1. Document Control

• Document Title: Business Continuity Plan Testing Procedure

• Document Identifier: PRC-ALL-006

• Version Number: v1.0

• Approval Date: <24 June 2025>

• Effective Date: <24 June 2025>

• Review Date: <24 June 2026>

• Document Owner: <Director of Business Continuity>

• Approved By: <Risk Management Committee>

2. Purpose

The purpose of this procedure is to define the methods, responsibilities, and requirements for conducting regular testing of ’s Business Continuity Plan (BCP) to ensure its effectiveness in maintaining operations during and after disruptive incidents. This document supports the organization's resilience objectives and validates preparedness to manage events such as cyberattacks, natural disasters, and infrastructure failures.

Aligned with SOC 2 Trust Services Criteria A1.1 and A1.2, this testing procedure ensures that the organization (1) designs controls to meet availability commitments and (2) regularly evaluates these controls via simulated testing scenarios. Proper execution and documentation of these tests enable to validate recovery capabilities, identify procedural gaps, and continuously improve its incident response and continuity framework.

3. Scope

This procedure applies to all business units, departments, and critical services defined in the organization’s Business Continuity Plan. It includes internal systems, third-party dependencies, remote work configurations, cloud-hosted platforms, and essential personnel.

The scope of testing includes:

• System recovery testing (e.g., restore from backup, failover validation)

• Communication protocol validation

• Manual workarounds and resource reallocation drills

• Emergency response simulations (e.g., tabletop exercises, fire drills)

• Vendor contingency testing, where contractually permitted

All business units identified as critical in the Business Impact Analysis (BIA) must participate in BCP testing at least once per year.

4. Policy Statement

shall conduct structured and scheduled BCP tests to evaluate the readiness and resilience of its operations against disruptive events. These tests must be coordinated, documented, and followed by a formal review and corrective action plan if deficiencies are identified.

Key requirements include:

• Conducting full or partial BCP tests at least annually

• Including representatives from IT, Operations, HR, Legal, and Communications

• Testing all critical business functions and IT systems as defined in the BIA

• Documenting test objectives, execution steps, outcomes, and lessons learned

• Updating the BCP and DRP (Disaster Recovery Plan) as necessary based on findings

Tests must be realistic, scenario-based, and involve key personnel to simulate actual response conditions.

5. Safeguards

The following procedural controls support the secure and effective execution of BCP testing: