The organization shall update the response and recovery plans to address changes in its context.
Guidance
The organization’s context relates to the organizational structure, its critical systems, attack vectors, new threats, improved technology, environment of operation, problems encountered during plan implementation/execution/testing and lessons learned.
The organization should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.
Testing of continuity plans shall involve, as appropriate, the stakeholders critical to each plan. The organization should identify and document the necessary contacts with suppliers and partners.
In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.
The organization must test and update its security incident response at scheduled intervals or after significant changes. For critical parts of the organization, operational plans should be tested at least annually. Test results should be documented and communicated so that the plan can be improved.
The organization regularly improves its continuity plans by analyzing the results of plan testing, training exercises, and the plans' actual use in real situations.