Use: complete after each IR or DR/BCP tabletop (at least annually each). Owner: CISO (IR) / CTO (DR). File in the SharePoint evidence library. Frameworks: SOC 2 IRO-1 (IR plan tested), BCD-2 (DR plan tested); supports CC7.4/CC9.1. Vanta slots: incident-response-plan-test, disaster-recovery-tabletop.
Fill after the exercise — do not pre-date. Replace every variable.

Exercise

  • Type: {{exercise_type}}
  • Date: {{exercise_date}} · Facilitator: {{facilitator_name}} · Participants: {{participants}}
  • Scenario: {{scenario}}
  • Plan(s) exercised: {{plans_exercised}}

Walkthrough

PhaseExpected action (per plan)What happened in the exerciseGap?
Detection / declaration{{detection_expected}}{{detection_actual}}{{detection_gap}}
Triage / severity{{triage_expected}}{{triage_actual}}{{triage_gap}}
Containment / response (or failover){{containment_expected}}{{containment_actual}}{{containment_gap}}
Communication (internal/external){{communication_expected}}{{communication_actual}}{{communication_gap}}
Recovery / restoration{{recovery_expected}}{{recovery_actual}}{{recovery_gap}}
Post-incident / review{{postincident_expected}}{{postincident_actual}}{{postincident_gap}}

Findings & metrics

  • RTO/RPO observed (DR exercises): {{rto_rpo_observed}} vs target {{rto_rpo_target}}
  • Gaps / weaknesses identified: {{gaps_identified}}
  • What worked well: {{what_worked_well}}

Corrective actions

ActionOwnerDueTracked in
{{action}}{{action_owner}}{{action_due}}Corrective Action

Sign-off

  • Facilitator: {{facilitator_name}} · {{facilitator_date}} · CISO/CTO: {{approver_name}} · {{approver_date}}

Variables

VariableDescription
{{exercise_type}}Exercise type (Incident Response / Disaster Recovery / Business Continuity)
{{exercise_date}}Date the exercise was conducted
{{facilitator_name}}Name of the facilitator
{{participants}}Participant names/roles
{{scenario}}The simulated incident/outage
{{plans_exercised}}Plan(s) exercised (e.g., Incident Response Policy / Business Continuity Policy / DR runbook)
{{detection_expected}}Detection / declaration — expected action per plan
{{detection_actual}}Detection / declaration — what happened in the exercise
{{detection_gap}}Detection / declaration — gap?
{{triage_expected}}Triage / severity — expected action per plan
{{triage_actual}}Triage / severity — what happened in the exercise
{{triage_gap}}Triage / severity — gap?
{{containment_expected}}Containment / response (or failover) — expected action per plan
{{containment_actual}}Containment / response (or failover) — what happened in the exercise
{{containment_gap}}Containment / response (or failover) — gap?
{{communication_expected}}Communication (internal/external) — expected action per plan
{{communication_actual}}Communication (internal/external) — what happened in the exercise
{{communication_gap}}Communication (internal/external) — gap?
{{recovery_expected}}Recovery / restoration — expected action per plan
{{recovery_actual}}Recovery / restoration — what happened in the exercise
{{recovery_gap}}Recovery / restoration — gap?
{{postincident_expected}}Post-incident / review — expected action per plan
{{postincident_actual}}Post-incident / review — what happened in the exercise
{{postincident_gap}}Post-incident / review — gap?
{{rto_rpo_observed}}RTO/RPO observed (DR exercises)
{{rto_rpo_target}}RTO/RPO target
{{gaps_identified}}Gaps / weaknesses identified
{{what_worked_well}}What worked well
{{action}}Corrective action
{{action_owner}}Action owner
{{action_due}}Action due date
{{facilitator_date}}Date the facilitator signed off
{{approver_name}}Name of the CISO/CTO signing off
{{approver_date}}Date of the CISO/CTO sign-off

Cross-references