Businesses are expected to put their business continuity and incident response plans to the test. But what does that mean exactly? If the whole concept of exercises and tests is a bit murky, you've come to the right place. In this article, we'll answer some frequently asked questions, like:
- What are exercises and tests?
- What's the difference between an exercise and a test?
- What are the most common exercise methods?
- How often should I perform exercises and tests?
- Can I conduct BCP and IRP exercises at the same time?
- Could an unplanned event count as an exercise or test?
What are exercises and tests?
In simplest form, exercises and tests are how you make sure your plans are ready. It's a validation process. Whether you're preparing for a business disruption or an incident of some kind, your business continuity plans (BCPs) and incident response plans (IRPs) will be most effective if they've been tried.
Think of it like playing a sport. If you play a sport, you probably didn't just sign up and run out onto the field or court expecting to be the best. Being good at something takes time, effort, conditioning, and lots of practice.
Exercises and tests are the practice field for your BCPs and IRPs. It's important to practice so you can be prepared for the real thing.
What's the difference between an exercise and a test?
It's all connected, really. According to the FFIEC Business Continuity Management (BCM) booklet:
"An exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the [plan] or related procedures. […] A test is a type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment."
In other words, all tests are exercises, but not all exercises are tests.
What are the most common exercise methods?
The FFIEC talks about four exercise methods. Let's break each of them down:
- Full-Scale Exercises are the most comprehensive and resource-intensive form of exercise, often involving multiple interconnected departments and systems. These exercises give you the best look into your plan's readiness, but they also require a lot more commitment. For example, if you decided to shut down a vital system for a couple of hours, that would be considered a full-scale exercise. For more info, see the FFIEC BCM Booklet, Section VII.G.1 Full-Scale Exercise.
- Limited-Scale Exercises are narrower in scope and focus on specific personnel or systems. When you limit the scale of an exercise to a single role or department, you get a detailed look at how individuals understand and enact the plan. For example, if you decided to take away access to the accounting department's payroll software, that would be considered a limited-scale exercise. For more info, see the FFIEC BCM Booklet, Section VII.G.2 Limited-Scale Exercise.
- Tabletop Exercises are very popular. These exercises involve gathering individuals to discuss a scenario, often around a table. These exercises are non-intrusive and are excellent for familiarizing people with their duties. For example, if you hosted a discussion on how the business would respond to ransomware, that would be considered a tabletop exercise. For more info, see the FFIEC BCM Booklet, Section VII.G.3 Tabletop Exercise.
- Tests are quantifiable exercises. These exercises involve certifying specific data points, performing measurable actions, and validating expected behaviors. For example, if you decided to restore certain data from a backup within a specific window of time, that would be considered a test. For more info, see the FFIEC BCM Booklet, Section VII.G.4 Tests.
Each exercise method has unique benefits and challenges, so it is important to pick the ones that offer the best value for the investment. Most organizations find tabletop exercises to be the choice that gives the most value at minimal cost.
How often should I perform exercises and tests?
It depends. Most organizations try to perform exercises of their BCP and IRP at least annually. However, this can vary based on business needs (e.g., changes in technology, risk exposure, personnel, etc.). An ideal process would be to layer several tests throughout the year to ensure wide coverage and deep knowledge of the plans.
Tip: Make sure this is defined as part of your BCP and IRP in your "Exercise & Test Program." By doing so, you can get an exercise and test frequency approved by the Board of Directors and senior management.
Can I conduct BCP and IRP exercises at the same time?
Perhaps. The purpose of an exercise is to validate specific functions.
- BCP exercises answer the question: How can we continue to operate in adverse circumstances?
- IRP exercises answer the question: How are we going to detect, respond to, and recover from an incident?
There may be scenarios that can answer both questions at the same time. For example, if you are dealing with a ransomware scenario, how will the IT department be able to bring encrypted systems back online (BCP) while also making sure to preserve forensic evidence and make sure the ransomware doesn't spread (IRP)?
There may also be scenarios that apply only to the BCP or only to the IRP. For example, natural disasters (e.g., hurricanes, fires, etc.) would probably be best suited as BCP exercises, whereas something like stolen or exfiltrated documents would be best suited as an IRP exercise.
That's not to say there isn't overlap because one thing can lead to another, especially in cybersecurity. The key is making sure your exercise is effective in verifying the accuracy and effectiveness of your plans. If you can verify both plans at the same time, great. If you would get better results by keeping the exercises separate, do that instead.
Tip: Even if you do exercise both your BCP and IRP at the same time, auditors and examiners may still expect to see separate documentation and lessons learned for each of the plans. Be prepared to explain how both plans were verified as part of the exercise.
Could unplanned events count as an exercise or test?
Yes, they could! Any time you put part of your plan into action, it could be considered an exercise or test.
Think about documenting any time you fail over a system, restore data from a backup, implement work-from-home procedures, send a mass employee communication via out-of-band channels, or navigate through a power or network outage. These are all ways you could be verifying your business continuity or incident response plans, even if the "practice" occurred during an actual disruption.
While there is a benefit to conducting additional exercises for targeted types of scenarios, each time you enact your plan is an opportunity to learn and improve.
Additional Resources
If you are looking for scenarios to take your exercises to the next level, check out the following:
- NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, Appendix A – Incident Handling Scenarios
- FDIC Cyber Challenge: A Community Bank Cyber Exercise
- CISA Cybersecurity Scenarios and Tabletop Exercise Packages (CTEPs)
- ICBA Cyber & Data Security Exercises
If you would like assistance with your BCP and IRP exercises, connect with our Tandem Partners. Our partners have expertise in conducting exercises and can provide an external perspective to help take your plans to the next level. Learn more and find a partner today at Tandem.App/Partner-Program.
For software to help organize and manage your Business Continuity Plan and Incident Response Plan, check out Tandem. With Tandem, you can schedule exercises in advance, use scenarios to conduct the exercise, document follow-up tasks for action items and lessons learned, and use integration to connect the exercise with other elements (e.g., third parties, business processes, etc.).
See how Tandem can help you at Tandem.App.