Business Continuity Plan (BCP) Testing
What is a BCP (Business Continuity Plan)?
Effective business continuity plan testing must employ a strategy across multiple scenarios and for various potential uncontrollable events. The test needs to evaluate crisis management and how the organization implements disaster recovery as part of the scenarios agreed within the BCP test. When a BCP is tested, we need to ensure business continuity is understood by key team members across all locations.
The BCP strategies need to be reviewed for effectiveness and, when carried out, be deemed, so far as is reasonably practicable, suitable and sufficient to mitigate and manage risk. BCP testing involves a number of exercises and simulation tests that mimic the effects of a crisis. These are run with the involvement of the organization's team to ensure that they can handle an emerging crisis and understand the process. The tests encompass a number of different situational scenarios to check readiness across small- and large-scale events such as a power outage or a cyber-attack.
What is it all about?
Every business continuity plan (BCP) should be subject to testing. Each test ensures the plan remains relevant to the organization and its operations, its functions, the criticality of its infrastructure, and its response and dynamics across its locations.
Commonly we implement ISO 22301 alongside standards such as ISO 27001. With every ISO 27001 implementation, we offer an added service and solution to BCP testing.
Incident recovery teams, their understanding of their role with the BCP, what is required of them and the necessary action they need to take.
We need to factor in the organization's recovery teams' understanding and knowledge of the BCP. We must consider what they understand to be their roles and responsibilities in alignment with the BCP, their response and recovery time, and whether any member of the response team has left the organization or no longer has their role assigned. What are the resource GAPs and the competency GAPs?
As part of the testing process, we need to consider what specialist and significant resources are available to support incident management and recovery. Individuals tasked with response should be tested on their proficiency in the process, their competency and their understanding of incident management and recovery.
Internal & external communication, consultation & participation
Accuracy and speed of communication are vital, both internally and, where necessary, externally to the organization, to ensure effective and efficient incident management and recovery. Part of BCP testing includes checking key contacts and confirming that their details remain current. A full risk-based communication plan for crisis management is tested; it should be up to date and easy to enact during a crisis.
Did you know we need to consider all workplace environments as part of BCP testing?
This includes ‘working from home’ and ‘hot desking’ – All new working world environments!
Global & local IT infrastructure and applications recovery capabilities continue to work as planned.
An organization's BCP, procedures and recovery processes are tested for relevance and effectiveness across all locations. The efficiency of the recovery and reinstatement of critical data and applications within a designated timeframe is also GAP sampled.
BCP performance is evaluated for effectiveness and efficiency through incident simulation, assessing the impact of the incident response, the effectiveness of the containment and corrective measures employed, and the understanding of the processes to be followed, communicated and actioned.
BCP Testing Scenarios
Scenarios based on potential events and their relevance provide realistic challenges for the organization's disaster recovery team. The stress of the event, and how the team follows the BCP process and procedures under pressure, can be monitored and measured for effectiveness, with any GAPs realised allowing continual improvement to be implemented. This also allows root cause, correction (what we do about the issue immediately) and corrective action (what action we take to prevent recurrence) to be applied.
We first need to decide on the scenarios, what locations are involved and the impact criticality.
Below are some examples of BCP test scenarios:
Loss of access to buildings (examples):
- Power Outage / Failure.
- Mains Gas Leak.
- Fire / Flood.
- Terrorist Attack / Employee Hack.
- Legionella Outbreak.
- Infrastructure Damage (accidental / weather / earthquake).
People impact (examples):
- Disease X.
- Sabotage.
- Road, Rail and Air Strikes.
- Employee Strike.
- Hostage Event.
Critical infrastructure impact (examples):
- Power Outage / Failure.
- Hardware / Software Failure.
- Cyber Attack.
- Phishing Attack.
- Hard Wire Failure.
- External & Internal Communication Failure.
Some of the scenarios can lead to more than one impact, which would form part of the BCP test plan and objectives.
How can we help?
Our team deliver BCP testing across multiple locations for our clients globally.
We capture lessons learned from the testing, allowing your organization to continually improve your BCP. We capture suggestions for improvement from the key team members involved, together with our own observations, and factor into our report the output of the test scenario results, including key action points for improvement.
What does our support look like?
Our Intu Veritas team have a wealth of knowledge and experience in Business Continuity Planning, BCP testing and the implementation of ISO 22301.
- We will carry out a GAP sample of BCP testing across agreed associated locations in the scope of the test.
- We can implement ISO 22301 which is the main driver for organizational business continuity planning.
- Our team will provide a BCP test plan and set the BCP test objectives with you and agree the format across locations.
- A BCP test report will be prepared detailing the results captured and providing suggestions for improvement of the organization's overall BCP.
There is so much more that our team can support your organization with.