Checklist: Tabletop Exercise Questions for Executives, IT, Legal, and Communications
A tabletop exercise should not be a meeting where everyone says, “We would follow the incident response plan.” It should test real decisions, roles, evidence, recovery, legal duties, and communication under pressure.
Quick Snapshot
| Tabletop Role | What the Exercise Should Test |
|---|---|
| Executives | Business impact, risk decisions, customer trust, funding, and escalation. |
| IT / Security | Detection, containment, recovery, logs, backups, and technical evidence. |
| Legal | Notification duties, privilege, contracts, regulators, and insurance requirements. |
| Communications | Internal updates, customer messaging, media response, timing, and approvals. |
| Outcome | A tested incident response process with clear gaps, owners, and corrective actions. |
Introduction
A cyber incident does not wait for the perfect meeting invite.
It starts messy.
An alert fires. A user reports suspicious activity. A vendor sends a breach notice. A system goes offline. A customer asks if their data is safe. An executive wants an update. Legal asks what is confirmed. Communications wants approved wording. IT is still investigating.
This is why tabletop exercises matter.
A good tabletop asks hard questions:
- Who decides?
- Who leads?
- Who communicates?
- What evidence must be preserved?
- When do we notify customers?
- When do we call legal, insurance, or law enforcement?
- What happens if our first assumption is wrong?
Need a Cyber Incident Tabletop?
Canadian Cyber helps organizations run executive-ready tabletop exercises for ransomware, data breaches, vendor incidents, cloud compromise, insider risk, AI data exposure, and business email compromise.
Why Tabletop Exercises Fail
Many tabletop exercises fail because they are too polite.
Everyone nods. Nobody challenges assumptions. The scenario is too easy. Executives are not forced to make decisions. Legal is not asked about notification timing. Communications is not asked to write a holding statement. IT is not asked what logs actually exist. Backups are assumed to be intact and restorable rather than tested.
That creates false confidence.
| Area | What to Test |
|---|---|
| Roles | Who leads the response? |
| Escalation | Who needs to know and when? |
| Evidence | What logs, alerts, emails, and files must be preserved? |
| Technical Response | Can IT contain and recover? |
| Legal Decisions | Are notification and privilege issues understood? |
| Communications | Can the company communicate without overpromising? |
| Corrective Actions | Are lessons learned tracked to closure? |
Practical rule: A tabletop is only useful if it creates action items. No findings usually means the scenario was too easy.
Question Set 1: Executive Leadership
Executives do not need every technical detail. They do need to make business decisions under pressure.
| Executive Question | What It Tests |
|---|---|
| Who is the executive incident sponsor? | Decision ownership. |
| At what point does this become a crisis event? | Escalation threshold. |
| What business services are most critical? | Business impact awareness. |
| Who approves customer notification? | Governance. |
| Who approves cyber insurance notification? | Insurance process. |
| Who can authorize emergency spending? | Resource readiness. |
Follow-up questions:
- Can leadership make decisions if the CEO is unavailable?
- Does leadership know where the incident response plan is?
- Do executives know the cyber insurance contact?
- Which customers require urgent notification?
- Who can approve taking systems offline?
Red flag: If every decision depends on one executive, your response plan has a single point of failure.
Question Set 2: IT and Security
IT and security teams handle detection, containment, investigation, and recovery. The tabletop should test whether they know what evidence exists and what actions to take first.
| IT / Security Question | What It Tests |
|---|---|
| What alert triggered the investigation? | Detection capability. |
| Which systems are affected? | Scope assessment. |
| Is the attack still active? | Containment urgency. |
| What logs do we have? | Evidence readiness. |
| Are backups safe? | Recovery confidence. |
| What actions might destroy evidence? | Forensic awareness. |
Follow-up questions:
- Can we disable accounts quickly?
- Can we revoke sessions?
- Can we isolate endpoints?
- Can we preserve cloud logs?
- Can we identify data accessed or exfiltrated?
- Can we rebuild from clean backups?
Good IT evidence: system inventory, log source inventory, admin access review, backup coverage report, restore test evidence, endpoint coverage report, cloud audit logs, network diagrams, and forensic preservation checklist.
Question Set 3: Legal
Legal should help protect privilege, assess notification duties, review contracts, and coordinate with external counsel when needed.
| Legal Question | What It Tests |
|---|---|
| When should legal be engaged? | Escalation timing. |
| Should external breach counsel be contacted? | Privilege and expertise. |
| What facts are confirmed? | Avoiding speculation. |
| Is personal data involved? | Privacy assessment. |
| Are notification deadlines triggered? | Timing control. |
| What communications need legal approval? | Message governance. |
Follow-up questions:
- Do we know which customers are affected?
- Do contracts require notice within a specific time?
- Does the incident involve regulated data?
- Should forensic work be directed through counsel?
- Who approves external statements?
Red flag: If legal is only brought in after customers are notified, the response process is backwards.
Question Set 4: Communications
Communications can protect trust or damage it. Messages must be accurate, calm, approved, and timed correctly.
| Communications Question | What It Tests |
|---|---|
| Who owns internal updates? | Staff communication. |
| Who owns customer messaging? | External communication. |
| Who approves statements? | Governance. |
| What can we say before facts are confirmed? | Message discipline. |
| What if the incident appears on social media? | Public response. |
| What if we do not know the answer yet? | Trust management. |
Follow-up questions:
- Do we have a holding statement?
- Can support access approved wording quickly?
- Who monitors social media and customer channels?
- Do we know which customers need direct outreach?
