ISO 22301 Requirements
Clause 8.5 of ISO 22301 requires organizations to exercise and test their business continuity arrangements to ensure they are consistent with business continuity objectives.
The standard requires exercises to:
- Be consistent with the scope and objectives of the BCMS
- Be based on appropriate scenarios
- Validate the effectiveness of BC arrangements
- Produce formalized post-exercise reports
- Be conducted at planned intervals
- Result in improvement actions
Auditors look for evidence of a varied exercise programme that challenges different aspects of your BC capability. Doing the same tabletop exercise every year is insufficient - exercises should progressively test different scenarios, teams, and recovery capabilities.
Exercise Types
| Type | Description | Complexity | Duration |
|---|---|---|---|
| Walk-through | Step through plans with team, identify gaps | Low | 1-2 hours |
| Tabletop | Discussion-based scenario, test decision-making | Low-Medium | 2-4 hours |
| Call Tree | Test notification and communication systems | Low | 1 hour |
| Functional | Test specific capability (e.g., IT failover) | Medium | 4-8 hours |
| Simulation | Realistic scenario with time pressure | Medium-High | Half to full day |
| Full-scale | Actual invocation of plans and procedures | High | 1+ days |
Choosing Exercise Types
Select exercise types based on:
- Maturity: Start simple, progress to complex
- Objectives: What are you trying to validate?
- Resources: Time, people, cost available
- Risk tolerance: Impact if exercise causes disruption
- Previous findings: Focus on areas needing improvement
Exercise Programme Design
A robust exercise programme should:
Cover All Critical Activities
Over a 3-year cycle, ensure every critical activity identified in the business impact analysis (BIA) has been exercised at least once.
Test Different Scenarios
- Loss of site/premises
- Loss of technology
- Loss of key personnel
- Loss of supplier
- Cyber incident
- Pandemic/workforce reduction
Progress in Complexity
| Year | Exercise Focus |
|---|---|
| Year 1 | Walk-throughs, tabletops, call tree tests |
| Year 2 | Functional tests, simulations, integrated exercises |
| Year 3 | Full-scale exercise, unannounced elements |
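As an added illustration (not part of the original guide), the following Python script builds the coverage matrix the three points above describe: which BIA activities and which scenarios have not been exercised within the rolling 3-year cycle, and whether peak exercise complexity progressed year on year. The exercise log, activity list and complexity ranking are constructed sample data.

```python
from datetime import date

# Constructed sample exercise log; each record names the activities it exercised.
EXERCISE_LOG = [
    {"date": "2022-03-10", "type": "tabletop", "scenario": "loss of site",
     "activities": {"payroll", "order processing"}},
    {"date": "2022-09-05", "type": "call tree", "scenario": "loss of key personnel",
     "activities": {"payroll"}},
    {"date": "2023-04-18", "type": "functional", "scenario": "loss of technology",
     "activities": {"order processing", "customer support"}},
    {"date": "2024-02-01", "type": "simulation", "scenario": "cyber incident",
     "activities": {"order processing"}},
]

# Constructed critical activities (as a BIA would list them) and the scenario set from the guide.
CRITICAL_ACTIVITIES = {"payroll", "order processing", "customer support", "warehouse dispatch"}
SCENARIOS = {"loss of site", "loss of technology", "loss of key personnel",
             "loss of supplier", "cyber incident", "pandemic/workforce reduction"}

# Complexity ranking derived from the exercise-type table (assumed ordering).
COMPLEXITY = {"walk-through": 1, "call tree": 1, "tabletop": 2,
              "functional": 3, "simulation": 4, "full-scale": 5}


def coverage_report(log, as_of_iso, cycle_years=3):
    """Return coverage gaps and complexity progression for the cycle ending on as_of_iso."""
    as_of = date.fromisoformat(as_of_iso)
    try:
        start = as_of.replace(year=as_of.year - cycle_years)
    except ValueError:  # as_of is 29 Feb and the start year is not a leap year
        start = as_of.replace(year=as_of.year - cycle_years, day=28)
    in_cycle = [e for e in log if start < date.fromisoformat(e["date"]) <= as_of]

    exercised = set().union(*(e["activities"] for e in in_cycle))
    scenarios_run = {e["scenario"] for e in in_cycle}

    # Peak complexity reached in each year; progression means it never drops year on year.
    peak_by_year = {}
    for e in in_cycle:
        year = date.fromisoformat(e["date"]).year
        peak_by_year[year] = max(peak_by_year.get(year, 0), COMPLEXITY[e["type"]])
    years = sorted(peak_by_year)
    progressed = all(peak_by_year[a] <= peak_by_year[b] for a, b in zip(years, years[1:]))

    return {
        "unexercised_activities": sorted(CRITICAL_ACTIVITIES - exercised),
        "untested_scenarios": sorted(SCENARIOS - scenarios_run),
        "progression_ok": progressed,
        "peak_complexity_by_year": peak_by_year,
    }
```

Run `coverage_report(EXERCISE_LOG, "2024-12-31")` to list the gaps an auditor would ask about; anything in the two gap lists is a candidate for next year's programme.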
Exercise Planning
Exercise Brief
Document for each exercise:
- Objectives (specific, measurable)
- Scope (teams, plans, scenarios)
- Scenario description
- Participants and roles
- Date, time, location
- Success criteria
- Safety/real-world rules
Scenario Design
Good scenarios are:
- Realistic: Based on identified risks
- Challenging: Test decision-making under pressure
- Scalable: Can introduce injects to increase complexity
- Safe: Won't cause actual business disruption
Exercise Execution
Roles During Exercise
- Exercise Director: Controls scenario, introduces injects
- Facilitator: Guides discussion (tabletops)
- Observers: Document actions, timing, issues
- Participants: Execute their BC roles
- Safety Officer: Monitors for real emergencies and can halt the exercise
Documentation During Exercise
- Timeline of events and actions
- Decisions made
- Issues encountered
- Deviations from plans
- Resource utilization
Lessons Learned
Post-Exercise Debrief
Conduct immediately after exercise:
- Hot debrief (same day, capture immediate impressions)
- Cold debrief (within 1 week, considered analysis)
Debrief Questions
- What worked well?
- What didn't work?
- Were objectives met?
- Were plans followed? If not, why?
- What should be changed?
- Were recovery time objectives (RTOs) achievable?
Lessons Learned Register
Track all findings with:
- Finding description
- Root cause
- Recommended action
- Owner
- Target date
- Status
Audit Evidence
Auditors expect to see:
Programme Level
- Exercise programme/schedule
- Coverage matrix (activities vs exercises)
- Year-on-year progression
Per Exercise
- Exercise brief/plan
- Participant list and attendance
- Scenario and injects
- Observation notes
- Post-exercise report
- Lessons learned
- Improvement actions
Follow-up
- Action completion evidence
- Updated plans reflecting lessons
- Re-testing of corrected items
The value of exercises is not in passing them, but in learning from them. Auditors are more concerned about what you learned and improved than whether everything went perfectly.