A tabletop exercise can help organisations test how they would respond to a serious ICT-related incident before one happens.
What is a cybersecurity tabletop exercise?
A cybersecurity tabletop exercise is a structured, scenario-based session that tests how an organisation would respond to a cyber incident.
Unlike a penetration test or red team engagement, a tabletop exercise does not usually touch live systems or involve active exploitation. Instead, it brings key stakeholders together and walks them through a realistic incident as it develops, with a facilitator injecting new information at each stage.
That incident could involve ransomware, a supplier compromise, a cloud outage, a phishing-led account takeover, data theft, operational disruption or an attack affecting a critical business service.
The aim is to test how people, processes and governance structures perform under pressure. A good tabletop exercise helps answer important questions:
- Who makes the decisions?
- Who escalates the incident?
- Who contacts regulators?
- Who leads internal and external communications?
- Who owns recovery priorities?
- Is evidence being captured properly?
- Are regulatory obligations understood?
This makes tabletop exercises valuable for both cyber resilience and compliance readiness.
Why tabletop exercises matter for compliance
Many regulations and standards require organisations to do more than create policies. They expect organisations to manage cyber risk, respond to incidents, maintain services, assess impact, report serious events and improve over time.
A tabletop exercise helps turn those requirements into a practical test.
An incident response policy may say that legal, compliance, communications and senior leadership should be involved during a serious cyber incident. A tabletop exercise tests whether that actually happens. It can reveal whether escalation routes are clear, whether contact lists are current, whether the organisation understands its reporting duties and whether recovery plans match operational reality.
This matters because compliance failures often happen during the response phase. An organisation may have strong documentation, but if teams cannot identify the seriousness of an incident, notify the right people, preserve evidence, communicate clearly or restore critical services, the business may face regulatory scrutiny, operational disruption and reputational damage.
A well-run tabletop exercise creates evidence of testing and improvement. Outputs can include an exercise report, lessons learned, action plans, updated playbooks, attendance records and board-level reporting. These materials can support audits, customer assurance requests and regulatory engagement.
How tabletop exercises support compliance
| Compliance Area | What the Exercise Tests | Why It Matters |
|---|---|---|
| Incident response | Escalation, containment and decision-making | Proves response plans work in practice |
| Governance | Senior leadership involvement and accountability | Supports board and management oversight |
| Reporting | Internal escalation and regulatory notification | Reduces compliance and reporting risk |
| Business continuity | Service continuity and recovery priorities | Strengthens operational resilience |
| Third-party risk | Supplier dependency and communication | Supports DORA and NIS2 expectations |
| Continual improvement | Lessons learned and corrective action | Supports ISO 27001 maturity |
How tabletop exercises support DORA compliance
The Digital Operational Resilience Act, known as DORA, has applied since 17 January 2025 and has made ICT resilience a core priority for financial entities and many organisations that support the financial services sector.
DORA covers ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, management of ICT third-party risk and information sharing, with business continuity and recovery sitting inside the risk management requirements. A tabletop exercise lets an organisation rehearse its response to a serious ICT-related incident before one happens.
A DORA-focused exercise could simulate ransomware affecting a payment service, an outage at a cloud provider, disruption to a critical platform or the compromise of an important ICT third-party provider.
The exercise should test whether the organisation can:
- identify the impact on critical or important functions
- escalate the incident quickly
- classify the incident, including whether it meets the criteria for a major ICT-related incident
- assess whether reporting obligations apply (DORA requires major ICT-related incidents to be reported to the competent authority through an initial notification, an intermediate report and a final report, each on its own deadline)
- communicate with internal and external stakeholders
- manage disruption involving third-party providers
- recover services within realistic timeframes
The real value comes from exposing gaps early. If the exercise reveals unclear ownership, incomplete supplier contacts, weak reporting processes or uncertainty over recovery priorities, those issues can be addressed before they create regulatory or operational risk.
