Drawing on the information in the sources and our conversation history, beyond a full active

site switch-off (failover), there are several other types of reviews and testing exercises
specifically related to a disaster recovery plan and overall business continuity readiness.

Here are details of these activities and what happens during them:

1.

Business Impact Analysis (BIA)1...:

Details: This is a crucial process that identifies critical business functions3... and
understands the potential impact of disruptions to those functions2.... It helps prioritise
protection efforts and is an input for risk assessment and strategy development2.... The BIA
helps determine Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for
critical processes and systems3. It also identifies the interdependencies between business
operations and critical resources2. The process often involves mapping business units and
their critical functions to the underlying risk structure5....

What happens: Critical business processes are identified and analysed to determine how
disruptions would affect the organisation3.... The analysis considers the potential impact
(e.g., financial loss, regulatory fines, reputational damage)3... and helps set recovery
priorities and timelines3....

2.

Disaster Recovery (DR) Plan and Business Continuity (BC) Plan

Details: The DR plan itself is a key component of readiness for disruptive events1.... Regular
review and updates are necessary to ensure the plan remains relevant and effective given
changes in the business environment, technology, risks, and regulations9. Policies and
procedures supporting the plan also need review9.... Documentation review is part of
this4....

What happens: Key stakeholders review the existing DR/BC documentation4... to ensure it
accurately reflects the current state of the business, IT systems, contacts, and recovery
procedures9. Outdated procedures, contact information, or system configurations are
identified and updated9. Management, often through a steering committee, may review the
plan's objectives and strategy alignment8....

3.

Risk Assessment and Scenario Analysis3...:

What happens: Potential threats and vulnerabilities that could lead to a disaster are
identified and analysed14.... Risk scenarios (e.g., major hardware failure combined with a
failed DR plan17) are developed and discussed15.... This analysis helps inform and refine the
DR plan by highlighting specific risks the plan must address and their potential impact3. This
can involve collaborative workshops with stakeholders16....

4.

Training and Awareness Exercises1...:

Details: Effective security awareness training is a key component of the overall security
strategy11... and necessary for risk management21. It ensures staff understand their roles
and responsibilities during disruptive events9....

What happens: Personnel who would be involved in executing the DR plan receive training
on their specific tasks, procedures, and communication protocols1.... Exercises may simulate
aspects of a disaster to test staff knowledge and reaction, such as practicing emergency
communication or understanding evacuation procedures11....

5.

Tabletop Exercises [Implied by 26, 44, 45, 47, 63, 68, 97, 98, 107]:

Details: Although the specific term "tabletop exercise" is not explicitly used in the provided
sources, the description of scenario building15..., involving stakeholders16..., testing
communication1> <9112122, and discussing potential impacts17, aligns with this type of
exercise. It is a discussion-based session where key personnel review and discuss their roles
and responsibilities in response to a specific disaster scenario.

What happens: Participants walk through a disaster scenario (e.g., building unavailability,
system outage)17 and discuss how they would respond according to the DR plan. The
exercise focuses on evaluating the plan's effectiveness, identifying gaps, clarifying roles, and
testing decision-making processes and communication flows1.... No actual systems are
impacted.

6.

Walkthroughs:
Details: This involves key personnel walking step-by-step through the processes and
procedures documented in the DR plan. It's more detailed than a tabletop but less involved
than a functional exercise. (Implied by the need for documented procedures23 and role
clarification1...).

What happens: Teams physically or mentally trace the steps required for recovery,
ensuring they understand where resources are located, how to access documentation, and
the sequence of actions. It helps validate that the documented procedures are logical and
comprehensive, and that personnel are familiar with them23.

7.

Functional or Component Testing: [Implied by 97, 98]

Details: These exercises test specific components or functions of the DR plan in a simulated
or isolated environment. They are more hands-on than tabletops or walkthroughs but do not
involve a full failover.

What happens: Specific elements like restoring backups24, testing redundant systems
(without switching the primary site off)24, validating recovery scripts, or testing emergency
communication systems may be exercised individually or in combination9.... This confirms
that critical recovery mechanisms function as expected.

8.

Communication Plan Testing:1...

Details: Communication during a disaster is critical1.... Testing ensures that contact lists are
current and that communication methods (e.g., out-of-band communication channels)
work1....

What happens: Designated personnel practice notifying key stakeholders (internal teams,
management, external parties) using established communication protocols and tools1....
This verifies the accuracy of contact information and the reliability of the communication
methods under simulated stress.

These activities, excluding a full site switch-off, are essential for maintaining the readiness
and effectiveness of the disaster recovery plan and contributing to the overall resilience of
the enterprise9.... They are informed by risk management3... and supported by the
information security strategy and program development9....