I have recently joined a company as Information Security Officer and I am currently implementing ISO 27001. I am about to finish it in a month's time. Before I was with them they had implemented a BCP DR project, and all the documents and implementation are done. Now it's time to test what has been implemented. I have very little experience in ISO 22301 and don't know where to start for the testing and drills. How do I make the test plans, what should I test first and what should I test at the end? How do I approach the stakeholders, and how should I actually test the BCP DR project which has been implemented? The worst part is that I was not part of it. I am just going through these documents and understanding what has been done by the consultant.
Please guide me on what to do in this situation. Please note that the scope of this project was the entire organization.
Answer: Fortunately, you have many approaches you can consider for performing BCP tests, which vary in effort, resource allocation, and the required confidence in the test results:
Desk check – checking the plans by means of auditing, validation, and verification techniques.
Plan walk-through – checking the plans by means of team interaction.
Functional testing – testing all interrelated plans for selected activities (including supplier procedures) with real resources in a controlled (announced) exercise.
Full testing – all activities are relocated from the original site to the alternative site (announced or unannounced).
Since you are doing this for the first time, I suggest you start with the desk check and prepare a plan defining when the other tests can be performed. This way you can ensure a gradual increase in test effort, while all people involved gain confidence in the plan and in their skills to perform it, and at the same time you can provide the required corrective and preventive actions.