Establish a risk-based digital operational resilience testing program encompassing identification, classification, and full remediation of test deficiencies based on risk landscape and criticality of assets and services. Utilize independent internal or external parties for conducting tests, ensuring clear Segregation of Duties (SoD). Conduct yearly tests on all systems and applications supporting critical or important functions (see controls 19-20 for the digital operational resilience tests). 

Employ a range of tests including vulnerability assessments, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires, scanning software solutions, source code reviews (where applicable), scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing as appropriate.