Use: complete after each IR or DR/BCP tabletop (at least annually each). Owner: CISO (IR) / CTO (DR). File in the SharePoint evidence library. Frameworks: SOC 2 IRO-1 (IR plan tested), BCD-2 (DR plan tested); supports CC7.4/CC9.1. Vanta slots: incident-response-plan-test, disaster-recovery-tabletop.
Fill after the exercise — do not pre-date. Replace every variable.
Exercise
- Type: {{exercise_type}}
- Date: {{exercise_date}} · Facilitator: {{facilitator_name}} · Participants: {{participants}}
- Scenario: {{scenario}}
- Plan(s) exercised: {{plans_exercised}}
Walkthrough
| Phase | Expected action (per plan) | What happened in the exercise | Gap? |
|---|
| Detection / declaration | {{detection_expected}} | {{detection_actual}} | {{detection_gap}} |
| Triage / severity | {{triage_expected}} | {{triage_actual}} | {{triage_gap}} |
| Containment / response (or failover) | {{containment_expected}} | {{containment_actual}} | {{containment_gap}} |
| Communication (internal/external) | {{communication_expected}} | {{communication_actual}} | {{communication_gap}} |
| Recovery / restoration | {{recovery_expected}} | {{recovery_actual}} | {{recovery_gap}} |
| Post-incident / review | {{postincident_expected}} | {{postincident_actual}} | {{postincident_gap}} |
Findings & metrics
- RTO/RPO observed (DR exercises): {{rto_rpo_observed}} vs target {{rto_rpo_target}}
- Gaps / weaknesses identified: {{gaps_identified}}
- What worked well: {{what_worked_well}}
Corrective actions
| Action | Owner | Due | Tracked in |
|---|
| {{action}} | {{action_owner}} | {{action_due}} | Corrective Action |
Sign-off
- Facilitator: {{facilitator_name}} · {{facilitator_date}} · CISO/CTO: {{approver_name}} · {{approver_date}}
Variables
| Variable | Description |
|---|
{{exercise_type}} | Exercise type (Incident Response / Disaster Recovery / Business Continuity) |
{{exercise_date}} | Date the exercise was conducted |
{{facilitator_name}} | Name of the facilitator |
{{participants}} | Participant names/roles |
{{scenario}} | The simulated incident/outage |
{{plans_exercised}} | Plan(s) exercised (e.g., Incident Response Policy / Business Continuity Policy / DR runbook) |
{{detection_expected}} | Detection / declaration — expected action per plan |
{{detection_actual}} | Detection / declaration — what happened in the exercise |
{{detection_gap}} | Detection / declaration — gap? |
{{triage_expected}} | Triage / severity — expected action per plan |
{{triage_actual}} | Triage / severity — what happened in the exercise |
{{triage_gap}} | Triage / severity — gap? |
{{containment_expected}} | Containment / response (or failover) — expected action per plan |
{{containment_actual}} | Containment / response (or failover) — what happened in the exercise |
{{containment_gap}} | Containment / response (or failover) — gap? |
{{communication_expected}} | Communication (internal/external) — expected action per plan |
{{communication_actual}} | Communication (internal/external) — what happened in the exercise |
{{communication_gap}} | Communication (internal/external) — gap? |
{{recovery_expected}} | Recovery / restoration — expected action per plan |
{{recovery_actual}} | Recovery / restoration — what happened in the exercise |
{{recovery_gap}} | Recovery / restoration — gap? |
{{postincident_expected}} | Post-incident / review — expected action per plan |
{{postincident_actual}} | Post-incident / review — what happened in the exercise |
{{postincident_gap}} | Post-incident / review — gap? |
{{rto_rpo_observed}} | RTO/RPO observed (DR exercises) |
{{rto_rpo_target}} | RTO/RPO target |
{{gaps_identified}} | Gaps / weaknesses identified |
{{what_worked_well}} | What worked well |
{{action}} | Corrective action |
{{action_owner}} | Action owner |
{{action_due}} | Action due date |
{{facilitator_date}} | Date the facilitator signed off |
{{approver_name}} | Name of the CISO/CTO signing off |
{{approver_date}} | Date of the CISO/CTO sign-off |
Cross-references