CIP-009 R2.1 requires testing of recovery plans by which of the following methods?

CIP-009 R2.1 emphasizes the importance of validating recovery plans to ensure they are effective in restoring systems and operations after a cybersecurity incident. The requirement specifically allows for testing through recovery from an incident or conducting a drill. This practical approach not only tests the plan's effectiveness during a simulated scenario but also prepares the recovery team for real-world application. Such drills can reveal weaknesses in the recovery procedures and provide valuable insights for improvement, thereby promoting preparedness and resilience.

Using real incidents as a means of testing recovery plans, while being realistic, is not the preferable option due to the inherent risks involved. Alternatively, only relying on theoretical discussions or meetings does not provide the hands-on experience necessary to evaluate and refine the recovery process effectively. Therefore, the focus on recovery through incidents or drills ensures that organizations are ready to respond to actual events with a tested strategy.