rr-6 | Medium priority | Response and Recovery

Incident response exercises are conducted at least annually

A plan that has never been tested is a hypothesis. Tabletop exercises and drills reveal gaps in the plan, unfamiliar processes, missing tools, and communication failures before a real incident exposes them under worse conditions. Even a two-hour tabletop exercise with a realistic scenario produces insights that months of plan review never would. The lessons from each exercise must be captured and used to update the plan.

Complete first: rr-1, rr-2

Implementation steps

  1. Plan and schedule an annual tabletop exercise

    Choose a realistic scenario relevant to your threat landscape: ransomware affecting production systems, a data breach via a compromised vendor, or a business email compromise leading to a fraudulent wire transfer. Invite all IR role holders: the incident commander, technical lead, communications lead, legal, and an executive. A facilitator walks through the scenario step by step, asking what each person would do at each decision point.

    Suggested tools: confluence, google-slides, zoom, miro, notion

  2. Run a technical drill for specific response capabilities

    Beyond the tabletop, run a hands-on drill to test specific technical capabilities: can the team isolate a compromised endpoint within 15 minutes? Can they pull all relevant logs for a specific user across a 48-hour window? Can they reset all credentials for a compromised service account across all integrated systems? Time each step. Document where the team struggled or where tooling was missing.

    Suggested tools: crowdstrike, microsoft-defender, splunk, okta, aws-console

  3. Conduct a post-exercise review and update the IR plan

    Within one week of the exercise, hold a debrief to capture what went well, what did not, and what gaps were identified. Assign action items with owners and due dates to close each gap. Update the incident response plan to reflect lessons learned. Track exercise completion and action item closure in your compliance platform.

    Suggested tools: confluence, jira, linear, drata, vanta
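Steps 2 and 3 together describe a measurable drill: time each capability against a target (the 15-minute endpoint isolation above), note where the team struggled, then turn every miss into an owned action item and an evidence record. The following is an added example, not part of this control text or of any listed tool; it is a small drill scorecard recorder whose scenario, step names, targets, timings, attendee names and dates are all constructed for illustration.

```python
"""Drill scorecard recorder (added example, not part of the rr-6 control text).

Records timed response steps from a technical drill, grades each against its
target, converts the misses into action items for the debrief, and emits the
exercise record used as audit evidence. All sample values are constructed.
"""
from __future__ import annotations

import time
from contextlib import contextmanager
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterator


class StepFailed(Exception):
    """Raised inside a timed step when the team cannot complete it at all."""


@dataclass
class StepResult:
    name: str
    target_minutes: float
    elapsed_minutes: float | None = None  # None: step could not be completed
    notes: str = ""

    @property
    def status(self) -> str:
        """'pass' within target, 'slow' over target, 'failed' if not completed."""
        if self.elapsed_minutes is None:
            return "failed"
        return "pass" if self.elapsed_minutes <= self.target_minutes else "slow"


@dataclass
class DrillRun:
    scenario: str
    run_date: date
    attendees: list[str]
    steps: list[StepResult] = field(default_factory=list)

    @contextmanager
    def timed_step(self, name: str, target_minutes: float) -> Iterator[StepResult]:
        """Time a live drill step; raise StepFailed inside the block to mark it failed."""
        result = StepResult(name, target_minutes)
        start = time.monotonic()
        try:
            yield result
            result.elapsed_minutes = (time.monotonic() - start) / 60
        except StepFailed as exc:
            result.notes = f"could not complete: {exc}"
        finally:
            self.steps.append(result)


def scorecard(run: DrillRun) -> dict[str, int]:
    """Count steps by status so the debrief opens with a one-line summary."""
    counts = {"pass": 0, "slow": 0, "failed": 0}
    for step in run.steps:
        counts[step.status] += 1
    return counts


def action_items(run: DrillRun, owners: dict[str, str], due_days: int = 30) -> list[dict]:
    """One owned, dated action item per step that did not pass (step 3 above)."""
    due = (run.run_date + timedelta(days=due_days)).isoformat()
    return [
        {
            "gap": f"{s.name}: {s.status} "
                   f"({s.elapsed_minutes if s.elapsed_minutes is not None else 'n/a'} min, "
                   f"target {s.target_minutes} min). {s.notes}".strip(),
            "owner": owners.get(s.name, "UNASSIGNED"),
            "due": due,
        }
        for s in run.steps
        if s.status != "pass"
    ]


def evidence_record(run: DrillRun, owners: dict[str, str]) -> dict:
    """The exercise record and action-item list the evidence section asks for."""
    return {
        "scenario": run.scenario,
        "date": run.run_date.isoformat(),
        "attendees": sorted(run.attendees),
        "results": [(s.name, s.status, s.elapsed_minutes) for s in run.steps],
        "summary": scorecard(run),
        "action_items": action_items(run, owners),
    }


def sample_run() -> DrillRun:
    """Constructed drill results standing in for a real timed session."""
    run = DrillRun(
        scenario="ransomware on a production file server",  # constructed
        run_date=date(2024, 3, 14),                         # constructed
        attendees=["incident commander", "technical lead", "comms lead"],
    )
    run.steps = [
        StepResult("isolate compromised endpoint", 15, 9, "EDR containment worked first try"),
        StepResult("pull 48h of logs for one user", 30, 47, "VPN logs were not in the SIEM"),
        StepResult("reset service-account credentials everywhere", 60, None,
                   "no inventory of systems using the account"),
    ]
    return run


if __name__ == "__main__":
    owners = {"pull 48h of logs for one user": "SIEM owner",
              "reset service-account credentials everywhere": "IAM lead"}
    print(evidence_record(sample_run(), owners))
```

During a live drill the `timed_step` context manager does the timing for you; the `sample_run` results are pre-filled so the scoring and action-item logic can be exercised without waiting on a real session.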

Evidence required

Exercise records and post-exercise action items

Evidence that an IR exercise was conducted within the past 12 months and that lessons learned were acted on.

  • Exercise scenario document and attendee list with date
  • Post-exercise debrief notes capturing gaps identified
  • Action item tracker showing improvements made to the IR plan

Related controls