How do you know that the team has mastered the business continuity or incident management plan?
In other words, how do you know that the team will react correctly in the event of an incident?
It’s easy! Let’s do a test.

Practice – Photo by Niklas Tidbury on Unsplash
Several types of test
There are several types of test, each with its own objectives and methods. Here are the main ones:
Table Top Test
This is a structured discussion exercise (workshop), often in the form of a meeting, where participants go through a specific crisis scenario to evaluate response plans and procedures. This type of test helps to identify gaps in plans, and to improve understanding of each stakeholder’s role and responsibilities in the event of a crisis.
Parallel test
In a parallel test, actual operations continue as normal, while continuity teams simultaneously run all or some business functions from a recovery site or using backup systems. This validates the ability to operate away from the main site without interrupting day-to-day operations.
Simulation test
A simulation test is more complex and involves creating a realistic operational environment where teams can test their reactions to simulated scenarios. This type of test can include simulated service interruptions, system failures, or emergency situations requiring a rapid response. It is designed to test not only written plans, but also the practical capabilities of staff. For example, it can check that interdepartmental communications are working, and that an incident will still be managed despite the silos that may have formed within the organization.
Complete recovery test
This test involves a complete switchover of operations to a recovery site, requiring the shutdown of functions at the main site. This is the most rigorous and costly test, as it simulates a major interruption where the main site is no longer operational. This test verifies the company’s ability to recover and maintain critical functions at a new site for an extended period.
Component testing
This involves testing individual components of a continuity plan, such as telecommunications systems, specific software or critical processes. This type of testing is useful for ensuring that the most critical aspects of infrastructure and applications can be recovered in isolation.
Step-by-step procedure test
A “walkthrough” is an exercise where the continuity team goes through each step of the plan sequentially, often physically on site. This helps to ensure that all personnel understand their role, and that the necessary resources are in place and functioning.
Load test
I include this type of test here since load testing can be used as part of continuity testing to ensure that IT systems can handle the expected volume of transactions or workloads in the event of failover to backup systems.
These tests vary in complexity and cost, and each organization must choose the type of test best suited to its specific needs, taking into account its operating environment, risk tolerance and strategic objectives. For example, you don’t run a simulation test to check whether you can rebuild a firewall or a server; a parallel test is better suited to that.
Preparation steps
1- Define the high-level objective to confirm what we want to achieve.
Here are a few examples of classic objectives, i.e. the reasons why we test our ability to respond:
Validation of response plans: These exercises verify the relevance and effectiveness of crisis response plans. Participants review and discuss the steps specified in the plans to ensure that they are feasible and effective.
Validation of internal and external communication: They test the organization’s communication mechanisms. This includes clarity of roles and responsibilities, as well as the ability to communicate effectively with external parties such as the media, the public and government agencies.
Validation of decision-making skills: By placing decision-makers in a simulated high-pressure environment, these exercises test the speed and effectiveness of decision-making in the face of limited or changing information.
2- Choose a scenario that is realistic and relevant to the organization.
Here are a few examples of the scenarios I use in my work:
Scenario 1: A cloud service provider suffers a major outage affecting several of its services, including those used by your organization. Applications and data have been unavailable for 3 hours.
Scenario 2: A security breach at the cloud service provider gives unauthorized third parties access to your company’s data, including sensitive customer information.
Scenario 3: Network performance problems lead to high latency and long response times for users.
Scenario 4: Your cloud service management credentials are compromised or lost, preventing you from accessing critical configurations and managing your account.
Scenario 5: A new regulation is introduced, requiring immediate changes to the way data is stored and processed on your servers.
Scenario 6: A Denial of Service attack hits your infrastructure and website, rendering them non-functional.
3- Involve participants
Involve participants and inform them of their roles and expectations during the exercise. They should also have a basic understanding of the scenario before starting the exercise.
Participants should be anyone with a role in incident management.
Here is a list of key roles to include in this exercise:
Information Security Manager to lead the exercise and ensure that all security policies and procedures are up to date and adhered to.
IT infrastructure managers who manage the infrastructure underpinning the organization’s services, and can provide technical expertise on resource management during the attack.
The Incident Response Team is on the front line in identifying, assessing and responding to the incident. They will play an active role in the exercise, implementing planned responses.
Software developers help to understand how applications can be affected and what preventive measures can be coded.
Customer support and communications management to handle communications with customers; they need to know what to say and when, in order to maintain customer confidence and minimize the impact on customer satisfaction.
Executive management may not be involved in the technical details, but must understand the impact of the incident on the business and make strategic decisions.
External partners if you depend on external suppliers for traffic management, network security or other critical services.
Legal and compliance representatives to ensure that all responses remain within the legal framework and comply with industry regulations.
Business continuity management, whose role is to maintain operations during crises, is essential for testing and refining business continuity plans.
4- Performing the exercise
The exercise should be conducted in a structured way, with an experienced facilitator (ideally) guiding the discussion and ensuring that all aspects of the scenario are covered.
The facilitator launches the scenario and guides participants through a series of events and complications, observing and noting how the team reacts, what decisions are made, and how communications are handled.
For the scenario of a denial-of-service attack, you could start by saying:
Thursday 3:30 pm – Paul in customer service finds the network particularly slow for website management.
Thursday 4:45 pm – Véronique is unable to connect to the website, and opens a ticket requesting assistance.
What happens next?
5- Summarize and document the exercise
At the end of the exercise, it’s important to allow each participant to share their perspectives and reactions. Discuss obstacles and successes.
Analyze performance against objectives. Identify gaps in plans and procedures.
Write a detailed report summarizing the results of the exercise, including lessons learned, recommendations for improvement, and an action plan for next steps.
For example, in the case of a DDoS attack, here are some questions that can help guide the discussion and assess your team’s preparedness:
Detection phase
- How did you detect the DDoS attack?
- Which Key Performance Indicators (KPIs) reported an anomaly?
- Which tools or monitoring systems first alerted the team?
- How do you distinguish between a legitimate traffic spike and a DDoS attack?
- What internal communication protocols are in place for early warning?
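The detection questions above ask which KPIs flagged the anomaly and how a legitimate traffic spike is told apart from a flood. As an added illustration (not part of the original article, and not a production detector), the following Python script groups web-server access-log lines into one-minute windows and applies a simple heuristic: a window whose request rate is well above baseline is a "traffic spike" if the load is spread across many clients and paths with a normal error rate, and a "suspected ddos" if requests concentrate on a few source IPs or a single path, or if the server error rate climbs. The log lines, IP addresses, timestamps and thresholds are all constructed for the example.

```python
"""Added example: separate a legitimate traffic spike from a suspected DDoS flood
using per-minute metrics computed from constructed access-log lines.
Thresholds are illustrative assumptions, not tuned values."""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined"-style line; we only need client IP, timestamp, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def make_line(ip, ts, path, status):
    """Build one constructed access-log line in combined format."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


def build_sample_log():
    """Constructed sample: three one-minute windows (baseline, campaign spike, flood)."""
    lines = []
    pages = ["/", "/pricing", "/docs", "/login"]
    # 15:30 - quiet baseline: 10 requests from 8 clients across several pages
    for i in range(10):
        lines.append(make_line(f"198.51.100.{i % 8}", f"18/Apr/2024:15:30:{i:02d} +0000",
                               pages[i % 4], 200))
    # 15:31 - legitimate spike (e.g. a campaign): 40 requests from 30 distinct clients
    for i in range(40):
        lines.append(make_line(f"203.0.113.{i % 30}", f"18/Apr/2024:15:31:{i:02d} +0000",
                               pages[i % 4], 200))
    # 15:32 - flood: 60 requests from only 3 sources, all hitting /login, half failing
    for i in range(60):
        lines.append(make_line(f"192.0.2.{i % 3}", f"18/Apr/2024:15:32:{i:02d} +0000",
                               "/login", 503 if i % 2 else 200))
    return lines


def parse(lines):
    """Group parsed requests into one-minute buckets; unparseable lines are skipped."""
    windows = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        minute = m["ts"][:17]  # "18/Apr/2024:15:30:07 +0000" -> "18/Apr/2024:15:30"
        windows[minute].append((m["ip"], m["path"], int(m["status"])))
    return windows


def window_metrics(reqs):
    """KPIs for one window: volume, source diversity, path concentration, error rate."""
    total = len(reqs)
    ips = Counter(ip for ip, _, _ in reqs)
    paths = Counter(path for _, path, _ in reqs)
    return {
        "requests": total,
        "unique_ips": len(ips),
        "top3_ip_share": sum(c for _, c in ips.most_common(3)) / total,
        "top_path_share": paths.most_common(1)[0][1] / total,
        "error_rate": sum(1 for _, _, s in reqs if s >= 500) / total,
    }


def classify(metrics, baseline_rpm, spike_factor=3.0):
    """Label a window relative to the agreed baseline request rate (assumed thresholds)."""
    if metrics["requests"] < spike_factor * baseline_rpm:
        return "normal"
    concentrated = metrics["top3_ip_share"] > 0.5 or metrics["top_path_share"] > 0.8
    if concentrated or metrics["error_rate"] > 0.2:
        return "suspected ddos"
    return "traffic spike"


def classify_log(lines, baseline_rpm):
    """Return {minute: label} for every window in the log, in time order."""
    return {w: classify(window_metrics(r), baseline_rpm) for w, r in sorted(parse(lines).items())}


if __name__ == "__main__":
    for window, label in classify_log(build_sample_log(), baseline_rpm=10).items():
        print(window, label)
```

Source concentration alone is not a reliable signal, since a distributed flood spreads across many addresses; that is why the heuristic also looks at path concentration and the server error rate, and why in practice the baseline and thresholds come from the organization’s own monitoring history rather than fixed constants.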
Analysis phase
- What type of DDoS is it (for example, volumetric, protocol, or application attack)?
- Which resources are most affected by this attack?
- Do you have the technical skills in-house to analyze the attack, or do you need to call in external experts?
- What additional information do you need to collect to fully assess the impact?
Response phase
- What are the first immediate steps to take once an attack has been confirmed?
- How do you manage traffic redirection and filtering?
- Do you have a specific emergency response plan for DDoS attacks?
- How do you involve your Internet Service Provider (ISP) or other third-party partners?
- What mitigation measures can you apply in the short term?
Recovery phase
- What processes do you have in place to return to a normal operating state?
- How do you check that the system is secure and fully operational after an attack?
- What post-incident checks and audits should be carried out?
Communication
- Who is responsible for communicating with customers, and how is this communication managed?
- What message is sent to customers and partners?
- How do you ensure transparency while maintaining customer confidence?
Post-incident review
- How do you document the incident and the measures taken in response?
- What is the process for analyzing what went right and what went wrong?
- What lessons have you learned and how will they affect future response plans?
- Do you have any training or policy revisions planned following this incident?
Future planning
- How does this scenario influence your long-term security strategies?
- Have you considered investing in additional technologies or services to better protect yourself against future attacks?
- What structural or technological changes are needed to improve the resilience of your infrastructure?
When
Another important question to consider is the desired frequency of exercises or tests.
Should they be conducted annually or more frequently to maintain vigilance among your employees?
Unfortunately, the answer depends very much on the nature of the organization and its risks: for example, whether it has a high staff turnover rate, or simply whether the procedures are not yet well understood by all those involved. Each exercise allows for improvements, so carrying out several exercises during the year or over 2 years helps to achieve a sufficient level of confidence.
A few pitfalls to avoid
A scenario too far removed from what the organization might actually experience risks not being taken seriously by the participants, reducing the effectiveness of the exercise.
Also, an overly complex scenario can overwhelm participants, preventing them from concentrating on the main objectives of the exercise.
One of the key objectives of these exercises is to learn and improve. The absence of structured, constructive feedback after the exercise is a missed opportunity.
If participants don’t take the exercise seriously or aren’t fully committed, the results won’t be representative of reality.
Don’t be afraid to fail; testing is an opportunity to learn and improve.
What about ISO27001:2022?
Several ISO27001:2022 controls specifically address business continuity and incident management testing:
- 5.24 – Preparing for information security incidents
- 5.29 – Information security during an incident
- 5.30 – Preparing ICT for business continuity
- 8.13 – Information backup
- 8.14 – Redundancy of information systems
Some of the standards governing business continuity
ISO 22301:2019 – Business continuity management
This international standard specifies the requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system to protect against, reduce the likelihood of, prepare for, respond to and recover from disruptive incidents when they occur.
This standard provides a framework for information and communication technologies (ICT) in support of business continuity.
DRI International (Disaster Recovery Institute)
DRI International offers certifications and training based on proven practices for business continuity and disaster recovery professionals.