Which testing should an IS auditor recommend be perform…

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for
years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been
performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the
adequacy of the new BCP?

A. Full-scale test with relocation of all departments, including IT, to the contingency site

B. Walk-through test of a series of predefined scenarios with all critical personnel involved

C. IT disaster recovery test with business departments involved in testing the critical applications

D. Functional test of a scenario with limited IT involvement

Explanation:
After a tabletop exercise has been performed, the next step would be a functional test, which includes the
mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part
of the recovery has been tested for years, it would be more efficient to verify and optimize the business
continuity plan (BCP) before actually involving IT in a full-scale test. The full-scale test would be the last step of
the verification process before entering into a regular annual testing schedule. A full-scale test in the situation
described might fail because it would be the first time that the plan is actually exercised, and a considerable amount of
resources (including IT) and time would be wasted. The walk-through test is the most basic type of testing. Its
intention is to make key staff familiar with the plan and to discuss critical plan elements, rather than to verify its
adequacy. The recovery of applications should always be verified and approved by the business instead of
being purely IT-driven. A disaster recovery test would not help in verifying the administrative and organizational
parts of the BCP that are not IT-related.