DORA tabletop exercise checklist
- Test a scenario involving a critical or important function
- Include ICT, risk, compliance, operations and leadership
- Test incident classification and severity assessment
- Review internal escalation and reporting triggers
- Assess third-party ICT provider dependencies
- Test continuity and recovery decisions
- Capture lessons learned and assign actions
How tabletop exercises support NIS2 compliance
NIS2 has expanded cybersecurity obligations across essential and important entities in the EU. It places greater emphasis on cyber risk management, incident handling, business continuity, crisis management, supply chain security and senior management accountability.
A NIS2-aligned tabletop exercise helps organisations test whether those obligations are understood across the business. It is especially useful for assessing how technical, operational, legal, compliance and leadership teams work together during a serious incident.
A typical NIS2 scenario could involve ransomware, disruption to an essential service, compromise of a supplier, exploitation of a known but unpatched vulnerability, or an incident affecting multiple markets.
The exercise should test:
- how quickly the organisation identifies the seriousness of the incident
- who needs to be informed
- how decisions are made
- how critical services are protected
- how supply chain implications are assessed
- how reporting obligations are reviewed (for a significant incident, NIS2 expects an early warning within 24 hours of becoming aware, an incident notification within 72 hours and a final report within one month)
- how senior management provides oversight
This is particularly important for organisations operating across different EU jurisdictions. A single cyber incident may create different reporting and operational considerations depending on which services, systems, customers and markets are affected.
Tabletop exercises also support one of the central themes of NIS2: management accountability. NIS2 requires management bodies to approve and oversee cybersecurity risk-management measures and to undergo training, and allows them to be held liable for infringements. Senior leaders therefore cannot be disconnected from cyber incident response. They need to understand their role in oversight, decision-making, service continuity, public communications and investment in recovery.
NIS2 tabletop exercise checklist
- Test an incident affecting an essential or important service
- Include business continuity and crisis management teams
- Test senior management involvement
- Assess supply chain and third-party implications
- Review escalation and reporting processes
- Evaluate alignment with cyber risk management measures
- Document findings and improvement actions
How tabletop exercises support ISO 27001 compliance
ISO 27001 is built around establishing, maintaining and continually improving an information security management system. Tabletop exercises support that model by helping organisations test whether information security processes work in practice.
An ISO 27001-aligned tabletop exercise can provide evidence that incident response arrangements have been reviewed, responsibilities are understood, risks are being monitored and improvement actions are being tracked.
It can also support wider areas including business continuity planning, supplier management, awareness, leadership involvement and continual improvement.
The most important part is the follow-up. A tabletop exercise should not end when the scenario finishes. Findings should be documented, prioritised and assigned to owners. Policies, playbooks and procedures should be updated where needed. Actions should then be tracked through the organisation’s risk management or ISMS processes.
This creates a clear link between exercise findings and continual improvement. For organisations preparing for ISO 27001 certification or maintaining an existing certification, tabletop exercises can help show that incident management is not only documented, but actively tested and improved.
ISO 27001 tabletop exercise checklist
- Test incident response roles and procedures
- Include relevant control owners and stakeholders
- Assess awareness and decision-making under pressure
- Review links to business continuity processes
- Record findings formally
- Assign corrective actions
- Feed actions into the ISMS improvement process
How tabletop exercises support GDPR readiness
Cyber incidents often become data protection incidents. If personal data is involved, organisations need to assess the risk, understand the scope and decide whether notification is required: to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and to affected individuals where the breach is likely to result in a high risk to them.
A tabletop exercise helps test whether legal, privacy, security and communications teams can work together effectively. It can reveal whether the organisation knows what information must be gathered, how risk to individuals is assessed and who makes the final decision on notification.
A GDPR-focused scenario might involve stolen customer data, accidental exposure of sensitive records, compromised employee information or unauthorised access to a cloud platform.
