BCR-10: Response Plan Exercise

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.

Implementation Guidance

The plan should be executed at regular intervals based on the organization’s BIA. It should be performed as a tabletop exercise and incorporate an annual live event with local authorities (e.g., fire departments, health officials, police departments, anti-terrorist organizations, and anti-cybercrime groups). Depending on regulatory requirements, the business, and the industry, a disaster recovery (DR) exercise might be required. For example, financial institutions may consider running live on DR for extended periods or simulating component or partial failures to test overall organizational resiliency and recovery abilities.

Auditing Guidance

  1. Examine the policy for planning and scheduling disaster response exercises, and involving local emergency authorities, if possible.
  2. Evaluate if plans are tested upon significant changes, or at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.