- How do we avoid saying “no data was affected” too early?
Good communications evidence: holding statement, customer notification template, internal staff message, approved FAQ, status page procedure, media response process, communication approval log, and customer contact list.
Need Help Testing Your Incident Response Plan?
Canadian Cyber can facilitate the exercise, challenge assumptions, document decisions, and turn findings into a practical corrective action plan.
Five Practical Tabletop Scenarios
Use scenarios that create pressure. The goal is not to trick the team. The goal is to test decision-making before a real incident does.
| Scenario | What It Tests |
|---|---|
| Ransomware | Backup readiness, executive decisions, legal escalation, and customer communication. |
| Business Email Compromise | Identity controls, finance process, email logs, and vendor communication. |
| Vendor Breach | Supplier risk, contract obligations, impact assessment, and customer notification. |
| Cloud Admin Compromise | Privileged access, cloud logging, containment, and data exposure assessment. |
| AI Data Exposure | AI governance, customer data handling, privacy analysis, and staff training. |
Example: AI Data Exposure Scenario
Scenario prompt: An employee pasted customer support ticket details into an unapproved AI tool to summarize the issue. The ticket included customer names, contract details, and technical logs.
Pressure add-on: The customer asks whether their data is used for AI model training.
What it tests: AI governance, vendor review, data classification, privacy analysis, customer communication, and staff training.
Tabletop Questions by Incident Phase
A strong tabletop should follow the incident lifecycle.
| Phase | Questions to Ask |
|---|---|
| Detection | How was the issue detected? Who receives alerts? Who opens the incident record? |
| Triage | What facts are confirmed? What systems are affected? Is customer data involved? |
| Containment | Can accounts be disabled? Can sessions be revoked? What actions may destroy evidence? |
| Investigation | What logs are needed? Is data exfiltration suspected? Is external forensics needed? |
| Communication | Who approves customer messages? What can we say now? How often will we update? |
| Recovery | Are backups safe? What systems return first? Who approves return to service? |
| Lessons Learned | What failed? What worked? Who owns corrective actions? When will actions be verified? |
Evidence to Capture During the Tabletop
A tabletop should create audit-ready evidence for ISO 27001, SOC 2, cyber insurance, customer reviews, and board reporting.
| Evidence | Why It Matters |
|---|---|
| Scenario | Shows what was tested. |
| Agenda | Shows exercise structure. |
| Participant List | Shows who attended. |
| Decisions Made | Shows governance. |
| Gaps Found | Shows honest evaluation. |
| Corrective Actions | Shows improvement. |
| Final Report | Supports audits and management review. |
Evidence Naming Examples
- IncidentResponse-RansomwareTabletop-2026-Q2.docx
- IncidentResponse-TabletopAttendance-2026-Q2.pdf
- IncidentResponse-TabletopCorrectiveActions-2026-Q2.xlsx
- IncidentResponse-ExecutiveDecisionLog-2026-Q2.pdf
Create a Tabletop Evidence Pack
Canadian Cyber can help facilitate tabletop exercises and produce evidence packs for ISO 27001, SOC 2, cyber insurance, and board reporting.
Common Mistakes to Avoid
- Only inviting IT. Cyber incidents affect the whole business.
- Making the scenario too easy. Add uncertainty, missing facts, customer questions, and conflicting priorities.
- Skipping legal. Legal should help with notification, contracts, privilege, insurance, and regulatory questions.
- Letting communications improvise. Messages should be approved, accurate, and controlled.
- Not testing backups. If ransomware is part of the scenario, backup and restore questions must be included.
- Ending without corrective actions. A tabletop with no action items is just a conversation.
- Not saving evidence. Tabletop records help with ISO 27001, SOC 2, cyber insurance, and customer reviews.
What Good Looks Like
A strong tabletop exercise shows:
- clear roles
- fast escalation
- calm executive decisions
- technical containment steps
- legal involvement
- controlled communications
- backup and recovery awareness
- evidence preservation
- customer impact analysis
- decision logging
- corrective actions
- owners and due dates
The goal is not to prove the company is perfect. The goal is to find gaps before a real incident does.
Canadian Cyber’s Take
At Canadian Cyber, we often see organizations with incident response plans that look good on paper but have never been tested.
That is risky.
A real incident is stressful. People forget roles. Teams make assumptions. Messages go out too early. Logs disappear. Backups are questioned. Customers ask for answers before the investigation is complete.
A tabletop exercise gives leaders and teams a safe place to practice. It also creates evidence that supports ISO 27001, SOC 2, cyber insurance, and customer trust.
The best tabletop exercises are practical, uncomfortable, and action-driven.
Takeaway
A tabletop exercise is not a checkbox. It is a rehearsal for pressure.
Ask hard questions:
- Can executives make decisions?
- Can IT contain and recover?
- Can legal assess notification duties?
- Can communications speak clearly without overpromising?
- Can the company preserve evidence?
- Can teams work together?
- Can lessons become corrective actions?
If the answer is unclear, run the exercise before the real incident happens.
How Canadian Cyber Can Help
Canadian Cyber helps organizations design and run practical tabletop exercises for executive teams, IT, legal, and communications.
- ransomware tabletop exercises
- business email compromise tabletop exercises
- vendor breach simulations
- cloud compromise tabletop exercises
- AI data exposure tabletop exercises
- executive incident response workshops
- incident response plan reviews
- cyber insurance readiness exercises
- SOC 2 incident response evidence
- ISO 27001 incident response evidence
- communication template development
- corrective action tracking
- vCISO-led crisis governance
