BCP Test: Reviews & Walkthroughs
Review and walkthrough approaches are the most common and basic forms of BCP test. They are simpler to perform and require less planning than an incident simulation, but the trade-off is reduced assurance levels.
A BCP test based on a review approach involves little more than checking the plan content for factual accuracy and ensuring that it aligns with current needs and requirements. The primary considerations are whether contact lists and contact information are correct and whether designated role holders are still in position. This can be a helpful “sanity check” of the plan and can help to confirm that overall requirements (such as work area recovery site accommodation) remain accurate.
A BCP test based on a plan review approach provides some assurance that the content of the plan is factually correct. However, it provides no assurance that those identified as key role holders understand their roles and their relationships with others in the response and recovery organisation.
A BCP test based on a walkthrough approach establishes further assurance of the business continuity plan's effectiveness by looking beyond the content to draw conclusions regarding the effectiveness of the plan and the people who will be executing it. In this context a walkthrough test seeks to establish that participants and plan owners are aware of interdependencies and relationships with other parts of the response and recovery organisation and are likely to work cohesively as a team. It also seeks to establish that participants' knowledge of the plan and their individual roles is sufficiently well developed to ensure that the defined recovery priorities will be addressed and that they will take the correct actions related to impact assessment, invocation and escalation. A BCP test based on a walkthrough approach therefore gives assurance on the proficiency of the people who will execute the plan if it is invoked and their knowledge of their inter-relationships with the rest of the response and recovery organisation.
A BCP test based on a walkthrough approach will not provide any assurance that the organisation's intrinsic recovery capabilities are robust and relevant for the organisation's needs. A walkthrough test will not provide assurance in terms of IT systems recovery capabilities, telephony switching and whether communications strategies will work as expected.
Both types of BCP test will benefit from the provision and use of checklists to ensure standardisation of the scope of the evaluation. Here is an example of a BCP Review Checklist.
RiskCentric provide a range of services to support the design and execution of BCP tests.