Management uses tests to verify the quantifiable performance and reliability of system resilience. The goal of testing is to determine whether system resilience conforms to the BCP and stated recovery objectives. Test methodologies and frequencies should align with the risk associated with the business function as well as the entity’s testing strategies and objectives. Management should clearly define the characteristics of a successful test, which may include the following:
- Validating RPOs, RTOs, and MTDs.
- Demonstrating recoverability at peak volumes.
- Confirming that systems can support critical business processes (e.g., transfer to alternate sites, increased workloads, manual workarounds, and communication).
- Integrating technologies that support critical business activities, including data replication, recovery, and off-site storage.
- Testing backup data to assess integrity and availability.
- Certifying facility controls (e.g., environmental, backup power, and physical security).
- Verifying workspace restoration (e.g., network connectivity and communications).