BCR-06: Business Continuity Exercises

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set and incorporates the following item from the previous version: BCR-02: Business Continuity Testing.

Control Statement

Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.

Implementation Guidance

Exercise and test business continuity and operational resilience plans at least annually or upon significant changes. Exercises and tests should include but are not limited to:

  1. Processes established in the business continuity plan.
  2. Alignment with business continuity policies.
  3. Critical systems and equipment relevant to the business continuity plan.
  4. Roles and responsibilities of the various parties involved in the exercises.
  5. The use of CSP support mechanisms in CSC exercises.
  6. A review and update of communication templates.
  7. Lessons learned from previous events and exercises.
  8. Tabletop exercises.

Depending on the level of CSP maturity, the CSP’s practices may include automated chaos testing.

Auditing Guidance

  1. Examine the plans for business continuity and operational resilience tests, with reference to their intended outputs.
  2. Examine the schedules of such tests and their periodicity.
  3. Evaluate if the plans are tested upon significant changes, or at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.