A tabletop exercise can help organisations test how they would respond to a serious ICT-related incident before one happens.
A cybersecurity tabletop exercise is a structured, scenario-based session that tests how an organisation would respond to a cyber incident.
Unlike a technical security test, a tabletop exercise does not usually involve live systems or active exploitation. Instead, it brings key stakeholders together and walks them through a realistic incident as it develops.
That incident could involve ransomware, a supplier compromise, a cloud outage, a phishing-led account takeover, data theft, operational disruption or an attack affecting a critical business service.
The aim is to test how people, processes and governance structures perform under pressure. A good tabletop exercise helps answer important questions:
This makes tabletop exercises valuable for both cyber resilience and compliance readiness.
Many regulations and standards require organisations to do more than create policies. They expect organisations to manage cyber risk, respond to incidents, maintain services, assess impact, report serious events and improve over time.
A tabletop exercise helps turn those requirements into a practical test.
An incident response policy may say that legal, compliance, communications and senior leadership should be involved during a serious cyber incident. A tabletop exercise tests whether that actually happens. It can reveal whether escalation routes are clear, whether contact lists are current, whether the organisation understands its reporting duties and whether recovery plans match operational reality.
This matters because compliance failures often happen during the response phase. An organisation may have strong documentation, but if teams cannot identify the seriousness of an incident, notify the right people, preserve evidence, communicate clearly or restore critical services, the business may face regulatory scrutiny, operational disruption and reputational damage.
A well-run tabletop exercise creates evidence of testing and improvement. Outputs can include an exercise report, lessons learned, action plans, updated playbooks, attendance records and board-level reporting. These materials can support audits, customer assurance requests and regulatory engagement.
| Compliance Area | What the Exercise Tests | Why It Matters |
|---|---|---|
| Incident response | Escalation, containment and decision-making | Proves response plans work in practice |
| Governance | Senior leadership involvement and accountability | Supports board and management oversight |
| Reporting | Internal escalation and regulatory notification | Reduces compliance and reporting risk |
| Business continuity | Service continuity and recovery priorities | Strengthens operational resilience |
| Third-party risk | Supplier dependency and communication | Supports DORA and NIS2 expectations |
| Continual improvement | Lessons learned and corrective action | Supports ISO 27001 maturity |
The Digital Operational Resilience Act, known as DORA, has made ICT resilience a core priority for financial entities and many organisations that support the financial services sector.
DORA focuses on ICT risk management, incident handling, digital operational resilience testing, third-party ICT risk and business continuity.
A DORA-focused exercise could simulate ransomware affecting a payment service, an outage at a cloud provider, disruption to a critical platform or the compromise of an important ICT third-party provider.
The exercise should test whether the organisation can:
The real value comes from exposing gaps early. If the exercise reveals unclear ownership, incomplete supplier contacts, weak reporting processes or uncertainty over recovery priorities, those issues can be addressed before they create regulatory or operational risk.
NIS2 has expanded cybersecurity obligations across essential and important entities in the EU. It places greater emphasis on cyber risk management, incident handling, business continuity, crisis management, supply chain security and senior management accountability.
A NIS2-aligned tabletop exercise helps organisations test whether those obligations are understood across the business. It is especially useful for assessing how technical, operational, legal, compliance and leadership teams work together during a serious incident.
A typical NIS2 scenario could involve ransomware, disruption to an essential service, compromise of a supplier, exploitation of a known exposure or an incident affecting multiple markets.
The exercise should test:
This is particularly important for organisations operating across different EU jurisdictions. A single cyber incident may create different reporting and operational considerations depending on which services, systems, customers and markets are affected.
Tabletop exercises also support one of the central themes of NIS2: management accountability. Senior leaders cannot be disconnected from cyber incident response. They need to understand their role in oversight, decision-making, service continuity, public communications and investment in recovery.
ISO 27001 is built around establishing, maintaining and continually improving an information security management system. Tabletop exercises support that model by helping organisations test whether information security processes work in practice.
An ISO 27001-aligned tabletop exercise can provide evidence that incident response arrangements have been reviewed, responsibilities are understood, risks are being monitored and improvement actions are being tracked.
It can also support wider areas including business continuity planning, supplier management, awareness, leadership involvement and continual improvement.
The most important part is the follow-up. A tabletop exercise should not end when the scenario finishes. Findings should be documented, prioritised and assigned to owners. Policies, playbooks and procedures should be updated where needed. Actions should then be tracked through the organisation’s risk management or ISMS processes.
This creates a clear link between exercise findings and continual improvement. For organisations preparing for ISO 27001 certification or maintaining an existing certification, tabletop exercises can help show that incident management is not only documented, but actively tested and improved.
Cyber incidents often become data protection incidents. If personal data is involved, organisations need to assess the risk, understand the scope and decide whether notification is required.
A tabletop exercise helps test whether legal, privacy, security and communications teams can work together effectively. It can reveal whether the organisation knows what information must be gathered, how risk to individuals is assessed and who makes the final decision on notification.
A GDPR-focused scenario might involve stolen customer data, accidental exposure of sensitive records, compromised employee information or unauthorised access to a cloud platform.
The exercise should test whether the organisation can:
This is valuable because real incidents are rarely clean or complete. Information may be unclear, investigations may still be underway and the organisation may be under pressure from customers, regulators or the media. Practising these scenarios helps reduce confusion when speed and accuracy matter.
A compliance-focused tabletop exercise should be tailored to the organisation’s real operating environment. Generic scenarios rarely deliver the same value because they do not reflect the organisation’s services, suppliers, systems, regulatory exposure or business priorities.
A strong exercise should include:
The best exercises involve more than security and IT. Legal, compliance, operations, communications, procurement, data protection, risk and senior leadership may all need to participate, depending on the scenario.
- Incident classification and escalation: this tests whether teams can classify incidents properly and escalate them quickly enough.
- Cross-functional decision points: this checks whether legal, compliance, leadership, operations and communications know when to step in.
- Regulatory reporting and evidence gathering: this tests whether the organisation can gather the right information and assess notification requirements in time.
- Continuity and recovery: this shows whether continuity and recovery plans match real business priorities.
- Lessons learned and follow-up actions: this proves the organisation is not just testing, but strengthening resilience over time.
Tabletop exercises often expose issues that are difficult to spot in policy documents.
Common findings include unclear ownership, slow escalation, outdated contact lists, limited supplier visibility, weak evidence capture and uncertainty around regulatory reporting.
Another common weakness is over-reliance on technical teams. In reality, a major cyber incident quickly becomes a business issue. Legal, communications, operations, compliance and leadership teams may all need to make decisions before the technical investigation is complete.
That is why tabletop exercises are so useful. They reveal what needs attention before a real incident creates disruption, regulatory exposure or reputational damage.
Use this checklist to assess whether your organisation is ready for a compliance-focused tabletop exercise.
Integrity360 helps organisations design and run tailored cybersecurity tabletop exercises aligned to operational and compliance priorities.
Our experts build realistic scenarios based on your threat landscape, regulatory requirements and business model. Exercises can be designed to test DORA readiness, NIS2 resilience measures, ISO 27001 incident response maturity, GDPR breach response, crisis communications, third-party disruption and board-level decision-making.
The outcome is not just an exercise. It is a clearer understanding of your readiness, your gaps and the actions needed to improve resilience.