AuditRubric
id-im-2 medium Identify / Improvement

Improvements are identified from security tests and exercises

Security tests and exercises reveal gaps that document reviews miss. A tabletop exercise will surface gaps in your incident response plan that look fine on paper but break down under the pressure of a simulated crisis. A penetration test will find the path through your controls that your team missed because they built them. Without regular testing, you are flying on assumption rather than evidence.

Estimated effort: 4h
Tags: penetration-testing, tabletop exercises, red-team, improvement

Implementation steps

  1. Establish a testing calendar with at least one exercise per year

    Plan at least one annual penetration test for your external attack surface and one tabletop exercise for your incident response team. Higher-maturity organizations add quarterly phishing simulations, annual red team engagements, and regular purple team sessions. Put these on the calendar at the start of the year so they do not get crowded out.

  2. Conduct tests and document findings

    Run tests with clear scope, objectives, and rules of engagement. For penetration tests, require a formal report with a findings list, severity ratings, and reproduction steps. For tabletop exercises, have a facilitator document decisions made, gaps identified, and action items raised. These records are the inputs to your improvement process.

    Tools: confluence, notion, google-docs
  3. Convert test findings into tracked improvements

    Treat test findings the same as audit findings: each item gets an owner, a due date, and a tracking entry. Include test-derived improvements in your security roadmap. Verify that previously identified issues have been closed before the next test covers the same scope.

    Tools: jira, linear, confluence
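
The following is an added example, not part of the rubric or any tracking tool's own code: it turns a findings list into tracked remediation items (owner, severity-based due date, status) and reconciles them against the retest of the same scope, separating verified closures from regressions, overdue items, and new findings. It assumes the retest report references the original finding ids for issues it re-checks; the SLA table and all findings, owners and dates are constructed.

```python
# Added example (not from the rubric): track pen-test findings to resolution and
# verify them against the next test of the same scope. Assumes the retest report
# reuses the original finding ids; all data and the SLA table are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadline in days per severity (constructed policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    fid: str        # stable id from the report, e.g. "PT-01"
    title: str
    severity: str

@dataclass
class Ticket:
    fid: str
    owner: str
    due: date
    status: str     # "open" or "closed"

def create_tickets(findings, owner, opened):
    """Step 3: each finding gets an owner, a due date from its severity, and a tracking entry."""
    return [Ticket(f.fid, owner, opened + timedelta(days=SLA_DAYS[f.severity]), "open")
            for f in findings]

def reconcile_retest(tickets, retest, retest_date):
    """Check tracked items against the retest that covers the same scope.
    verified_closed: closed tickets the retest no longer reproduces
    regressed:       closed tickets the retest still reproduces (fix ineffective or reverted)
    overdue:         open tickets past their due date that the retest still reproduces
    new:             retest findings with no tracking entry yet
    """
    reproduced = {f.fid for f in retest}
    tracked = {t.fid for t in tickets}
    return {
        "verified_closed": sorted(t.fid for t in tickets if t.status == "closed" and t.fid not in reproduced),
        "regressed": sorted(t.fid for t in tickets if t.status == "closed" and t.fid in reproduced),
        "overdue": sorted(t.fid for t in tickets if t.status == "open" and t.fid in reproduced and t.due < retest_date),
        "new": sorted(f.fid for f in retest if f.fid not in tracked),
    }

# Constructed sample: initial test in January, tracker state, retest six months later.
INITIAL = [Finding("PT-01", "Missing rate limit on login", "high"),
           Finding("PT-02", "Verbose error pages", "low"),
           Finding("PT-03", "Outdated TLS configuration", "medium")]
TICKETS = create_tickets(INITIAL, "appsec-team", date(2024, 1, 15))
TICKETS[0].status = "closed"   # PT-01 fixed and no longer reproducible
TICKETS[2].status = "closed"   # PT-03 marked fixed, but the retest still reproduces it
RETEST = [Finding("PT-02", "Verbose error pages", "low"),
          Finding("PT-03", "Outdated TLS configuration", "medium"),
          Finding("PT-04", "Open redirect in logout", "medium")]
RESULT = reconcile_retest(TICKETS, RETEST, date(2024, 7, 15))
```

The `regressed` and `overdue` lists are what to review before signing off a retest as evidence of improvement; `new` items go back through step 3 as fresh tracking entries.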

Evidence required

Recent security test reports

Reports from penetration tests, tabletop exercises, red team engagements, or similar security tests conducted in the past 12 months.

  • Annual penetration test report with findings
  • Tabletop exercise after-action report
  • Phishing simulation results report

Improvement tracking from test findings

Evidence that findings from tests and exercises were tracked to resolution.

  • Remediation ticket list created from a pen test report
  • Post-exercise action items tracked in a project management tool
  • Before-and-after comparison showing improvement from a retest

Related controls