NIST SP 800-53 Rev 5 CP-4 (Contingency Plan Testing) and IR-3 (Incident Response Testing); ISO/IEC 27001:2013 Annex A.17.1.3

When did you last run a ransomware tabletop exercise with the executive team?

Demonstrate that the organization conducts regular ransomware tabletop exercises with executive participation to validate leadership preparedness, test incident response procedures, and identify gaps in crisis decision-making capabilities.

Description

What this control does

This control requires the organization to conduct periodic tabletop exercises with executive leadership that simulate a ransomware incident and test decision-making, communication protocols, and crisis response. The exercise should involve C-suite participants and board representatives and walk through a realistic scenario covering encryption, extortion demands, data exfiltration, and operational disruption, together with the media and stakeholder response each stage requires. Regular executive engagement ensures that leadership understands its roles during an incident, can make informed business continuity decisions under pressure, and discovers gaps in preparedness before an actual attack rather than during one.

Control objective

What auditing this proves

A completed testing procedure proves that, within the past 12 months, the organization ran a ransomware-focused tabletop with documented participation from at least two executive officers, recorded the gaps it surfaced in an after-action report, and began remediating the critical findings; in other words, that leadership preparedness and crisis decision-making have been exercised, not merely documented.

Associated risks

Risks this control addresses

  • Executive leadership makes uninformed or delayed decisions during an active ransomware event due to lack of familiarity with incident response protocols
  • Board and C-suite fail to understand legal, regulatory, and financial implications of ransom payment decisions or disclosure obligations
  • Communication breakdowns between technical response teams and executive leadership result in conflicting external messaging or regulatory non-compliance
  • Executives underestimate recovery timelines or business impact, leading to inadequate resource allocation during containment and restoration phases
  • Lack of pre-established decision criteria results in inconsistent or ad-hoc responses to extortion demands, data leak threats, or business continuity trade-offs
  • Crisis response plans remain untested at the executive level, revealing critical gaps only when an actual ransomware incident occurs
  • Leadership fails to coordinate with legal counsel, insurance carriers, law enforcement, and PR teams during the critical early hours of an incident

Testing procedure

How an auditor verifies this control

  1. Request documentation of all tabletop exercises conducted in the past 24 months, including agendas, participant lists, scenarios, and facilitator notes.
  2. Verify that at least one exercise within the audit period specifically focused on ransomware scenarios and included realistic attack vectors, encryption timelines, and ransom demands.
  3. Review participant attendance records to confirm executive-level attendance including at least two C-suite officers (CEO, CFO, COO, CIO, CISO, or General Counsel).
  4. Examine the exercise scenario documentation to verify it addressed key decision points including ransom payment evaluation, legal notification requirements, business continuity activation, and external communications.
  5. Interview the exercise facilitator or CISO to understand what gaps or deficiencies were identified during the executive tabletop session.
  6. Review post-exercise after-action reports and improvement plans to verify findings were documented and assigned ownership for remediation.
  7. Trace a sample of identified gaps from the most recent exercise to corrective action tracking systems to confirm remediation progress or completion.
  8. Verify that the organization has scheduled or planned the next executive ransomware tabletop exercise within an appropriate recurring timeframe (annually or semi-annually).

Evidence required

  • Exercise documentation packages: scenario scripts, participant sign-in sheets with executive titles, facilitator observation notes, and timestamped agendas showing date and duration.
  • After-action reports or hotwash summaries documenting identified gaps, decision-making challenges, communication breakdowns, and recommended improvements.
  • Corrective action plans or ticketing system exports showing remediation assignments with responsible parties and target dates for issues identified during executive tabletop sessions.

Pass criteria

The organization has conducted at least one ransomware-focused tabletop exercise within the past 12 months with documented participation from at least two executive officers, produced an after-action report identifying gaps, and initiated remediation activities for critical findings.
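As an added example, not part of this control page or of any particular GRC product, the pass criteria above are turned into a small Python check that an evidence-collection pipeline could run against exported exercise records. The record schema (Exercise, Finding), the 365-day reading of "past 12 months", the rule that only people holding one of the titles in testing-procedure step 3 count as executive officers, and the sample records are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Titles that testing-procedure step 3 counts as executive officers (assumed list).
EXECUTIVE_TITLES = {"CEO", "CFO", "COO", "CIO", "CISO", "General Counsel"}


@dataclass
class Finding:
    finding_id: str
    severity: str                  # "critical", "high", "medium" or "low"
    ticket_id: Optional[str]       # corrective-action ticket; None if never raised
    owner: Optional[str]           # person accountable for remediation; None if unassigned


@dataclass
class Exercise:
    held_on: date
    scenario: str                  # "ransomware" or another tabletop theme
    participants: Dict[str, str]   # attendee name -> title from the sign-in sheet
    after_action_report: bool      # an AAR or hotwash summary exists
    findings: List[Finding] = field(default_factory=list)


def executive_attendees(ex: Exercise) -> List[str]:
    """Distinct people holding an executive title (a board seat alone does not count)."""
    return sorted(n for n, t in ex.participants.items() if t in EXECUTIVE_TITLES)


def deficiencies(ex: Exercise, min_executives: int = 2) -> List[str]:
    """Ways one exercise falls short of the pass criteria (empty list means it satisfies them)."""
    gaps = []
    execs = executive_attendees(ex)
    if len(execs) < min_executives:
        gaps.append(f"{ex.held_on}: only {len(execs)} executive officer(s) attended, need {min_executives}")
    if not ex.after_action_report:
        gaps.append(f"{ex.held_on}: no after-action report")
    elif not ex.findings:
        gaps.append(f"{ex.held_on}: after-action report identifies no gaps")
    for f in ex.findings:
        # Only critical findings must already have remediation under way.
        if f.severity == "critical" and (f.ticket_id is None or f.owner is None):
            gaps.append(f"{ex.held_on}: critical finding {f.finding_id} has no tracked owner/ticket")
    return gaps


def evaluate_control(exercises: List[Exercise], as_of: date,
                     window_days: int = 365) -> Tuple[bool, List[str]]:
    """Pass if any ransomware tabletop inside the window meets every criterion.

    window_days=365 is this example's reading of "past 12 months" (assumption).
    Returns (passed, reasons); on failure the reasons describe the most recent candidate.
    """
    cutoff = as_of - timedelta(days=window_days)
    recent = sorted(
        (e for e in exercises if e.scenario == "ransomware" and cutoff <= e.held_on <= as_of),
        key=lambda e: e.held_on, reverse=True)
    if not recent:
        return False, [f"no ransomware-focused tabletop between {cutoff} and {as_of}"]
    for ex in recent:
        if not deficiencies(ex):
            return True, []
    return False, deficiencies(recent[0])


# Constructed sample evidence for illustration only (not real records or people).
SAMPLE_EXERCISES = [
    Exercise(date(2024, 3, 10), "ransomware",
             {"Ana Ruiz": "CEO", "Priya Shah": "CISO",
              "Tom Weber": "VP Operations", "Lee Park": "Board Member"},
             True,
             [Finding("F-1", "critical", "GRC-101", "Priya Shah"),
              Finding("F-2", "medium", None, None)]),
    Exercise(date(2023, 1, 15), "ransomware", {"Ana Ruiz": "CEO", "Mark Okafor": "CFO"}, True,
             [Finding("F-0", "high", "GRC-77", "Mark Okafor")]),
    Exercise(date(2024, 6, 1), "data center outage",
             {"Ana Ruiz": "CEO", "Mark Okafor": "CFO"}, True, []),
]

# Same ransomware session, but the sign-in sheet shows only one executive officer.
UNDERSTAFFED = Exercise(date(2024, 3, 10), "ransomware",
                        {"Ana Ruiz": "CEO", "Tom Weber": "VP Operations", "Lee Park": "Board Member"},
                        True, [Finding("F-1", "critical", "GRC-101", "Priya Shah")])

AUDIT_DATE = date(2024, 9, 1)        # the March 2024 exercise is inside the window
LATER_AUDIT_DATE = date(2025, 6, 1)  # nothing ransomware-focused inside the window

if __name__ == "__main__":
    for label, as_of in (("within window", AUDIT_DATE), ("window expired", LATER_AUDIT_DATE)):
        passed, reasons = evaluate_control(SAMPLE_EXERCISES, as_of)
        print(label, "PASS" if passed else "FAIL", reasons)
    print("understaffed", evaluate_control([UNDERSTAFFED], AUDIT_DATE))
```

The check counts distinct people rather than titles, so one person wearing two hats cannot satisfy the two-officer requirement, and a non-ransomware tabletop inside the window is ignored even if it was well attended. The failure reasons map one-to-one onto the testing-procedure steps an auditor would raise.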