The organisation has to evaluate the impact of business disruptions and risks. Based on this evaluation the organisation must prioritize themes in continuity planning to focus on the important risk related issues.
The organization should regularly and at least annually test and review information security continuity plans to ensure that they are valid and effective in adverse situations.
Stakeholders critical to each plan will be involved in the testing of continuity plans, as appropriate.
In addition, in the event of significant changes in operations, the adequacy of continuity plans and related management mechanisms should be reassessed.