
A medium-sized organization, whose IT disaster recovery measures have been in place and
regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP
tabletop exercise has been performed successfully. Which testing should an IS auditor recommend
be performed NEXT to verify the adequacy of the new BCP?

Full-scale test with relocation of all departments, including IT, to the contingency site

Walk-through test of a series of predefined scenarios with all critical personnel involved

IT disaster recovery test with business departments involved in testing the critical applications

Functional test of a scenario with limited IT involvement

After a tabletop exercise has been performed, the next step would be a functional test, which
includes the mobilization of staff to exercise the administrative and organizational functions of a
recovery. Since the IT part of the recovery has been tested for years, it would be more efficient to
verify and optimize the business continuity plan (BCP) before actually involving IT in a full-scale
test. The full-scale test would be the last step of the verification process before entering into a
regular annual testing schedule. A full-scale test in the situation described might fail because it
would be the first time that the plan is actually exercised, and a number of resources (including IT)
and time would be wasted. The walk-through test is the most basic type of testing. Its intention is
to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its
adequacy. The recovery of applications should always be verified and approved by the business
instead of being purely IT-driven. A disaster recovery test would not help in verifying the
administrative and organizational parts of the BCP which are not IT-related.
