ID.IM-02.181
Does your organization have a formal process to identify and implement improvements to business continuity, disaster recovery, and incident response plans based on exercises conducted with critical service providers and suppliers?
Explanation
This question assesses whether your organization systematically learns from business continuity exercises and tests that involve key third parties, and then applies those lessons to strengthen resilience planning. Organizations should conduct joint exercises with critical vendors and suppliers, document findings, and implement identified improvements to ensure coordinated response capabilities during actual disruptions. Evidence could include: post-exercise reports with documented improvement recommendations, meeting minutes from debriefing sessions with third parties, updated business continuity or disaster recovery plans showing changes implemented based on exercise findings, or a formal improvement tracking system that monitors the implementation status of lessons learned from joint exercises.
Implementation Example
Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers.
ID: ID.IM-02.181
Context
- Function
- ID: IDENTIFY
- Category
- ID.IM: Improvement
- Sub-Category
- Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties

