Tests should be conducted to validate that business continuity recovery strategies will work. Tests should also be conducted to verify that systems and equipment perform as designed. Tests can take several forms, including the following:
- Component - Individual hardware or software components or groups of related components that are part of protective systems or critical to the operation of the organization are tested.
- System - A complete system test is conducted to evaluate the system’s compliance with specified requirements. A system test should also include an examination of all processes or procedures related to the system being tested.
- Comprehensive - All systems and components that support the plan are tested. An example of a comprehensive test is confirming that IT operations can be restored at a backup site in the event of an extended power failure at the primary site.
Tests of information technology systems and recovery strategies should be conducted in a manner that resembles the everyday work environment. If feasible, the actual components or systems used should be tested. Because tests can be disruptive, they may instead be performed on systems that mimic the actual operational conditions.
Inspection, testing and maintenance of building protection systems including fire detection, alarm, warning, communication, employee notification, emergency power supplies, life safety, fire suppression, pollution containment and others should be conducted in accordance with manufacturers’ instructions and regulatory requirements. If a critical warning system or protection system fails, the consequences could be significant.
A test schedule should be developed in accordance with applicable regulations, standards and best practices and designed to meet performance objectives. Records should be maintained.
Guidance on evaluating the need for testing; creating a test plan; and designing, developing, conducting and evaluating tests is provided in the Resources for Testing listed below.
Resources for Testing
- Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities - Recommendations of the National Institute of Standards and Technology, Special Publication 800-84
- IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals - Information Systems Audit and Control Association (ISACA)
- Fire Code - National Fire Protection Association (NFPA) 1
- Recommended Practice on Commissioning and Integrated Testing of Fire Protection and Life Safety Systems - NFPA 3
- Standard for the Inspection, Testing, and Maintenance of Water-Based Fire Protection Systems - NFPA 25
- National Fire Alarm and Signaling Code - NFPA 72
- Standard for Emergency and Standby Power Systems - NFPA 110
- Standard on Stored Electrical Energy Emergency and Standby Power Systems - NFPA 111