Tabletop Exercise (Krisenübung) - Definition & Explanation

Tabletop Exercise (TTX) is the most cost-effective form of crisis prevention: Everyone sits down together, the facilitator describes an attack scenario, and all participants discuss what they would do next—based on their actual roles and processes. The results are often surprising: Almost every company discovers critical gaps.

Why Tabletop Exercises Are Indispensable

The Problem with Incident Response Plans:

Created once—and then never opened again
Stored in the wiki, but no one knows about them
Describe processes that don’t work in reality
Assumptions (“the IT director is reachable”) are incorrect

What a TTX Reveals:

> "Who decides whether we shut down operations?" - Answer: Silence → no one knows for sure

> "How do we notify customers in the event of a data breach?" - Answer: "Does... Marketing handle that? Management? Legal?"

> "Do we have offline backups we can use in the event of a ransomware attack?" - Answer: "I think so... but I’d have to ask IT"

Result: Gaps become visible BEFORE they cost us in a real emergency.

Types of Tabletop Exercises

1. Simple TTX (Discussion-Based)

Facilitator presents scenario
Team discusses response
No time limits, no stress
Good for: Initial familiarization with the plan, awareness
Duration: 2–3 hours

2. Advanced TTX (Injected Events)

Facilitator introduces new information during the exercise
"Breaking News: Your data has appeared on the dark web"
"Your CEO just gave an interview"
Tests adaptability
Duration: 4–6 hours

3. Full-Scale Crisis Exercise (Functional Exercise)

All roles active (IT, Management, Legal, Marketing, HR)
Role-playing: Press simulator, customer calls (simulated)
Time pressure and realistic stress simulation
Duration: 1 full day

4. Full-Scale Exercise

Partial integration of live systems (test failover)
Only for very mature BCM programs
Duration: 1–3 days

> Recommendation for SMEs: Type 1 or 2, annually or semi-annually.

Procedure for a Ransomware Tabletop Exercise

Preparation (1 week in advance)

Define the objective: What do we want to test?
Invite participants: IT, management, HR, Legal, Marketing, external partners if applicable
Select scenario: Ransomware attack (most common use case)
Distribute materials: IR plan, contact lists, BCP documents
Brief the moderator: Prepare injection cards

Exercise Day - Scenario "Monday, 7:30 AM"

[Facilitator]: "It’s Monday morning. The IT help desk receives the first calls: Windows computers are displaying a red message—all files have been encrypted. A ransom demand: 500,000 EUR in Bitcoin."

Inject cards (timed):

Time	Inject
8:00 AM	"The local system administrator is on vacation. Unreachable."
9:00 AM	"A journalist from the WAZ calls – does he already have the story?"
10:30	"The BSI is in touch: Was this a state-sponsored attacker?"
11:00	"Your partner hospital is also affected"
12:00	"NIS2 requirement: Report to the BSI by 5:00 PM today"
14:00	"An employee panicked and reset their laptop"

Discussion questions for each scenario:

"What do you do now?"
"Who makes the decisions?"
"What do you communicate?"
"Do you have your IT service provider’s emergency number handy?"
"Which systems do you prioritize during recovery?"

Debriefing (last 60 minutes)

"What went well?"
"Where did we realize we were prepared?"
"What do we need to improve?"
Action plan: who does what by when?

The most common insights from TTX

Communication (almost always an issue)

No up-to-date emergency contacts (personal, not @company.com!)
No clear chain of command
Management and IT speak different languages
No defined external communication channel (if email/Slack is encrypted)
Press relations are nobody’s responsibility

Technical

Backup status unclear (“I think we have backups”)
No offline copies (all backups are also encrypted)
No asset list → unclear which systems are critical
Forensic capabilities not defined

Organizational

Decision-makers unreachable / on vacation
IR plan not rehearsed → no one really knows it
NO IR retainer agreement with an external service provider
Cyber insurance in place but process unclear

Regulatory

BSI reporting requirement (NIS2: 24 hours!) unknown
GDPR reporting requirement (72 hours to supervisory authority) unknown
Competent supervisory authority unknown

Planning a Tabletop Exercise - Checklist

Preparation

Define objective and scope (What are we testing? What are we NOT testing?)
Participants: all relevant roles (not just IT!)
Select scenario: ransomware / data breach / DDoS / insider threat
Write injection cards (5–8 are sufficient for a 4-hour exercise)
Facilitator: internal or external (external facilitator = more objective)
Materials: IR plan, emergency checklist, insurance policy
Set timeframe (4–6 hours for a medium-sized TTX)

Execution

Explain the rules: “This exercise is not a criticism. The goal is improvement.”
Simulate time pressure (without overwhelming participants)
Document all decisions and discussions
Do not "let anyone win" - Incorporate stressful situations

Follow-up

Hot Wash: immediate feedback directly after the exercise
Write an After Action Report
Action plan: specific "Who does what by when"
Update IR plan
Plan next TTX (at least annually, preferably semi-annually)

TTX and NIS2 / ISO 27001

NIS2 (Art. 21(2b) – Incident Handling)

Incident response plan is MANDATORY
Tabletop exercises are a verifiable means of verification
BSI may request proof of planned exercises

ISO 27001:2022

Control A.5.24: Planning and preparation for information security incident management
Control A.5.25: Assessment and decision on information security events
Control A.5.26: Response to information security incidents

Certification auditors expect:

A documented IR plan
Evidence that the plan has been practiced
After-action reports from previous exercises
Continuous improvement (action plans implemented)

Recommendation:

Include tabletop exercises in the ISMS calendar
Conduct at least one TTX annually; file the minutes in the ISMS
Incorporate findings into the risk assessment