Tabletop exercise within last 12 months
Demonstrate that the organization has conducted at least one tabletop exercise within the past 12 months to validate incident response or business continuity procedures, document findings, and remediate identified gaps.
Description
What this control does
A tabletop exercise is a facilitated, discussion-based session in which stakeholders walk through incident response, business continuity, or disaster recovery scenarios in a controlled, low-pressure environment. The exercise tests the organization's preparedness, validates response procedures, identifies gaps in plans or communication channels, and builds muscle memory for real incidents without disrupting operations. Annual tabletop exercises ensure plans remain current, personnel understand their roles, and the organization can respond effectively to evolving threats.
Control objective
What auditing this proves
Demonstrate that the organization has conducted at least one tabletop exercise within the past 12 months to validate incident response or business continuity procedures, document findings, and remediate identified gaps.
Associated risks
Risks this control addresses
- Incident response team members fail to execute critical steps during an actual security incident due to lack of practice or unfamiliarity with procedures
- Communication breakdowns between technical, legal, executive, and public relations teams delay containment and increase breach impact
- Outdated or incomplete runbooks result in incorrect actions that exacerbate system damage or data loss
- Third-party dependencies or vendor escalation paths are untested, causing delays in engaging external support during time-sensitive incidents
- Regulatory notification timelines are missed because personnel are unaware of legal obligations or designated points of contact
- Business continuity plans fail to account for current infrastructure or staffing changes, leading to prolonged downtime
- Decision-making authority and approval workflows remain ambiguous, causing paralysis during high-stakes response activities
Testing procedure
How an auditor verifies this control
- Request documentation of all tabletop exercises conducted within the preceding 12 months, including invitations, attendance records, and session agendas.
- Verify the date of the most recent tabletop exercise to confirm it occurred within the last 12 calendar months from the audit date.
- Review the exercise scenario materials to assess realism, relevance to the organization's threat landscape, and alignment with documented incident response or business continuity plans.
- Examine the participant roster to confirm involvement of appropriate stakeholders across technical, legal, executive, communications, and operational functions.
- Analyze the facilitator notes, debriefing summary, or after-action report to identify documented findings, gaps, or procedural weaknesses discovered during the exercise.
- Trace identified gaps or recommendations to remediation tracking artifacts such as action item registers, JIRA tickets, or corrective action plans with assigned owners and due dates.
- Interview a sample of participants to validate their understanding of lessons learned and confirm implementation of corrective actions.
- Compare the exercise objectives to the organization's risk register or threat model to ensure scenarios reflect material risks relevant to operations.
Where this control is tested