Testing Your Plans and Getting Prepared



Updated October 9, 2023

The second common element of both disaster recovery and incident response plans is the need to test that the plans work.

I know that it’s tempting to say “we have incidents all the time so we know what to do,” but in all honesty, just because you have incidents frequently, it doesn’t mean that they are representative of all the events you might need to deal with. There is also the question about who is “handling” your incidents. If you are responding from instinct, experience, or memory, that response is probably different from what is in your plan and may be difficult for someone else on the team to replicate.

Important: Every plan you create should be tested at least once a year. It’s as simple as that.

The risks and threats faced by an organization change over time, as do the staff members involved with protecting it. Testing on a regular basis ensures that the plan remains accurate and appropriate. Testing also ensures that all potential response team members are familiar with executing this plan.

The point of the test is to gather together the people and teams who would likely be involved in the response and walk through the plan together. This process allows all these different people to identify gaps or questions that arise from the process. The more they identify, the more you can improve your plan (or associated systems) to make sure that in a real emergency, the plan will be its most effective.

Running a Testing Session

You’ve decided to run your first testing session; fabulous. Here are some things you need to do that will help you get the most out of your session.

  1. Create a list of representatives from key areas in your organization that are likely to be involved in responding to an incident. For example:

    • Customer success (to explain outages to customers)

    • Engineering (to diagnose or fix issues)

    • Operations (to be involved in process alternation or backup systems)

    • Board and executive members (to be briefed)

    • Legal (to assess implications of incidents and advise the board and executive team)

    • Marketing (to engage with the media or create a communications plan)

  2. Schedule a time to meet; this needs to be enough time to get through the plan and allow for people to discuss challenges and ask questions (at least a couple of hours normally).

  3. Choose a testing scenario and make sure everyone has access to the plan you are testing in advance.

  4. Choose a lead for the plan test; this person needs to control the scenario and walk the other participants through the challenge. They should be very familiar with the plan and be able to adapt the scenario if questions arise.

  5. Choose someone to take notes, as you will need these to identify issues or updates that need to be made.

  6. Run the testing session; you will probably need a whiteboard, pens, and a private space.

  7. Record any outcomes or issues that need to be addressed and assigned to teams.

  8. Ensure all issues are addressed within 30 days of the testing session.
