The internal audit function of a licensee or its external auditor must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant, and whether it adheres to the policies and standards of the licensee. This review must include assessing:

(a) The adequacy of business process identification;
(b) Threat scenario development;
(c) Business impact analysis and risk assessments;
(d) The written plan;
(e) Testing scenarios and schedules; and
(f) Communication of test results and recommendations to the Board.
January 2014