RS.CO-3 / IR-3 (NIST CSF v1.1)

When did you last run a tabletop exercise involving the executive team?

Demonstrate that the organization conducts regular tabletop exercises with executive team participation to validate incident response readiness and executive decision-making capabilities during cybersecurity crises.

Description

What this control does

Tabletop exercises involving executive leadership simulate crisis scenarios to validate incident response plans, test decision-making under pressure, and clarify communication protocols during cybersecurity events. These exercises engage C-suite and board members in realistic threat scenarios—such as ransomware, data breaches, or supply chain attacks—to identify gaps in governance, escalation paths, and business continuity readiness. Executive participation ensures organizational alignment between technical response capabilities and business impact management, while fostering a culture of preparedness at the highest levels.

Control objective

What auditing this proves

Demonstrate that the organization conducts regular tabletop exercises with executive team participation to validate incident response readiness and executive decision-making capabilities during cybersecurity crises.

Associated risks

Risks this control addresses

  • Executives make uninformed or conflicting decisions during active incidents due to lack of familiarity with response protocols
  • Critical business decisions are delayed because leadership lacks understanding of technical impact, severity classification, or escalation triggers
  • Incident response plans fail to address business continuity priorities or regulatory notification obligations understood only by executive stakeholders
  • Communication breakdowns occur between technical responders and executive leadership, resulting in misaligned public statements or stakeholder notifications
  • Legal, regulatory, or contractual obligations are overlooked during crisis response because executive decision-makers have never rehearsed compliance scenarios
  • Board or investors lose confidence in organizational cyber-resilience due to absence of demonstrated preparedness at the governance level
  • Tabletop findings revealing control gaps or resource deficiencies are never surfaced to decision-makers with budget authority

Testing procedure

How an auditor verifies this control

  1. Request documentation of all tabletop exercises conducted in the past 12 months, including exercise plans, participant rosters, and after-action reports.
  2. Verify that at least one tabletop exercise included participants from the executive team (CEO, CFO, CIO, CISO, General Counsel, or equivalent C-suite roles).
  3. Review the exercise scenario to confirm it addressed a relevant cybersecurity crisis (e.g., ransomware attack, data breach with regulatory notification requirements, supply chain compromise, insider threat).
  4. Examine the participant roster and sign-in records to validate actual attendance and active participation by named executive stakeholders during the exercise.
  5. Assess the after-action report for documented findings, identified gaps in decision-making or escalation procedures, and executive-level action items or remediation plans.
  6. Confirm that remediation actions identified in the after-action report have been assigned owners, tracked, and either completed or formally accepted as residual risk.
  7. Review the exercise facilitation methodology to ensure it included realistic decision points requiring executive judgment (e.g., authorization for external counsel, public disclosure decisions, ransom payment considerations).
  8. Verify that the organization has a documented schedule or policy requiring executive tabletop exercises at a defined frequency (e.g., annually or biannually).

Evidence required

Collect tabletop exercise documentation including the scenario description, participant roster with executive signatures or attendance logs, facilitation notes capturing executive decision points, and the complete after-action report with identified gaps and remediation tracking. Obtain supporting artifacts such as meeting invitations, calendar confirmations, or post-exercise surveys completed by executive participants. Secure evidence of follow-up actions including change requests, policy updates, or budget allocations resulting from executive-level findings.

Pass criteria

The control passes if the organization has conducted at least one tabletop exercise involving documented participation from executive leadership within the past 12 months, with evidence of scenario execution, identified findings, and tracked remediation of gaps.