The exercise should test whether the organisation can:
- identify whether personal data is involved
- assess the scope and sensitivity of the data
- determine who may be affected
- establish whether the data was protected, for example by encryption, since that changes the risk to individuals and whether they must be told
- decide whether to notify the supervisory authority and the affected individuals
- prepare clear internal and external communications
- document decisions and timelines (GDPR requires breaches to be documented even where the organisation decides not to notify)
This is valuable because real incidents are rarely clean or complete. Information may be unclear, investigations may still be underway and the organisation may be under pressure from customers, regulators or the media. Practising these scenarios helps reduce confusion when speed and accuracy matter.
GDPR tabletop exercise checklist
- Identify whether personal data is involved
- Assess data types, scope and affected individuals
- Test coordination between privacy, legal and security teams
- Evaluate breach assessment and notification decision-making
- Test communication planning
- Document timelines and evidence clearly
Decision tree: Does your organisation need a compliance-focused tabletop exercise? (Figure not reproduced in this text.)
What should a compliance-focused tabletop exercise include?
A compliance-focused tabletop exercise should be tailored to the organisation’s real operating environment. Generic scenarios rarely deliver the same value because they do not reflect the organisation’s services, suppliers, systems, regulatory exposure or business priorities.
A strong exercise should include:
- a realistic cyber scenario
- clear exercise objectives
- relevant participants from across the business
- staged incident developments
- decision points linked to reporting, escalation and recovery
- discussion of legal, operational and communications issues
- review of business continuity arrangements
- a final report with findings, owners and deadlines
The best exercises involve more than security and IT. Legal, compliance, operations, communications, procurement, data protection, risk and senior leadership may all need to participate, depending on the scenario.
Five questions every tabletop exercise should answer
1. Do we know when an incident becomes serious?
This tests whether teams can classify incidents properly and escalate them quickly enough.
2. Do the right people get involved quickly?
This checks whether legal, compliance, leadership, operations and communications know when to step in.
3. Can we meet reporting obligations?
This tests whether the organisation can gather the right information and assess notification requirements in time.
4. Can we keep critical services running?
This shows whether continuity and recovery plans match real business priorities.
5. Do we learn and improve afterwards?
This proves the organisation is not just testing, but strengthening resilience over time.
Common compliance gaps revealed by tabletop exercises
Tabletop exercises often expose issues that are difficult to spot in policy documents.
Common findings include unclear ownership, slow escalation, outdated contact lists, limited supplier visibility, weak evidence capture and uncertainty around regulatory reporting.
Another common weakness is over-reliance on technical teams. In reality, a major cyber incident quickly becomes a business issue. Legal, communications, operations, compliance and leadership teams may all need to make decisions before the technical investigation is complete.
That is why tabletop exercises are so useful. They reveal what needs attention before a real incident creates disruption, regulatory exposure or reputational damage.
Quick readiness checklist
Use this checklist to assess whether your organisation is ready for a compliance-focused tabletop exercise.
Planning checklist
- We know which regulations and standards apply to us
- We have an incident response plan
- We have identified critical services and systems
- We understand key third-party dependencies
- We have escalation and communications procedures
- Senior leadership is ready to participate
- We have a process for recording lessons learned
Post-exercise checklist
- Findings are documented clearly
- Gaps are prioritised by risk
- Action owners are assigned
- Deadlines are agreed
- Policies or playbooks are updated
- Follow-up testing is planned
- Results are reported to relevant stakeholders
How Integrity360 can help
Integrity360 helps organisations design and run tailored cybersecurity tabletop exercises aligned to operational and compliance priorities.
Our experts build realistic scenarios based on your threat landscape, regulatory requirements and business model. Exercises can be designed to test DORA readiness, NIS2 resilience measures, ISO 27001 incident response maturity, GDPR breach response, crisis communications, third-party disruption and board-level decision-making.
The outcome is not just an exercise. It is a clearer understanding of your readiness, your gaps and the actions needed to improve resilience.