Tabletop Exercise
Definition
A tabletop exercise (TTX) is a structured, discussion-based simulation in which the relevant stakeholders walk through a realistic security or resilience scenario to validate plans, clarify decision-making, and identify gaps, without executing technical changes in production. In ISO/IEC 27001 programs, tabletop exercises are commonly used to test incident management processes and preparedness; they support continual improvement by verifying that roles, procedures, communications, and escalation paths work as intended in practice.

A well-run TTX has a facilitator, a defined scope (for example ransomware, insider misuse, or a cloud outage), timed "injects" (new facts introduced during the exercise), and agreed success criteria such as response time targets, notification thresholds, and evidence capture. Because participants only discuss what they would do, a TTX validates decisions and coordination rather than proving that a tool or runbook step actually works; that kind of validation needs a drill or a full-scale exercise.

Outputs typically include an after-action report, corrective actions, and updates to policies, runbooks, training, and contact trees. Similar activities exist across other security and assurance approaches (for example, incident response exercises, crisis management simulations, and continuity tests), but a TTX specifically emphasizes coordination, governance decisions, and operational readiness rather than hands-on technical execution.
Real-World Examples
Startup ransomware response walkthrough
A small team rehearses containment steps, customer communications, and restore priorities using a ransomware scenario and timed injects.
Enterprise data breach escalation test
Security, legal, privacy, and communications teams validate notification thresholds, approvals, and evidence handling for a suspected breach.
Cloud outage and continuity coordination
Operations and business owners review failover decisions, manual workarounds, and recovery objectives during a regional cloud disruption.
Frequently Asked Questions
What is a tabletop exercise?
A tabletop exercise is a facilitator-led, discussion-based simulation in which teams walk through an incident scenario to validate roles, decisions, communications, and documented response procedures.
How do you run a tabletop exercise?
Define scope and objectives, select a realistic scenario, identify participants and roles, prepare injects and a timeline, facilitate the decisions at each inject, and document outcomes with clear action items and owners. Keep the injects known only to the facilitator and planning team so that participants respond to the scenario as they would to a real incident.
Who should participate?
Include incident response leads, IT/engineering, security, executives or incident commanders, communications, legal/privacy as needed, and the business owners who approve priorities and customer-impact decisions.
How often should tabletop exercises be run?
Many organizations run them at least annually and after major changes, with higher frequency for high-risk systems, new teams, or when incidents and near-misses produce lessons learned.
What scenarios are commonly used?
Common scenarios include ransomware with backup impairment, credential compromise leading to data access, third-party breach notification, insider misuse, and double-extortion demands with media pressure.
What questions should the exercise force participants to answer?
Who is in charge, what evidence is needed and how it is preserved, when to escalate, how to communicate internally and externally, which systems to isolate, which priorities guide recovery, and what triggers regulatory or customer notifications.
How long does a TTX take and what is the agenda?
A typical TTX lasts 60 to 120 minutes and follows a brief introduction, scenario briefing, timed injects, decision checkpoints, communications review, and a debrief that captures gaps and improvements.
How does a tabletop differ from a drill or a full-scale exercise?
A tabletop is discussion-based; a drill practices specific tasks (such as paging or restore steps); a full-scale exercise runs end-to-end operations, often on live systems and tooling with broader coordination. A tabletop therefore tests decision-making and coordination, not whether the technical steps actually work.
What should be documented afterwards?
Record decisions, timelines, observed strengths and gaps, root causes, and remediation actions with owners and due dates, then update plans, runbooks, training, and metrics based on the findings.
What evidence should be retained for audit?
Keep the exercise plan, attendee list, scenario and injects, meeting notes, decision logs, communications drafts, the after-action report, and tracked corrective actions showing closure and improvements.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |