Hello.
Test the critical parts of the business (i.e., processes and activities) against the identified significant threats to the organization. The frequency depends on the process being tested, the scenario, the resources required, requirements from contractual, legal or regulatory entities. Tests should add value and confidence through out the supply chain.
Richard