Business Continuity Plan Testing Exercise

1 - Can we include Risk assessment and BIA in the test exercise and ask questions on that? or in other words should we do both analyses during this testing exercise?

Please note that the purpose of a BC Plan tabletop exercise is to assess the effectiveness of the devised plan (e.g., if people know what to do, if all required activities are included and well described, etc.), not to evaluate it against BIA and risks, so both analyses should not be performed together (this would only make the test unnecessarily complex).

Considering that, the best course of action would be to ask for the information about BIA and risk assessment, and evaluate the BC Plan before the test, and if this information is not available you could explain that without a clear understanding of business impacts and associated risks, even though the BC Plan test is considered successful, it may not be fully aligned with the relevant impacts and risks related to the considered scenario.

For further information about BC Plan tests, see:

• How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/

2 - Secondly, what are the most relevant questions we should be asking?

A tabletop exercise means testing a plan by means of team interaction, so examples of relevant questions to be asked to people involved in the BC Plan would be related to:

• the sequence of activities to be performed by each person in case of a Data Centre Power Outage
• the means of communication to be used, who to communicate to, and what to communicate
• the knowledge of each person about the activities other members will be performing

Based on these questions, and the speed and confidence of response, you can evaluate if the involved personnel are familiar with the plan and can perform it in a satisfactory way.