CP-04 Contingency Plan Testing And Exercises

Contingency Planning

Baselines: Low, Moderate, High

Description

The organization: (i) tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and (ii) reviews the contingency plan test/exercise results and initiates corrective actions.

Supplemental Guidance

There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., full-scale contingency plan testing, functional/tabletop exercises). The depth and rigor of contingency plan testing and/or exercises increase with the FIPS 199 impact level of the information system. Contingency plan testing and/or exercises also include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and on individuals arising from contingency operations conducted in accordance with the plan. NIST Special Publication 800-84 provides guidance on test, training, and exercise programs for information technology plans and capabilities.

Compliance Mappings

ISO 27001:2022

A.5.29

ISO 27002:2022

5.29, 5.30

COBIT 2019

DSS04

CIS Controls v8

CIS 11.5

NIST CSF 2.0

ID.IM-02, ID.IM-04

SOC 2 TSC

A1.3, CC7.4-POF10, CC7.5

CSA CCM v4

BCR-04, BCR-06, BCR-10

CSA AICM v1

BCR-04, BCR-06, BCR-10

NIS2 Directive

Art. 21(2)(c)

PRA Operational Resilience

SS1/21-6.1, SS1/21-6.2, SS2/21-10.1

MAS TRM

8

BSI IT-Grundschutz

DER.4

ANSSI

Hygiene.35, SecNumCloud.18.2

FINMA Circular 2023/1

IV.E(94), IV.E(95), IV.E(96), IV.F(97)

OSFI B-13

B-13.2.6, B-13.3.5

EU GDPR

Art.32(1)(d)

EU DORA

Art.11(6), Art.11(7)

BIO2

5.29, 5.30

RBI CSF

ITGRCA.29

FISC Security Guidelines

FISC.O5

HKMA TM-E-1

TME1.6.3

MLPS 2.0

8.1.10.11, 8.1.10.9

DNB Good Practice

DNB.11.2

SWIFT CSCF

SWIFT.7.4A

NCA ECC

3-13-2

UAE IA

T12

CBB TM

TM-14

Qatar NIA

BC

CBUAE

CR-13

CBE CSF

OVM-2

SA JS2

JS2-7.5

CBN CSF

Part3.6, Part3.7, Part3.8

BoG CISD

CISD-BCM, CISD-X

BoM CTRM

5.2

IOSCO Cyber Resilience

LE-1, PFMI-17, RR-5, TEST-1, TEST-4, TEST-5

CPMI-IOSCO PFMI

CG.RR, CG.TE, PFMI.P17

NYDFS 500

500.16

HIPAA Security Rule

§164.308(a)(7)(i), §164.308(a)(7)(ii)(D)

ECB CROE

CROE.2.5.2, CROE.2.6.1

EBA ICT Guidelines

3.7.4

SEBI CSCRF

BCP-DR, CCMP, RC.IM, RC.RP

BOT Cyber Resilience

Ch4.2

NERC CIP

CIP-009-6

10 CFR 73.54

RG5.71-B-CP

DOE C2M2 v2.1

RESPONSE

API 1164

Sec 11

AWIA

Sec 2013(b)

IAEA NSS 17-T

Sec 8

Solvency II

DR.266-BCP, DR.274, EIOPA-ICT-4.10

Lloyd's Minimum Standards

CRM.3, MS8.6, MS9.2

NAIC Insurance Data Security

4F-b

PRA SS1/23

P5.4

FCA SYSC 13

SYSC 13.8.1, SYSC 13.8.2, SYSC 13.9.5

HITRUST CSF v11

12.b, 12.c

ISO 27799

17.1

NHS DSPT

NDG-7.1, NDG-7.3

CCSS v9.0

1.06.3

MiCA

Art.68(5), Art.62(6)

Basel SCO60

SCO60.23, SCO60.53

BSSC Standards

GSP-06

SEC Custody (Digital Assets)

SEC-CD-12, SEC-CD-13

ISO 17799 (legacy)

10.5.1, 14.1.5

COBIT 4.1 (legacy)

DS4.2, DS4.5