Developing and Delivering a BCP Test

The overarching purpose of a BCP test plan is to provide reasonable assurance that your business continuity plan, or specific aspects of it, will work as expected during a real crisis. 

 

Creating and conducting an effective BCP test requires an amount of preparation and planning to ensure that the test is meaningful and covers the appropriate scope. Any BCP test will require that the following are in place

BCP test objectives - these will  define the aim of the test and the specific assurances to be obtained

There are different types of BCP test which differ in both scope and level of realism that you want to achieve. These types of BCP test range from straightforward plan reviews, desktop walkthroughs to incident simulations

Test Objectives

Types of BCP Test

BCP Test Scenario

A BCP test scenario or type of incident. Except for the most simple of reviews it is helpful for a BCP test to be based on a particular type of incident or scenario, such as a failure of IT systems or unavailability of the work place. Basing the BCP test on a specific type of scenario adds a level of reality and focus to the activity

Disaster Recovery Test

A disaster recovery plan test which ensures that you can effectively restore specific operational capabilities after a particular type of incident (a power failure, for instance)

BCP Test Plan

A disaster recovery plan test which ensures that you can effectively restore specific operational capabilities after a particular type of incident (a power failure, for instance)

Incident Simulation

For more advanced BCP tests a method of incident simulation to make the BCP test scenario "come alive"

BCP Test Feedback & Actions

For more advanced BCP tests a method of incident simulation to make the BCP test scenario "come alive"

BCP Test Schedule

A BCP test is not an ad hoc activity. Each type of BCP test has its merits and  an organisation's business continuity plan should be supported by a formal BCP testing schedule covering all types of test. 

A BCP test is not an ad hoc activity. Each type of BCP test has its merits and  an organisation's business continuity plan should be supported by a formal BCP testing schedule covering all types of test. 

Why perform a BCP test?

Regardless of which of the various types of BCP test you conduct (although every business continuity plan should be subject to more than one type of test) – every test  sets out to ensure that the business continuity plan remains relevant to the organisation and continues to support a set of common assumptions:

 

Structure & Competence of Incident and Recovery Management Teams

Are the response and recovery team(s)  complete and intact?  Are the members of the response teams still present within the organisation, do they understand their roles and responsibilities?

 

People will remember what to do

If there are specialised resources in place to support incident management and recovery management, are those responsible for operating them proficient in their use?

 

Communication works as expected

Fast and accurate communication is crucial to effective incident and recovery management. During a major operational disruption there will be significant and intense interaction both internally and externally. A BCP test will help to ensure that contact lists are up to date and that communication plans accurately reflect how the organization will communicate during a crisis.

 

Alternative workplace approaches remain relevant

‘Work from home’, is a popular solution. However, employees must be able to work from the location for an extended and possibly indeterminate period of time. We need to ensure that the circumstances of those who are designated to work from home have not changed. Have they moved to an area of reduced internet performance/availability, does the organisation have sufficient licenses for remote access software? Likewise, if a Work Area Recovery facility is used, any BCP test should ensure that it's facilities and accommodation capacity remain fit for purpose.

 

IT Infrastructure and applications recovery capabilities continue to work as planned.

Can we recover our critical applications and services within the required timeframe in terms of re-instatement of IT infrastructure and restoration of data?  A BCP test should also establish that recovery instructions and procedures remain relevant and effective.

 

Decisions are straightforward and are made in possession of perfect information

Business Continuity plans are often developed under the assumption that that perfect information is available at the time that incident is encountered.  This is rarely the case – information (and often, dis-information) comes through in a sporadic "drip-feed".  A BCP test should cater for this – but not all types of BCP test are suitable for this approach to testing.  Reviews and walkthroughs, for instance, cannot reproduce this type of situation with any degree of realism – incident impact assessment and subsequent decision making are best evaluated during an incident simulation

If you are ever asked "Why is a BCP Test important?"

Testing your plan, using one of the approaches we discussed here is the only way to be confident that your plan will work when it is needed. Many organisations do experience significant disruptions from one source or another as the list below illustrates