
[ISACA] [BCM] [A] [C3] Auditing Testing and Exercising Programmes

Written by Moh Heng Goh | Jun 21, 2026 5:55:26 AM

Chapter 3

Auditing, Testing, and Exercising Programmes

 

Introduction

One of the most common weaknesses identified during Business Continuity Management (BCM) audits is the assumption that the existence of plans equates to preparedness.

Organisations may invest significant effort in developing Business Continuity Plans, Crisis Management Plans, Disaster Recovery Plans, and Emergency Response Procedures; however, without effective testing and exercising, there is no assurance that these plans will function as intended during an actual disruption.

Testing and exercising represent the validation phase of the BCM lifecycle.

They provide organisations with the opportunity to assess preparedness, evaluate recovery capabilities, identify weaknesses, verify assumptions, and improve resilience before a real crisis occurs.

From an auditor's perspective, testing and exercising activities provide the strongest evidence of BCM effectiveness. Unlike policies and plans, which demonstrate intent, exercises demonstrate capability.

This chapter provides auditors with a structured framework for evaluating BCM testing and exercising programmes, aligned with ISO 22301:2019, Bank Negara Malaysia (BNM) BCM requirements, BNM Risk Management in Technology (RMiT), and Operational Resilience expectations.

 

Why Testing and Exercising Matter

The ultimate objective of BCM is not to produce documentation but to ensure that critical business functions and services can continue or recover during disruption.

Testing and exercising help organisations answer critical questions:

  • Can recovery objectives be achieved?
  • Do personnel understand their roles?
  • Are recovery procedures practical?
  • Are recovery resources available?
  • Will communication channels function effectively?
  • Are technology recovery arrangements capable of supporting business operations?

Without exercising, organisations operate based on assumptions rather than evidence.

 

The Difference Between Testing and Exercising

Although often used interchangeably, testing and exercising serve different purposes.

Testing

Testing focuses on validating specific components of continuity arrangements.

Examples:

  • Call tree testing
  • Backup restoration testing
  • System failover testing
  • Emergency notification testing
  • Data recovery testing

Exercising

Exercising evaluates the coordinated response of people, processes, and technology.

Examples:

  • Tabletop exercises
  • Simulation exercises
  • Crisis management exercises
  • Integrated recovery exercises
  • Live exercises

Auditor's Perspective

The key audit question is:

Has management demonstrated that continuity arrangements can support recovery requirements?

 

Regulatory and Standards Requirements

ISO 22301:2019 Requirements

Clause 8.5 – Exercise Programme

ISO 22301 requires organisations to:

  • Establish an exercise programme
  • Validate continuity strategies and solutions
  • Verify continuity procedures
  • Evaluate competencies
  • Identify improvement opportunities

Exercises must be planned, conducted, reviewed, and documented.

Bank Negara Malaysia Expectations

BNM expects regulated entities to:

  • Conduct regular BCM exercises
  • Validate recovery capabilities
  • Test technology recovery arrangements
  • Verify alternate site readiness
  • Assess crisis management effectiveness
  • Address deficiencies identified during exercises

Auditors should evaluate whether exercises satisfy regulatory expectations and provide meaningful assurance.

 

BCM Exercise Maturity Model

Auditors should recognise that organisations progress through different levels of exercise maturity.

Level      Description
Level 1    No formal testing programme
Level 2    Compliance-driven testing
Level 3    Structured exercise programme
Level 4    Integrated enterprise exercises
Level 5    Resilience-focused scenario testing

The audit objective is to determine whether the exercise programme is sufficiently mature for the organisation's risk profile.

 

Types of BCM Tests and Exercises

3.5.1 Call Tree Testing

Purpose

Validate communication procedures and contact information.

Audit Focus

Review:

  • Notification procedures
  • Escalation mechanisms
  • Contact accuracy
  • Response tracking

Audit Questions

  • How long does the notification take?
  • Were all personnel contacted successfully?
  • Are contact lists current?

Common Findings

  • Outdated contact information
  • Delayed response times
  • Incomplete escalation procedures

 

3.5.2 Walkthrough Exercises

Purpose

Validate understanding of recovery procedures.

Participants review plans and discuss actions.

Audit Focus

Assess:

  • Familiarity with plans
  • Recovery process understanding
  • Coordination effectiveness

Audit Questions

  • Can participants explain their responsibilities?
  • Are recovery procedures understood?

Common Findings

  • Inconsistent interpretation of procedures
  • Unclear responsibilities
  • Missing recovery actions

 

3.5.3 Tabletop Exercises

Purpose

Validate decision-making and coordination.

Participants discuss their response to a simulated scenario.

Audit Focus

Review:

  • Decision-making processes
  • Crisis management effectiveness
  • Escalation procedures
  • Communication protocols

Common Findings

  • Delayed decision-making
  • Poor communication coordination
  • Unclear authority structures

 

3.5.4 Simulation Exercises

Purpose

Replicate realistic disruption scenarios.

Examples:

  • Cyberattack
  • Data centre outage
  • Pandemic event
  • Supply chain disruption

Audit Focus

Assess:

  • Recovery capability
  • Cross-functional coordination
  • Recovery objective achievement

Common Findings

  • Recovery objectives not achieved
  • Resource constraints
  • Technology dependencies overlooked

 

3.5.5 Technical Recovery Testing

Purpose

Validate disaster recovery capabilities.

Examples:

  • Server recovery
  • Application recovery
  • Database restoration
  • Cloud failover

Audit Focus

Review:

  • Recovery performance
  • Data integrity
  • System functionality
  • Recovery timing

Audit Questions

  • Were recovery time objectives (RTOs) achieved?
  • Were recovery point objectives (RPOs) achieved?
  • Was the data restored successfully?

Common Findings

  • Recovery times exceed targets
  • Incomplete restoration
  • Undocumented recovery procedures

 

3.5.6 Integrated Recovery Exercises

Purpose

Validate end-to-end organisational recovery.

Includes:

  • Crisis Management Team
  • Business units
  • Technology teams
  • Third parties

Audit Focus

Evaluate:

  • Enterprise-wide coordination
  • Recovery effectiveness
  • Service restoration capability

Why Auditors Prefer These Exercises

Integrated exercises provide the strongest evidence that the organisation can recover from a disruption.

 

Auditing the Exercise Programme

Governance Review

Auditors should evaluate:

  • Exercise policy
  • Exercise schedule
  • Exercise ownership
  • Executive participation
  • Reporting mechanisms

Audit Questions

  • Is there an approved exercise programme?
  • Are exercises conducted according to the schedule?
  • Is management actively involved?

Exercise Coverage Review

Assess whether exercises cover:

Critical Business Functions

Are all critical functions exercised?

Critical Business Services

Are customer-facing services tested?

Technology Recovery

Are critical systems included?

Third Parties

Are key suppliers involved?

Crisis Management

Has leadership been tested?

 

Exercise Frequency Review

Examples:

Exercise Type               Recommended Frequency
Call Tree Test              Quarterly
Walkthrough                 Annual
Tabletop Exercise           Annual
Technical Recovery Test     Annual
Integrated Exercise         Annual
Severe Scenario Exercise    Every 1–2 years

Auditors should assess whether frequency aligns with organisational risk.

 

Evaluating Exercise Effectiveness

Merely conducting an exercise is insufficient.

Auditors should evaluate:

Objectives

Were exercise objectives clearly defined?

Realism

Was the scenario realistic?

Participation

Were appropriate stakeholders involved?

Performance

Were recovery objectives achieved?

Learning Outcomes

Were weaknesses identified?

Improvement Actions

Were corrective actions implemented?

 

Auditing Exercise Evidence

Auditors should collect evidence, including:

Exercise Plans
  • Objectives
  • Scope
  • Participants
  • Success criteria
Exercise Reports
  • Results
  • Findings
  • Lessons learned
Attendance Records
  • Participant involvement
  • Executive participation
Corrective Action Logs
  • Identified issues
  • Action owners
  • Completion status
Recovery Metrics
  • Actual recovery times
  • Service restoration results

 

Common Audit Findings

Finding 1: Exercise Programme Focuses on Compliance

Exercises are conducted solely to satisfy audit requirements rather than to validate recovery capabilities.

Risk

False confidence in organisational preparedness.

 

Finding 2: Limited Executive Participation

Senior management does not participate in crisis exercises.

Risk

Leadership may be unprepared during actual disruptions.

 

Finding 3: Repetitive Scenarios

The same scenarios are repeated annually.

Risk

Emerging threats remain untested.

 

Finding 4: No Validation of Recovery Objectives

Recovery times are assumed rather than measured.

Risk

RTOs may be unachievable.

 

Finding 5: Corrective Actions Not Implemented

Exercise findings remain unresolved.

Risk

Known weaknesses persist.

 

Operational Resilience Scenario Testing

The emergence of Operational Resilience introduces a new dimension to BCM auditing.

Traditional BCM exercises focus on plan validation.

Operational Resilience scenario testing focuses on:

  • Critical Business Services
  • Customer outcomes
  • Impact tolerances
  • Dependency failures
  • Severe but plausible scenarios

 

Auditor Review Areas

Critical Business Services

Have all services been tested?

Dependency Mapping

Have critical dependencies been challenged?

Impact Tolerance

Were tolerance levels exceeded?

Severe but Plausible Scenarios

Examples:

  • Simultaneous cyberattack and data centre failure
  • Cloud service provider outage
  • Third-party service disruption
  • Nation-state cyberattack
  • AI platform failure

 

Audit Metrics for Testing and Exercising

Auditors should evaluate performance indicators such as:

Exercise Completion Rate

Target: 100%

Recovery Objective Achievement

Percentage of exercises meeting RTO/RPO targets.

Corrective Action Closure Rate

Target: Greater than 90%

Executive Participation Rate

Target: 100% for major exercises.

Scenario Coverage

Coverage of key risks and critical services.
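The indicators listed above, together with the RTO/RPO audit questions under Technical Recovery Testing and the Recovery Metrics evidence, can be computed directly from an organisation's exercise records. The Python below is an added example and not material from the chapter or from BCM Institute: the record fields, the sample exercises and corrective actions are constructed for illustration, and the thresholds it applies are the targets stated above (100%, greater than 90%, 100%). It also separates "recovery measured and missed" from "recovery never measured", which is the distinction behind Finding 4.

```python
# Added illustration (not the chapter's own material): computes the chapter's audit
# indicators from constructed exercise records. Field names and sample data are assumptions.
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional


@dataclass
class ExerciseRecord:
    name: str
    exercise_type: str                       # e.g. "call_tree", "technical_recovery"
    planned: bool                            # on the approved exercise schedule
    conducted: bool                          # actually carried out in the audit period
    major: bool                              # executive participation expected
    executive_attended: Optional[bool] = None
    services: tuple = ()                     # critical business services exercised
    rto_target: Optional[timedelta] = None   # target set by the business impact analysis
    rto_actual: Optional[timedelta] = None   # recovery time measured during the test
    rpo_target: Optional[timedelta] = None
    rpo_actual: Optional[timedelta] = None   # data-loss window measured during the test


@dataclass
class CorrectiveAction:
    description: str
    owner: Optional[str]
    closed: bool


def _pct(numerator, denominator):
    """Percentage to one decimal; None when nothing is in scope (avoids a false 0% or 100%)."""
    return None if denominator == 0 else round(100.0 * numerator / denominator, 1)


def completion_rate(records):
    planned = [r for r in records if r.planned]
    return _pct(sum(1 for r in planned if r.conducted), len(planned))


def objectives_met(r):
    """True/False when recovery was measured against RTO and RPO; None when a target
    exists but no actual was recorded (Finding 4: recovery assumed, not measured)."""
    if r.rto_target is None or r.rto_actual is None:
        return None
    if r.rto_actual > r.rto_target:
        return False
    if r.rpo_target is not None:
        return None if r.rpo_actual is None else r.rpo_actual <= r.rpo_target
    return True


def recovery_objective_achievement(records):
    """Share of measured technical recovery tests meeting RTO/RPO, plus tests that validated nothing."""
    tests = [r for r in records if r.conducted and r.exercise_type == "technical_recovery"]
    measured = [r for r in tests if objectives_met(r) is not None]
    unmeasured = [r.name for r in tests if objectives_met(r) is None]
    return _pct(sum(1 for r in measured if objectives_met(r)), len(measured)), unmeasured


def executive_participation_rate(records):
    major = [r for r in records if r.conducted and r.major]
    return _pct(sum(1 for r in major if r.executive_attended), len(major))


def corrective_action_closure(actions):
    """Closure rate plus open actions nobody owns, which tend never to close."""
    rate = _pct(sum(1 for a in actions if a.closed), len(actions))
    return rate, [a.description for a in actions if not a.closed and a.owner is None]


def uncovered_services(records, critical_services):
    """Critical services no conducted exercise touched; a cancelled exercise counts for nothing."""
    exercised = {s for r in records if r.conducted for s in r.services}
    return sorted(set(critical_services) - exercised)


def audit_summary(records, actions):
    """Indicator values and the indicators below the chapter's targets (100%, >90%, 100%)."""
    metrics = {
        "exercise_completion_rate": completion_rate(records),
        "recovery_objective_achievement": recovery_objective_achievement(records)[0],
        "corrective_action_closure_rate": corrective_action_closure(actions)[0],
        "executive_participation_rate": executive_participation_rate(records),
    }
    targets = {"exercise_completion_rate": (100.0, False), "corrective_action_closure_rate": (90.0, True),
               "executive_participation_rate": (100.0, False)}      # (threshold, must strictly exceed)
    below = [k for k, (t, strict) in targets.items()
             if metrics[k] is None or (metrics[k] <= t if strict else metrics[k] < t)]
    return metrics, below


HOUR, MIN = timedelta(hours=1), timedelta(minutes=1)
RECORDS = [  # constructed sample audit period: six scheduled exercises
    ExerciseRecord("Q1 call tree test", "call_tree", True, True, False),
    ExerciseRecord("Core banking DR test", "technical_recovery", True, True, True, True,
                   ("core_banking",), 4 * HOUR, 3.5 * HOUR, 15 * MIN, 10 * MIN),
    ExerciseRecord("Payments DR test", "technical_recovery", True, True, True, False,
                   ("payments",), 2 * HOUR, 5 * HOUR, 15 * MIN, 5 * MIN),
    ExerciseRecord("Data centre failover test", "technical_recovery", True, True, True, True,
                   ("core_banking", "payments", "online_banking"), 8 * HOUR),  # timing never recorded
    ExerciseRecord("Integrated recovery exercise", "integrated", True, False, True,
                   services=("trade_finance",)),                                # scheduled, cancelled
    ExerciseRecord("Ransomware tabletop", "tabletop", True, True, True, True),
]
ACTIONS = [  # constructed corrective action log
    CorrectiveAction("Add database replica capacity", "Infrastructure lead", False),
    CorrectiveAction("Update payments DR runbook", "DR lead", True),
    CorrectiveAction("Refresh contact list", "BCM coordinator", True),
    CorrectiveAction("Record recovery timings during failover", None, False),
]
CRITICAL_SERVICES = ("core_banking", "payments", "online_banking", "trade_finance")
```

Two design choices matter for audit use. Recovery objective achievement is computed only over tests that actually recorded a recovery time, and the tests that did not are reported separately rather than silently counted as passes or failures; and a percentage with nothing in scope is reported as None rather than 0% or 100%, so an empty exercise schedule cannot appear as full compliance.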

 

Testing and exercising programmes provide the most reliable evidence of BCM effectiveness. While policies, strategies, and plans establish the framework for continuity, exercises demonstrate whether recovery capabilities can be executed successfully under realistic conditions.

Auditors must therefore move beyond simply verifying that exercises occur and instead evaluate the quality, realism, effectiveness, and outcomes of testing activities.

Particular attention should be given to recovery performance, leadership involvement, corrective action management, and alignment with organisational risks.

In today's environment of increasing digital dependence, cyber threats, and operational complexity, effective testing and exercising are no longer optional.

They are essential mechanisms for validating resilience capabilities and providing assurance that organisations can continue delivering critical products and services when disruption occurs.

The fundamental audit question remains:

"Has the organisation demonstrated its ability to recover, or has it merely rehearsed the existence of its plans?"

 


More Information About Auditing BCMS Courses

BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].
