BLOG HOME > Data Breaches > How to Test Your Incident Response Plan

How to Test Your Incident Response Plan

*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide

You can’t afford to be unprepared for the aftermath of a data breach. It’s up to you to control the situation and protect your business. A critical component to protecting your business is to have an incident response plan and to test it regularly. 

Get Started with PCI Compliance

Start Here

To help staff, regularly test their reactions through real-life simulations such as tabletop exercises. Tabletop exercises allow employees to learn and practice their incident response roles when nothing is at stake, which can help you discover gaps in your incident response plan (e.g., communication issues).



In a discussion-based tabletop exercise, incident response team members discuss response roles in hypothetical situations. This tabletop exercise is a great starting point because it doesn’t require extensive preparation or resources, while it still tests your team’s response to real-life scenarios without risk to your organization.

However, this exercise can’t fully test your incident response plan or your team’s response roles.


In a simulation exercise, your team tests their incident responses through a live walk-through test that has been highly choreographed and planned. This exercise allows participants to experience how events actually happen, helping your team better understand their roles.

However, simulation exercises require a lot of time to plan and coordinate, while still not fully testing your team’s capabilities.


In parallel testing, your incident response team actually tests the incident response roles in a test environment. Parallel testing is the most realistic simulation and provides your team with the best feedback about their roles.

Parallel testing is more expensive and requires more time planning than other exercises because you need to simulate an actual production environment, with realistic systems and networks.

Get my free SecurityMetrics PCI Guide

Download Now


Before conducting a tabletop exercise, determine your organization’s needs by asking:

  • Has your incident response team received adequate training regarding their roles and responsibilities?
  • When did you last conduct a tabletop exercise?
  • Have there been recent organizational changes that might affect your incident response plan?
  • Has there been any recent guidance or legislation that might impact your response plan?

Next, design your tabletop exercise around an incident response plan topic or section that you want tested. Identify any desired learning objectives or outcomes. From there, create and coordinate with your tabletop exercise staff (e.g., facilitator, participants, and data collector) to schedule your tabletop exercise

When designing your tabletop exercise, prepare the following exercise information in advance:

  • A facilitator guide that documents your exercise’s purpose, scope, objective, and scenario, including a list of questions to address your exercise’s objectives.
  • A participant briefing that includes the exercise agenda and logistics information.
  • A participant guide that includes the same information as the facilitator guide, except it either doesn’t include any of the questions or includes a shorter list of questions designed to prepare participants.
  • An after-action report that documents the evaluations, observations, and lessons learned from your tabletop exercise staff.

After conducting a tabletop exercise, set up a debrief meeting to discuss response successes and weaknesses.

Your team’s input will help you know where and how to make necessary revisions to your incident response plan and training processes.

Join Thousands of Security Professionals and Subscribe