Has the board / leadership team sat through a tabletop exercise involving a realistic crisis scenario in the last 12 months?
Demonstrate that executive leadership has actively participated in a simulated cybersecurity crisis scenario within the past 12 months to validate governance-level incident response readiness and decision-making capabilities.
Description
What this control does
This control requires the organization's board of directors or executive leadership team to participate in a structured tabletop exercise simulating a realistic cybersecurity crisis, such as a ransomware attack, data breach, or critical system compromise, at least annually. The exercise tests executive decision-making, communication protocols, regulatory notification procedures, and coordination between technical responders and business leaders during a high-stakes incident. Regular executive participation ensures governance awareness of cyber risk, validates incident response plans at the highest level, and prepares leadership to manage reputational, legal, and operational consequences of real incidents.
Control objective
What auditing this proves
Demonstrate that executive leadership has actively participated in a simulated cybersecurity crisis scenario within the past 12 months to validate governance-level incident response readiness and decision-making capabilities.
Associated risks
Risks this control addresses
- Executive leadership makes uninformed or contradictory decisions during an actual cyber incident due to lack of practical experience with crisis protocols
- Delayed executive approval for critical incident response actions such as system shutdowns, ransom payment decisions, or public disclosure
- Board fails to understand legal, regulatory, and reputational implications of breach notification timelines and obligations
- Miscommunication between technical incident responders and executive decision-makers leads to escalated damage or prolonged recovery
- Leadership underestimates resource requirements for incident response, leading to inadequate budget allocation or vendor engagement delays
- Lack of executive familiarity with cyber insurance policy triggers and claim procedures results in coverage gaps during actual incidents
- Organization fails to meet regulatory expectations that board-level cyber risk oversight be demonstrated through scenario-based testing
Testing procedure
How an auditor verifies this control
- Request documentation of all tabletop exercises conducted in the past 12 months, including agendas, scenarios, and participant lists.
- Verify that the most recent exercise occurred within the last 12 months by reviewing the dated agenda or facilitator report.
- Confirm that board members or C-level executives (CEO, CFO, COO, or equivalent) are listed as participants in the attendance records or sign-in sheets.
- Review the exercise scenario to verify it simulates a realistic cybersecurity crisis (e.g., ransomware, data breach, supply chain compromise) requiring executive decision-making rather than purely technical response.
- Examine exercise facilitation materials to confirm the scenario included decision points requiring executive action such as regulatory notification, public communication, vendor engagement, or business continuity activation.
- Interview the exercise facilitator or CISO to confirm the exercise tested governance-level processes including legal consultation, board notification procedures, and communication with external stakeholders.
- Review post-exercise documentation such as after-action reports, gap analyses, or improvement plans to verify that leadership participation was documented and findings were captured.
- Confirm that any critical gaps or action items identified during the exercise have been assigned ownership and tracked through remediation or policy updates.