plans generally include the following:
- Roles and responsibilities for all test participants, including support personnel.
- A consolidated exercise and test schedule that encompasses all objectives.
- A specific description of objectives and methods.
- Identification of decision makers and succession plans.
- Exercise and test locations.
- Exercise and test escalation procedures and the ability to adjust for simulated scenarios.
- Contact information.
- Metrics to measure the success or failure of the exercise or test.
Management should review the exercise and test results, update the BCP where appropriate, and report the results to the board or board-designated committee. Suggestions for improving test scenarios, plans, or scripts provided by test participants should be incorporated into the testing cycle, where appropriate.