Can anyone provide input about business continuity event simulation testing they have used? We need to improve our ISO 27001 system testing practices and documentation related to this. Any input would help (feedback, references, whatever).
As background, ISO 27001 requires business continuity planning and also testing of the planning and functional preparations. In the past we have used different types of "testing" as functional reviews and evidence:
-IT systems recovery testing, generally related to contracted customer requirements
-planned down-time as a functional test of power back-up systems
-fire drill practice as a test of emergency response planning (we didn't document as a "BCP test," but it relates)
-desktop tests to review other planning (a meeting).
Our auditors would prefer to see simulation testing, where we set up a scenario and test responses to this event as a run-through. It's not as easy as it sounds. How do you really simulate a flood?
The basics are obvious enough, the actual practice something else. You write out a scenario and then set aside a time and staff to conduct a response drill. Most critical is having the scenario and test conditions clearly spelled out and having observers to document what is happening as results, so later you can assess the success or failure of planning and event responses.
The reason we haven't done this is because we're not certified to a business continuity standard, only 27001, so it's not clearly required (testing is, not the form of it), and because it's not simple.
Thanks in advance for input.