All of the BCP's related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. The scope of testing must be comprehensive enough to cover the major components of the BCP as well as coordination and interfaces among important parties. A testing of particular components of the BCP or a fully integrated testing must be decided depending on the situation. The following points must be included in the annual testing:

(a) Staff evacuation and communication arrangements (e.g. call-out trees) must be validated;
(b) The alternate sites for business and technology recovery must be activated;
(c) Important recovery services provided by vendors or counterparties must form part of the testing scope;
(d) Licensees must consider testing the linkage of their back up IT systems with the primary and back up systems of service providers;
(e) If back up facilities are shared with other parties (e.g. subsidiaries of the licensee), the licensee needs to verify whether all parties can be accommodated concurrently; and
(f) Recovery of vital records must be performed as part of the testing.
January 2014