What do Business Continuity Test/Exercise, Disaster Recovery Test/Exercise and Cyber Security Event Test/Exercise have in common? The most important thing is that all three validate the organization’s response capability.

Many companies plan and conduct each of the tests separately in a “vacuum.” This not only involves spending duplicate monies to reserve a test site if a commercial site is used, but often involves some of the same people. Often they can save time and resources by conducting joint tests/exercises.

Another reason that I promote having joint tests/exercises is to fully understand the organization’s response and recovery capabilities in a real disaster.

While testing/exercising Disaster Recovery alone helps to determine if the organization can bring up all of the applications and systems in another location, and if they can meet the Recovery Time Objective, it does not take into account the time spent answering user questions and issues. Yes, I understand that samples of users are usually brought in to “test” that they can access their applications, and that the data is correct, but it is still a controlled environment.

By the same token, Business Continuity tests/exercises affirm that the business areas can use their plans, that their recovery plans work in getting them set up at another location, that manual procedures work, and that communication with stakeholders and so on are all actionable. However, they do not help the business areas learn how to communicate with Disaster Recovery Teams in a real situation.

Testing Cyber Security Incident Response is often done in a controlled environment, using simulation to test the organization’s ability to detect, analyze, contain, eradicate, recover, and carry out post-incident activity.

No surprises occur when you test in silos. However, when tested jointly, the scenarios become interesting because each area creates its own scenarios that are not suddenly shared.


  • User has the plan on a thumb drive used at home, and it has a virus.
  • Some of the applications and tools Cyber Security requires are unavailable.
  • And so on, and so on.

If your organization is leery about having joint tests at a test site, then have joint tabletop tests. Whatever solution you decide on, remember that events do not happen in a “vacuum,” and that the worst-case scenarios can oftentimes happen under different conditions.