Exercise Programme for ISO 22301 Business Continuity

ISO 22301 Clause 8.5

This sub-clause requires a programme of exercising and testing to validate the effectiveness of the business continuity strategies, solutions, plans and procedures over time.

ISO 22301 Clause 8.5 - Exercise Programme

Clause 8.5 is the clause that distinguishes the BCMS that is alive from the BCMS that is on the shelf. A documented plan that has never been exercised is a hypothesis, not a capability. The exercise programme is what turns the hypothesis into something demonstrably workable - or, equally usefully, into something that has been shown to need fixing.

What ISO 22301 Clause 8.5 Requires

The clause requires the organisation to implement and maintain an exercise and testing programme. Exercises and tests must: be consistent with the business continuity objectives; be based on appropriate scenarios that are well planned and clearly defined; develop teamwork, competence, confidence and knowledge in the people with response roles; validate the strategies and solutions over time; produce formalised post-exercise reports with outcomes, actions and recommendations; be reviewed in the context of continual improvement; and take place at planned intervals and when significant changes occur.

The clause also requires the organisation to act on the results of exercising and testing to implement changes and improvements. Exercising without follow-through is not what the standard is asking for.

Designing an Exercise Programme

Exercises range from low-cost, low-disruption desktop walkthroughs to live full-scale tests. A typical programme uses different exercise types to test different parts of the BCMS over time. Tabletop exercises validate decision-making and plan content. Walkthroughs test the steps of specific procedures. Communications tests verify that the warning and communication arrangements work. Live exercises test the actual capability - failover of a system, occupation of an alternative site, mobilisation of staff. The combination over a year or two should validate every significant element of the BCMS.

The post-exercise report is what gives 8.5 its teeth. Each exercise should produce a documented record of what was done, what worked, what did not, what actions are needed and who owns them. Those actions feed into the issues and actions register and ultimately into the next round of plan and register updates.

Once the BC plan is in place, write a procedure that explains how exercises will be planned, run and reported. The actual test record - what scenario, who took part, what was tested, what was learned, what is being changed - is captured for each exercise. Over a couple of years the test record builds into a powerful body of evidence.

I want to see evidence of exercising at the audit. That means the exercise programme, the post-exercise reports and evidence that issues raised in those reports have been actioned. A BCMS where the plan was exercised once at certification and never again is not maintaining capability over time, regardless of what the plan looks like on paper.

Practical Compliance Guidance

The F-Q93 Continuity Test Record provides a structured template for documenting each exercise - scenario, participants, observations, findings, actions and outcome. The exercise programme itself can be summarised on the F-IMS21 Business Continuity Register or in the PP-1-05 Business Continuity Policy.

The documents below support the exercise and testing programme for an ISO 22301 BCMS.

alphaZ document - How to use it

ISO 22301 Toolkit - The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard.

F-Q93 Continuity Test Record - The template for recording each exercise: scenario, participants, observations, findings, actions and outcome.

F-Q94 Business Continuity Plan - The plan that is exercised and from which exercise scenarios are derived.

PP-1-05 Business Continuity Policy - The policy procedure that sets out the framework for the exercise programme.

F-IMS21 Business Continuity Register - The register that summarises planned monitoring and testing alongside other BCMS arrangements.

Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.

Frequently Asked Questions

How often should exercises take place?

The standard does not set a frequency, but most organisations exercise the full plan at least annually, with smaller component tests through the year (communications cascade tests, single-scenario walkthroughs). Significant changes to the organisation or context should also trigger exercises.

Does every exercise have to be a full live test?

No. Tabletop exercises, walkthroughs, communications tests and component tests are all valid. The programme as a whole should validate the strategies and plans over time, and the type of exercise should be matched to what is being tested.

Does a real incident count as an exercise?

A real incident provides extremely useful evidence about whether the plan worked, but it is not a substitute for planned exercises. The post-incident review feeds into evaluation under Clause 8.6 and into the next exercise design, but exercises in their own right still need to take place.
