Security Crisis Exercises and Tabletop Simulations | CloseProtectionHire


How to design and run security crisis exercises, tabletop simulations, and full-scale drills. Covers NCSC Exercise in a Box, ISO 22301, BCI guidelines, and K&R family exercises.

12 May 2026

Written by James Whitfield, Senior Security Consultant

A crisis plan that has never been tested is not a plan. It is a document of intentions. The difference between a document and a response capability is an exercised team that has been through the scenario before – not in an actual incident, but in a controlled environment where the mistakes can be identified and corrected without consequence.

Most corporate security plans do not meet this standard. ISO 22301:2019 requires exercises at planned intervals. In practice, many organisations complete their first exercise when an incident has already happened, or when their insurer requires evidence of exercising as a condition of a policy renewal.

The ISO 22301 Exercising Requirement

ISO 22301:2019 (Business Continuity Management Systems), Clause 8.5, requires organisations to plan and perform exercises to confirm that business continuity procedures are effective and consistent with the business continuity objectives. The exercises must be scheduled at planned intervals and must be triggered additionally by significant organisational changes.

Clause 9.1 requires documented information on the results of those exercises. Clause 10.2 requires nonconformities identified through exercising to be subject to corrective action. The standard does not prescribe the frequency or format of exercises – this is intentional, because the appropriate exercise programme depends on the complexity of the organisation and the severity of the risks it faces.

The BCI Good Practice Guidelines 2024 (8th Edition), Chapter 7, provides a structured approach to exercise design that is aligned with ISO 22301. It defines five types: workshops and orientations (familiarisation, no activation); tabletop exercises (scenario discussion, no physical activation); functional exercises (specific function testing with real actions); full-scale exercises (full activation of resources); and live exercises (external agency involvement). Each type provides different value at different cost.

NCSC Exercise in a Box, launched in 2018 and refreshed in 2024, makes a practical tabletop exercise programme accessible to organisations that have no dedicated continuity function. The tool provides facilitator guides, participant materials, and structured scenario packs for cyber incident response. It does not cover physical security scenarios but is an appropriate model for organisations developing their first exercise programme.

Tabletop Exercises: Design Principles

A tabletop exercise seats the crisis management team around a table (or a virtual equivalent) and presents a scenario that unfolds through a series of injects. The facilitator introduces developments – a new piece of information, an escalation, a media contact, a new stakeholder – and the team responds by discussing what they would do.

The most common failure in tabletop design is building a scenario that is too comfortable. When participants know how the scenario will develop, they manage the scenario rather than managing the crisis. The exercise should create genuine uncertainty, withhold information that the team would not have in a real incident, and introduce injects that force decisions before the team has the information they want.

Control Risks 2025 identifies two design principles that most organisations fail to apply: first, the scenario should start before the crisis is confirmed – with ambiguous information, partial reporting, and the first notification coming from an unexpected source. Second, the scenario should include a media or reputational dimension that runs in parallel with the operational response, forcing the team to manage both simultaneously.

For organisations with K&R exposure – those with staff or principals in P1 cities – Kroll Crisis Management 2024 recommends running a dedicated K&R tabletop exercise as a standalone programme, not combined with a broader business continuity exercise. The K&R scenario requires a specific subset of the crisis team, involves different decision-rights (particularly around ransom payment authority), and has confidentiality requirements that make it unsuitable for a combined exercise with general business continuity participants.

K&R Exercise Structure

A K&R tabletop exercise has five mandatory components that must each be tested:

Notification and first response (0-30 minutes). How does the organisation learn that a principal has been taken? The answer is rarely a direct call from the kidnappers – it is more commonly a missed check-in, a report from a colleague, or a call from a local contact. The team must practise the first 30 minutes: confirming the information, activating the K&R insurer’s crisis consultancy, and establishing a command and communications structure before the media or the family are aware.

Crisis team activation. Who is on the team? Who is the decision-maker with authority to engage the response? Is the K&R policy document accessible to the correct person at 3am? Does everyone on the team know their role? Control Risks and Kroll consistently identify confusion about decision-rights as the most significant initial team dysfunction in real incidents.

Family communication. The family liaison function is distinct from the crisis management function and must be exercised separately. The family must be briefed on: media silence as a condition of effective response, the verified-caller protocol (accepting calls only on pre-agreed numbers from pre-identified consultancy contacts), and the prohibition on social media commentary during an active response. Kroll Crisis Management 2024 records multiple incidents where well-intentioned family social media activity – asking for prayers, sharing news – confirmed the principal’s value, attracted competing criminal groups, and compromised the response within hours.

