CIR Testing and Exercising
Scheduling
The scheduling of the test or exercise has to consider the constraints of test design (Goh, 2006) to ensure that every employee within the organisation is aware and trained to execute the appropriate procedures as documented in the CIR plan without disrupting normal operations.
Here are some factors to consider when designing a schedule:
- Time/Date;
- Duration;
- Frequency;
- Test/Exercise Scenarios;
- Budget for preparation of resources;
- Notification of Alerts; and
- Briefing.
Within the CIR plan, there are many components. It is advised that organisations take a systematic approach to testing rather than a regular, calendar-driven one. This means that the scope of the tests should be scheduled to progress from component to component instead of following the calendar. The sought-after approach is to develop an annual schedule that involves the entire organisation and tests the complete capability of the CIR plan progressively and cumulatively.
Here are some guidelines for designing an annual test schedule:
- Test the most critical components of the CIR plan more frequently. Rotate employees, if necessary, to widen experience and preparedness;
- Test business unit level procedures within the plan, as employees have a huge role in managing cyber security incidents, with additional checks by the business unit coordinator to ensure everyone knows what to do;
- Take variations in the business cycle into consideration and vary the testing pattern and scenarios accordingly;
- Ensure that new procedures due to changes within the organisation are documented and tested;
- Record and keep track of all tests conducted so the extent of tested capability is known and gaps that require improvements are identified; and
- Make adjustments or improvements, or streamline processes, to ensure the organisation remains secured against the influence of cybercriminals.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 9 Testing and Exercising 9.6 Scheduling
Note: This version was the draft 2nd Edition being updated in 2023. The numbers in square brackets [X-X] cross-refer to the actual chapter and section in the 1st Edition.