Incident response exercises are conducted at least annually
A plan that has never been tested is a hypothesis. Tabletop exercises and drills reveal gaps in the plan, unfamiliar processes, missing tools, and communication failures before a real incident exposes them under worse conditions. Even a two-hour tabletop exercise with a realistic scenario produces insights that months of plan review never would. The lessons from each exercise must be captured and used to update the plan.
Implementation steps

1. Plan and schedule an annual tabletop exercise
   Choose a realistic scenario relevant to your threat landscape: ransomware affecting production systems, a data breach via a compromised vendor, or a business email compromise leading to a fraudulent wire transfer. Invite all IR role holders: the incident commander, technical lead, communications lead, legal, and an executive. A facilitator walks through the scenario step by step, asking what each person would do at each decision point.
   Tools: confluence, google-slides, zoom, miro, notion

2. Run a technical drill for specific response capabilities
   Beyond the tabletop, run a hands-on drill to test specific technical capabilities: can the team isolate a compromised endpoint within 15 minutes? Can they pull all relevant logs for a specific user across a 48-hour window? Can they reset all credentials for a compromised service account across all integrated systems? Time each step. Document where the team struggled or where tooling was missing.
   Tools: crowdstrike, microsoft-defender, splunk, okta, aws-console

3. Conduct a post-exercise review and update the IR plan
   Within one week of the exercise, hold a debrief to capture what went well, what did not, and what gaps were identified. Assign action items with owners and due dates to close each gap. Update the incident response plan to reflect lessons learned. Track exercise completion and action item closure in your compliance platform.
   Tools: confluence, jira, linear, drata, vanta
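The following is an added example, not part of this control page or any of the listed tools, showing what the "pull all logs for a user across a 48-hour window" drill in step 2 looks like when it is scripted against a SIEM export, with the drill timing check alongside it. The log lines, the source names (idp, edr, cloud, email) and the user names are constructed for the example; real exports will have different field names, so the parser is the part you adapt.

```python
"""Step 2 drill check: pull every event for one user across a 48-hour window,
report which log sources returned nothing, and grade a timed drill step.

Added example with constructed data; field names and source names are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: one JSON record per line, as a SIEM might hand it over.
# It deliberately includes a record outside the window, one for another user,
# a mixed-case user name, and one unparseable line.
SAMPLE_LOG_LINES = """\
{"ts": "2024-03-10T08:15:00Z", "source": "idp", "user": "jdoe", "event": "login", "ip": "203.0.113.5"}
{"ts": "2024-03-10T08:17:30Z", "source": "edr", "user": "jdoe", "event": "process_start", "host": "LAPTOP-17", "image": "excel.exe"}
{"ts": "2024-03-09T22:40:00Z", "source": "cloud", "user": "jdoe", "event": "s3:GetObject", "bucket": "finance-exports"}
{"ts": "2024-03-07T09:00:00Z", "source": "idp", "user": "jdoe", "event": "login", "ip": "198.51.100.9"}
{"ts": "2024-03-10T08:20:00Z", "source": "edr", "user": "asmith", "event": "process_start", "host": "LAPTOP-03", "image": "outlook.exe"}
{"ts": "2024-03-10T09:01:00Z", "source": "idp", "user": "JDoe", "event": "mfa_challenge", "ip": "203.0.113.5"}
this line is not JSON and simulates a corrupt export row
"""

# Sources the drill expects the team to be able to query (assumed list).
EXPECTED_SOURCES = ("idp", "edr", "cloud", "email")


def parse_log_lines(text):
    """Parse JSON-lines input; return (records, number_of_unparseable_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            # Normalise the timestamp to an aware UTC datetime for comparisons.
            rec["_ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            bad += 1  # count, but never silently drop: the debrief wants this number
            continue
        records.append(rec)
    return records, bad


def pull_user_activity(records, user, anchor, hours=48):
    """All events for `user` in the `hours` before `anchor`, oldest first.

    User matching is case-insensitive because identity providers and endpoint
    agents rarely agree on casing, and a missed record here is exactly the kind
    of gap the drill is meant to surface.
    """
    start = anchor - timedelta(hours=hours)
    hits = [
        r for r in records
        if r.get("user", "").lower() == user.lower() and start <= r["_ts"] <= anchor
    ]
    hits.sort(key=lambda r: r["_ts"])
    return hits


def coverage_gaps(hits, expected_sources=EXPECTED_SOURCES):
    """Expected sources that returned no events for the user.

    Silence may be genuine, or it may mean nobody could query that source in
    time; either way it belongs in the debrief notes as a finding.
    """
    seen = {r["source"] for r in hits}
    return [s for s in expected_sources if s not in seen]


def grade_step(name, target_minutes, started, finished):
    """Time one drill step against its target (e.g. isolate endpoint in 15 min)."""
    elapsed = (finished - started).total_seconds() / 60
    return {"step": name, "elapsed_min": round(elapsed, 1), "met_target": elapsed <= target_minutes}


def run_drill_check():
    """Run the whole check on the constructed sample and return a summary dict."""
    records, bad = parse_log_lines(SAMPLE_LOG_LINES)
    anchor = datetime(2024, 3, 10, 10, 0, tzinfo=timezone.utc)
    hits = pull_user_activity(records, "jdoe", anchor)
    # Constructed timing: the isolation step took 22 minutes against a 15-minute target.
    timing = grade_step(
        "isolate compromised endpoint", 15,
        datetime(2024, 3, 10, 10, 0, tzinfo=timezone.utc),
        datetime(2024, 3, 10, 10, 22, tzinfo=timezone.utc),
    )
    return {
        "parsed": len(records),
        "unparseable": bad,
        "user_events": len(hits),
        "first_source": hits[0]["source"] if hits else None,
        "sources_with_no_events": coverage_gaps(hits),
        "timing": timing,
    }


if __name__ == "__main__":
    print(json.dumps(run_drill_check(), indent=2))
```

Running it on the sample returns four events for jdoe (the 2024-03-07 login falls outside the window and the JDoe record is matched despite its casing), flags "email" as a source with no events, counts the one corrupt row, and marks the 22-minute isolation step as missing its 15-minute target. Those four facts are the kind of concrete, timed findings step 3 asks you to turn into action items.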
Evidence required

Exercise records and post-exercise action items
Evidence that an IR exercise was conducted within the past 12 months and that lessons learned were acted on.
- Exercise scenario document and attendee list with date
- Post-exercise debrief notes capturing gaps identified
- Action item tracker showing improvements made to the IR plan
Related controls
- An incident response plan is documented and maintained (Response and Recovery)
- Incident response roles and contacts are designated and current (Response and Recovery)
- Security incidents are reported to CISA when applicable (Response and Recovery)
- Security logs are collected centrally and retained for investigation (Response and Recovery)