
Incident Response Plan Testing: A Practical Guide

An untested incident response plan is just a document. Regular testing reveals gaps, builds muscle memory, and ensures your team can respond effectively when a real incident occurs.

10 October 2024, 9 min read

Many compliance frameworks (PCI DSS, ISO 27001, DORA) require incident response plans to be tested periodically, typically at least annually. But compliance aside, testing is essential for operational readiness: a plan that has never been exercised tells you nothing about whether the people, tooling and contacts it relies on will work under pressure.

Types of Testing

Level 1: Plan Review

Document review to verify completeness and accuracy. Low effort, limited value.

Level 2: Tabletop Exercise

Discussion-based walkthrough of a scenario. Moderate effort, high value for identifying gaps.

Level 3: Functional Exercise

Simulated incident with actual system interaction. Higher effort, tests technical capabilities.

Level 4: Full-Scale Drill

Real-time simulation involving all stakeholders. Highest effort, most realistic assessment.

Tabletop Exercises

Tabletop exercises are the most practical starting point. They're low-cost, low-risk, and highly effective at identifying gaps.

Planning the Exercise

  • Define objectives: What do you want to test or learn?
  • Select participants: Include all relevant stakeholders
  • Develop scenario: Realistic, relevant to your organisation
  • Prepare injects: Information revealed as the scenario progresses
  • Assign facilitator: Someone to guide discussion and track time

Sample Ransomware Scenario

  • Phase 1 - Detection (15 mins): IT helpdesk receives reports of encrypted files. How do you confirm this is ransomware? Who do you notify?
  • Phase 2 - Containment (20 mins): Ransomware is spreading. What containment actions do you take? How do you balance containment with business continuity?
  • Phase 3 - Communication (15 mins): Media are calling. Customers are asking questions. Regulators need notification. How do you manage communications?
  • Phase 4 - Recovery (20 mins): Threat is contained. How do you prioritise recovery? What's your position on ransom payment?

Facilitation Tips

  • Keep discussion focused but allow exploration of issues
  • Encourage participation from quieter attendees
  • Note disagreements and gaps for follow-up
  • Avoid "solving" the scenario—focus on process
  • Time-box each phase to maintain momentum

Functional Exercises

Functional exercises involve actual system interaction, carried out on test systems, restored copies or isolated network segments so that production is not impacted:

  • Test backup restoration procedures
  • Verify communication channels work
  • Practice forensic evidence collection
  • Test failover and recovery procedures
  • Validate vendor contact information

When did you last actually restore from backup? Many organisations discover their backups are incomplete or corrupted only during a real incident. A restore test should start from the backup media alone, restore into an isolated environment and verify the restored data against known-good checksums; a backup job that reported success proves nothing on its own.
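The restore test described above, as an added example that is not part of the original article: it builds a constructed sample tree, backs it up into a tar.gz with an embedded SHA-256 manifest, restores from the archive alone into a scratch directory and verifies every file, then damages copies of the backup to reproduce the two failure modes the paragraph warns about, an incomplete backup and a silently corrupted one. The manifest name, the archive layout and the sample data are assumptions, not conventions from the article.

```python
"""Functional exercise: prove a backup can actually be restored.

Added example, not the article's code. Backs up a constructed sample tree with an
embedded SHA-256 manifest, restores from the archive alone and verifies each file,
then damages copies of the backup to show a missing file and silent corruption.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # assumed name for the manifest stored inside the archive

SAMPLE_FILES = {  # constructed sample data standing in for a production tree
    "db/customers.csv": b"id,name\n1,Ada\n2,Grace\n",
    "config/app.ini": b"[db]\nhost=db01\nport=5432\n",
    "docs/runbook.md": b"# Runbook\nRestore from the last verified backup.\n",
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(root: Path, archive: Path) -> dict:
    """Write root into a tar.gz with an embedded manifest so the restore is self-checking."""
    manifest = {p.relative_to(root).as_posix(): sha256_of(p)
                for p in sorted(root.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def damage_backup(src: Path, dst: Path, drop=None, tamper=None) -> None:
    """Copy a backup, dropping member `drop` (incomplete job) and flipping the
    last byte of member `tamper` (bit rot), to simulate what real restores hit."""
    with tarfile.open(src, "r:gz") as tin, tarfile.open(dst, "w:gz") as tout:
        for member in tin.getmembers():
            if member.name == drop:
                continue
            data = tin.extractfile(member).read()
            if member.name == tamper:
                data = data[:-1] + bytes([data[-1] ^ 0xFF])
            info = tarfile.TarInfo(member.name)
            info.size = len(data)
            tout.addfile(info, io.BytesIO(data))


def verify_restore(archive: Path, restore_dir: Path) -> dict:
    """Restore from the archive alone and check every manifest entry on disk."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    # Use the hardened 'data' extraction filter (blocks absolute paths and '..'
    # traversal in member names) where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)
    result = {"ok": False, "verified": 0, "missing": [], "corrupted": []}
    manifest_path = restore_dir / MANIFEST
    if not manifest_path.is_file():
        result["error"] = "archive carries no manifest; nothing can be verified"
        return result
    for rel, digest in json.loads(manifest_path.read_text()).items():
        restored = restore_dir / rel
        if not restored.is_file():
            result["missing"].append(rel)
        elif sha256_of(restored) != digest:
            result["corrupted"].append(rel)
        else:
            result["verified"] += 1
    result["ok"] = not result["missing"] and not result["corrupted"]
    return result


def run_exercise() -> dict:
    """Run the restore test against a healthy, an incomplete and a corrupted backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod = tmp / "prod"
        for rel, content in SAMPLE_FILES.items():
            (prod / rel).parent.mkdir(parents=True, exist_ok=True)
            (prod / rel).write_bytes(content)
        good, partial, rotten = tmp / "good.tgz", tmp / "partial.tgz", tmp / "rotten.tgz"
        create_backup(prod, good)
        damage_backup(good, partial, drop="docs/runbook.md")
        damage_backup(good, rotten, tamper="db/customers.csv")
        return {
            "healthy": verify_restore(good, tmp / "restore-healthy"),
            "incomplete": verify_restore(partial, tmp / "restore-incomplete"),
            "corrupted": verify_restore(rotten, tmp / "restore-corrupted"),
        }


if __name__ == "__main__":
    print(json.dumps(run_exercise(), indent=2))
```

Run it as a script to see the three reports. The point of the exercise is the last two: the damaged archives are the same size and open without error, exactly as a backup job that reported success would, and only restoring and checksumming against the manifest reveals the missing runbook and the altered customer file.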

What to Test

Technical Capabilities

  • Detection and alerting mechanisms
  • Isolation and containment procedures
  • Forensic collection capabilities
  • Backup and recovery processes
  • Alternative communication channels

Process and Coordination

  • Escalation procedures and thresholds
  • Decision-making authority
  • Cross-team coordination
  • External communication protocols
  • Regulatory notification procedures

Common Gaps Discovered

Testing consistently reveals these issues:

  • Contact information: Out-of-date phone numbers and email addresses
  • Authority: Unclear who can make critical decisions
  • Dependencies: Unknown reliance on specific individuals or systems
  • Communication: No out-of-band channel if the primary ones (email, chat, telephony) are compromised or unavailable during the incident
  • Third parties: Vendor response times and capabilities unknown
  • Documentation: Procedures that don't match current systems

After the Exercise

Debrief Structure

  • What worked well? Identify strengths to maintain
  • What didn't work? Gaps and failures to address
  • What was confusing? Areas needing clarification
  • What was missing? Resources or capabilities needed

Action Items

Every exercise should produce:

  • Prioritised list of improvements
  • Owners and deadlines for each action
  • Updates to the incident response plan
  • Training needs identified
  • Date for next exercise

Testing Frequency

  • Tabletop exercises: Quarterly, rotating scenarios
  • Functional tests: Semi-annually for critical procedures
  • Full-scale drills: Annually
  • Plan reviews: After any significant change

Conclusion

Incident response testing isn't about passing or failing—it's about learning and improving. Every exercise reveals something valuable, whether it's a gap in your plan, a training need, or a process that works better than expected.

Start with tabletop exercises if you haven't tested recently. They're low-effort, high-value, and build the foundation for more complex testing. The goal is continuous improvement, not perfection.
