The organization should regularly, at least once a year, practice potential disruption or attack situations.
The exercise can focus either on developing disturbance detection, response or management, or all of these.
Documentation of the implementation of exercises and observations must be maintained.
The organisation should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.
Testing of continuity plans shall involve, as appropriate, stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners
In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.