Test the Incident Response Plan
Plain English Translation
A written incident response plan is only useful if the organization can execute it under pressure. CyberSecure Canada requires organizations to test the incident response plan regularly, for example through a cybersecurity tabletop exercise, to confirm that the documented procedures work as intended. Where appropriate, the testing must include relevant third-party vendors and managed service providers, so that everyone agrees on communication paths, handoffs and recovery responsibilities before a real incident occurs.
Technical Implementation
Required Actions (startup)
- Schedule an annual internal walkthrough of the incident response plan with the core team.
- Use a simple scenario, such as a localized malware infection, to verify contact lists and basic procedures.
- Document the date, participants, and a few lessons learned as proof of testing.
Required Actions (scaleup)
- Run a structured incident response tabletop exercise using a detailed scenario like a ransomware attack or data breach.
- Involve critical third-party IT service providers or managed service providers in the exercise.
- Produce a formal after-action report that records each identified gap and the remediation task assigned to close it.
Required Actions (enterprise)
- Conduct complex, multi-scenario functional drills simulating significant business disruption.
- Include non-IT stakeholders such as legal, human resources, and public relations in the testing.
- Test out-of-band communication methods and alternate recovery sites to confirm they work when primary systems and channels are unavailable.
Evidence Required
Organizations should test the incident response plan at least annually, and again after significant changes to the IT environment, changes in key personnel, or a real cyber incident.
A cybersecurity tabletop exercise is a discussion-based session where the response team walks through a simulated threat scenario step-by-step to evaluate the plan's effectiveness in a low-stress environment.
To evidence the test for auditors, retain the exercise scenario, the list of participants, the date it was held, and an after-action report detailing lessons learned and planned improvements.
Invite key contacts from your managed service providers or hosting vendors to participate directly in the tabletop exercise to validate communication protocols, service level agreements, and shared security responsibilities.
Testing should cover the threats most likely to affect the organization and most damaging if they do, such as a ransomware infection, a major data breach, business email compromise, or an insider threat.
A tabletop exercise is a verbal walkthrough of a scenario; a functional drill is hands-on testing of specific technical tasks, such as restoring a backup to a scratch environment; a full simulation mimics a live incident that affects production systems and operations, and therefore needs the same scheduling, approvals and rollback planning as any other production change.
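The functional drill named above (restoring a backup) is the kind of test that can be scripted so that every run produces a timed, verifiable record rather than a verbal assurance. The following is an added example, not code from this page or from CyberSecure Canada or WatchDog Security. It assumes a hypothetical backup format (a tar.gz archive shipped with a separate SHA-256 manifest), restores it into a scratch directory rather than production, checks every file against the manifest, measures recovery time against an assumed RTO, and returns an after-action style record. The sample backup contents, participant names and the deliberately corrupted second run are constructed for the demonstration.

```python
"""Timed backup-restore drill with integrity verification and an evidence record.

Added example; not code from the page or from CyberSecure Canada / WatchDog Security.
Assumptions (hypothetical): backups are tar.gz archives accompanied by a JSON-style
manifest of SHA-256 hashes; all file contents and participant names are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large restores do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_backup(workdir: Path, tamper: bool = False) -> tuple[Path, dict]:
    """Build a constructed backup archive and its hash manifest (sample data only).

    With tamper=True the manifest stays as written but one file is altered before
    archiving, modelling a backup that was corrupted after the manifest was taken."""
    src = workdir / "src"
    src.mkdir()
    (src / "config.yml").write_text("db: prod\nretention_days: 30\n")
    (src / "customers.csv").write_text("id,email\n1,alice@example.test\n")
    manifest = {p.name: sha256_file(p) for p in src.iterdir()}
    if tamper:
        (src / "customers.csv").write_text("id,email\n1,mallory@example.test\n")
    archive = workdir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in src.iterdir():
            tar.add(p, arcname=p.name)
    return archive, manifest


def run_restore_drill(archive: Path, manifest: dict, restore_dir: Path,
                      participants: list[str], rto_seconds: float) -> dict:
    """Restore to a scratch directory, verify every file against the manifest,
    time the restore and return an after-action style record. Never touches production."""
    started = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Extraction filter refuses absolute paths, traversal and device members.
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)  # older interpreter without extraction filters
    elapsed = time.monotonic() - started
    mismatches = [name for name, expected in manifest.items()
                  if not (restore_dir / name).exists()
                  or sha256_file(restore_dir / name) != expected]
    return {
        "exercise_type": "functional drill: backup restore",
        "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "participants": participants,
        "restore_seconds": round(elapsed, 3),
        "rto_met": elapsed <= rto_seconds,
        "files_checked": len(manifest),
        "integrity_failures": mismatches,
        "outcome": "pass" if not mismatches and elapsed <= rto_seconds else "fail",
    }


def demo() -> dict:
    """Run one clean drill and one against a corrupted backup; return both records."""
    results = {}
    for label, tamper in (("clean", False), ("corrupted", True)):
        with tempfile.TemporaryDirectory() as tmp:
            work = Path(tmp)
            archive, manifest = make_sample_backup(work, tamper=tamper)
            restore_dir = work / "restore"
            restore_dir.mkdir()
            results[label] = run_restore_drill(
                archive, manifest, restore_dir,
                participants=["IR lead", "backup admin", "MSP on-call"],  # constructed
                rto_seconds=60)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The returned record is the artifact to file alongside the tabletop materials: it captures date, participants, measured recovery time against the RTO, and whether integrity held. The corrupted run shows why a drill must verify content and not just that extraction succeeded; a restore that completes within the RTO but returns altered data is still a failed test.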
Testing should include the primary IT and security responders, alongside key stakeholders from executive leadership, legal counsel, human resources, and public relations, as cyber incidents affect the entire business.
Success is measured by comparing the team's actions against the documented procedures, evaluating how quickly and accurately information was communicated, recording recovery times (estimated in a tabletop, measured in a functional drill), and determining whether the business impact was contained as the plan intends.
Review the after-action report to identify gaps and outdated information, update the written procedures and contact lists accordingly, and distribute the revised plan to all stakeholders.
Section 5.1.2.3 requires the organization to test the incident response plan to ensure it meets its intended outcomes, and mandates that relevant third-party cyber security service providers be included in the testing where appropriate.
Incident response testing often creates follow-up work (policy updates, new controls, vendor action items) that can get lost across emails and tickets. Tools like WatchDog Security's Compliance Center can map each exercise to this control, attach the tabletop materials and after-action report as evidence, and track remediation tasks to closure so the next test validates measurable improvements.
Including providers in exercises is useful, but it also adds coordination and proof requirements (who attended, what was agreed, what SLAs and handoffs were validated). Tools like WatchDog Security's Vendor Risk Management can maintain vendor contacts and criticality, record exercise participation, and store the resulting communications and evidence needed to demonstrate that third-party roles were tested where appropriate.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |