The CISSP exam does not ask whether your organization has a disaster recovery plan.

It asks whether you have tested it.

Because a plan that has never been tested has never actually worked.

Six types of tests exist - from the simplest checklist review to a full interruption test where primary systems are actually shut down.

Most organizations only ever do the first two.

Most incidents expose why that is not enough.