What is the MINIMUM standard for testing a disaster recovery plan (DRP)?
The minimum standard for testing a disaster recovery plan (DRP) is as often as necessary depending upon the stability of the environment and business requirements. The frequency at which a DRP should be tested can vary based on the specific needs and risk profile of the organization. Regular testing ensures that the plan remains effective and any changes in the environment or operations are adequately reflected. Therefore, testing should be performed routinely and adjusted according to the organization's stability and requirements.
The tricky GOTCHA point here to notice is the "or less frequently" part of C. Regulation requires NO MORE THAN 12 months (1 year), so C can't be correct. D is the BEST (and most annoying CISSP-style) answer.
In the Book, the following is written: "The plan must be tested periodically to determine whether the plan to restore is actually operational, and personnel should be trained to take the actions required. Although dependent on the industry and regulatory requirements, testing should be performed no less than annually."
D is correct
According to the CISSP Common Body of Knowledge (CBK), there is no specific minimum frequency stipulated for testing a disaster recovery plan (DRP). However, it is recommended that DRPs should be tested regularly to ensure that they are effective and up-to-date. The frequency of testing should be based on the organization's business requirements, the stability of the environment, and the advice of the information security manager. There are several industry standards and regulations that provide guidance on DRP testing frequency. For example, the National Institute of Standards and Technology (NIST) recommends that DRPs should be tested at least annually. The Payment Card Industry Data Security Standard (PCI DSS) requires annual testing of DRPs as well. However, these are only recommendations and actual testing frequency may vary depending on the organization's needs and risk appetite. Therefore, the answer is "B".
DRP tests are driven by changes (IT or business).
NIST SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems: "The frequency of testing should be determined by the criticality and volatility of the system, and the DR plan should be updated as necessary to reflect changes in the system and its environment." DRI International Professional Practices for Business Continuity Management: "The frequency of testing should be determined by the criticality of the process, the complexity of the recovery, and the frequency of change to the process or supporting technology. The frequency of testing should be sufficient to ensure that the plan remains effective and relevant in addressing potential disasters."
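As an added illustration (not part of this thread, and not code from NIST, DRI or (ISC)²), the following Python sketch encodes the two rules the quotes above agree on: a risk-based test interval that is capped at an annual ceiling, and a retest trigger whenever material IT or business change has occurred since the last exercise. The interval values, the criticality labels and the sample inventory are assumptions constructed for the example, not figures taken from any standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy values, constructed for this example; they are not quoted
# from NIST SP 800-34, the DRI Professional Practices or the CISSP CBK.
MAX_INTERVAL_DAYS = 365                   # ceiling: "no less than annually"
CRITICALITY_INTERVAL_DAYS = {             # risk-based cadence, tighter for critical systems
    "high": 90,
    "medium": 180,
    "low": 365,
}


@dataclass
class DrpRecord:
    system: str
    criticality: str                      # "high" | "medium" | "low"
    last_test: Optional[date]             # None if the plan has never been exercised
    changes_since_test: int               # material IT/business changes since last_test


def required_interval_days(record: DrpRecord) -> int:
    """Days allowed between tests: the risk-based cadence, never longer than the annual ceiling."""
    cadence = CRITICALITY_INTERVAL_DAYS.get(record.criticality, MAX_INTERVAL_DAYS)
    return min(cadence, MAX_INTERVAL_DAYS)


def evaluate(record: DrpRecord, today: date) -> Tuple[str, str]:
    """Return (status, reason) where status is 'overdue', 'due' or 'ok'."""
    if record.last_test is None:
        return "overdue", "plan has never been tested"
    if record.changes_since_test > 0:
        # Volatility trigger: material change invalidates the assurance of the last test.
        return "due", f"{record.changes_since_test} material change(s) since last test"
    interval = required_interval_days(record)
    deadline = record.last_test + timedelta(days=interval)
    if today > deadline:
        age = (today - record.last_test).days
        return "overdue", f"last test {age} days ago exceeds the {interval}-day interval"
    return "ok", f"next test due by {deadline.isoformat()}"


def report(records: List[DrpRecord], today: date) -> Dict[str, Tuple[str, str]]:
    """Evaluate every system in the inventory against the policy."""
    return {r.system: evaluate(r, today) for r in records}


# Constructed sample inventory and reference date for demonstration.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    DrpRecord("payments", "high", date(2024, 4, 1), 0),        # within 90-day cadence
    DrpRecord("hr-portal", "medium", date(2023, 11, 1), 0),    # past 180-day cadence
    DrpRecord("intranet-wiki", "low", date(2023, 8, 15), 0),   # within annual ceiling
    DrpRecord("data-warehouse", "high", date(2024, 5, 20), 2), # recent, but changed since
    DrpRecord("legacy-fax", "low", None, 0),                   # never exercised
]


def sample_report() -> Dict[str, Tuple[str, str]]:
    """Run the policy over the constructed inventory."""
    return report(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for system, (status, reason) in sample_report().items():
        print(f"{system:15} {status:8} {reason}")
```

The point the script makes is the one the thread keeps circling: the annual figure is a ceiling that an audit can check, while the actual cadence is set by criticality and by change, so a plan tested last month can still be "due" the day a material change lands.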
DRP Testing should follow a policy that meets the business requirement.
Depends on your environment
Correct answer B: Audit requirements and fiscal alignment don't drive DR testing. Business requirements do (as long as it meets at least once a year). In many aspects of CISSP (Risk, BCP, DR etc etc), business requirements drive the decisions.
ISC^2 is looking for Annually, regardless of what a "good" policy may be.
Everything in CISSP land goes back to risk tolerance and risk management. So everything is relative to risk and there is no static minimum or maximum answer for a question like this.
Business requirements
Looking at the question, the main crux is asking for the MINIMUM based on the below. C is out as per the words "or less" than per annum, as this is against CISSP recommendation. The rest are all higher than D, so choose the minimum frequency answer along with the best answer.
Business requirements
DRP tests are driven by changes.
I am thinking B. "While there is no one standard for how often you should test your DRP and BCP, you should generally conduct functional disaster recovery testing at least once per year." https://www.eccouncil.org/cybersecurity-exchange/disaster-recovery/test-disaster-recovery-plan/#:~:text=While%20there%20is%20no%20one,at%20least%20once%20per%20year. C says annually or less frequently, but that "less frequently" is wrong.
B is correct: you do DRP whenever it is required. Not sure why folks are answering C & D :)
B: As often as necessary depending upon the stability of the environment and business requirements
Should be C. It mentions "MINIMUM". Reference: https://www.skillset.com/questions/how-often-must-disaster-recovery-drills-be-performed-12320