Annual Break-Glass Testing

The Technical Owner tests the break-glass procedure at least annually through a simulated exercise. The exercise verifies that the technical stop mechanism works correctly (in-application stop button, infrastructure kill switch, and feature flag all function as documented), the notification chain delivers alerts to all recipients, affected deployers receive timely communication through the pre-established channels, and the system can be restarted through the documented resumption process.

The exercise is conducted during a maintenance window under controlled conditions. Test results and any deficiencies identified are documented. Deficiencies are remediated and re-tested before the exercise is marked as complete. Exercise records are retained as Module 7 evidence.

A break-glass mechanism that has never been tested may not work when needed. Annual testing provides confidence that the mechanism will function under the time pressure of a real incident.

Key outputs
- Annual simulated exercise during maintenance window
- Four verification areas (stop mechanism, notification, deployer communication, resumption)
- Deficiency remediation and re-testing
- Exercise records retained as Module 7 evidence