CTH | In Force | Act
Security of Critical Infrastructure Act 2018
#### 30CN Cyber security exercise
(1) A cyber security exercise is an exercise:
(a) that is undertaken by the responsible entity for a system of national significance; and
(b) that relates to the system; and
(c) that either:
(i) relates to all types of cyber security incidents; or
(ii) relates to one or more specified types of cyber security incidents; and
(d) if the exercise relates to all types of cyber security incidents—the purpose of which is to:
(i) test the entity’s ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(ii) test the entity’s preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(iii) test the entity’s ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and
(e) if the exercise relates to one or more specified types of cyber security incidents—the purpose of which is to:
(i) test the entity’s ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(ii) test the entity’s preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(iii) test the entity’s ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and
(f) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(f):
(a) may be of general application; or
(b) may relate to one or more specified systems of national significance; or
(c) may relate to one or more specified types of cyber security incidents.
> Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901.