Media management. The holding statement, the single authorised spokesperson, and the social media monitoring procedure must all be exercised. A real incident will generate media pressure within hours. The team that has never agreed a holding statement in a simulated environment will struggle to produce one under real time pressure.

Resolution and recovery. When an incident ends – however it ends – what is the handover protocol? Who briefs the family? Who manages the media? What is the psychological support plan for the principal, the family, and the crisis team members? ISO 22301:2019 and ASIS Business Continuity Management Standard 2023 both require post-incident learning to be captured and used to update the plan.

Full-Scale Exercises

A full-scale exercise activates physical resources and response teams rather than discussing decisions in a room. For organisations with residential security infrastructure, it might mean a simulated perimeter breach with a live alarm response. For organisations with medical evacuation plans, it might mean activating the MEDEVAC provider and confirming response times.

The CPNI Crisis Exercise Guidance 2024 recommends that full-scale exercises for organisations with physical security responsibilities include a live communications test, a command post activation, and a deliberate degraded-environment scenario – testing what happens when normal communications fail and the team must operate on backup systems.

The value of a full-scale exercise is not that it tests the plan – tabletops do that more efficiently. It is that it tests the human performance of the response team under realistic time pressure, with realistic information gaps, and with the physical systems that the plan relies on actually running.

The FEMA ICS system, developed for US emergency management, provides a scalable incident command framework that has been adapted by UK organisations for crisis management. Its core disciplines – establishing a unified command, dividing the response into functional sections, maintaining documentation of decisions – are applicable to corporate crisis exercises regardless of whether the scenario is terrorism, kidnap, or critical IT failure.

For organisations that do not yet have a crisis exercise programme, the appropriate starting point is a 90-minute tabletop with the crisis management team, focused on a single scenario relevant to the organisation’s actual risk profile. See the related article on corporate crisis management and security incidents for the broader framework, and personal emergency response planning for the individual equivalent.


James Whitfield is a Senior Security Consultant with 20 years of experience in executive protection, threat assessment, and corporate security across the UK and internationally.

Key Takeaways

1. A plan that has never been exercised is not a plan -- it is a hypothesis

Crisis plans are written under assumptions about how people will behave and what resources will be available. Those assumptions are almost always partially wrong. The only way to find out where they are wrong is to run the plan through a simulated incident with the actual team that will respond. Discovery during an exercise is recoverable; discovery during a real incident is not.

2. The first 30 minutes of any crisis are the highest-risk period

Control Risks and Kroll both document that the worst decisions in real incidents are made in the first 30 minutes -- before the crisis management team is assembled, before the K&R consultancy is engaged, and before a coordinated position is agreed. A tabletop that exercises only the first 30 minutes -- the notification, the initial assessment, and the first holding statement -- delivers more value than a full-day exercise that glosses over the opening phase.

3. K&R exercises must involve the family liaison function, not just the corporate team

The family is the most significant uncontrolled variable in a kidnap response. A family that does not understand the media silence protocol or the verified-caller system can undermine an active response within hours of a real incident starting. The family should be briefed annually on the K&R protocol, and the family liaison role should be exercised separately from the corporate crisis team -- ideally as a dedicated 60-minute tabletop.

4. NCSC Exercise in a Box is free and suitable for organisations without a dedicated security function

NCSC Exercise in a Box, refreshed in 2024, provides a free online resource for organisations that do not have an internal business continuity function or the budget for external facilitation. The tool provides pre-built exercise scenarios, facilitator guides, and participant materials. It is not a substitute for a full-scale exercise but is considerably better than no exercise at all, and is an appropriate starting point for SMEs and organisations with limited security resources.

5. Exercise findings only have value if they are actioned within 30 days

The post-exercise gap report is the most frequently wasted product of a crisis exercise programme. Most organisations produce a comprehensive gap analysis and then file it. The BCI Good Practice Guidelines 2024 are explicit: improvement actions from exercises must have named owners and completion deadlines. Without both, the exercise result degrades to the same value as a theoretical planning document -- which is to say, not tested against reality.

Frequently Asked Questions

Business Continuity Institute (BCI) Good Practice Guidelines 2024, Chapter 7, identifies five exercise types in ascending order of complexity: discussion-based exercises (workshops and orientations – familiarise participants with plans without enacting them); tabletop exercises (scenario-based discussions in a meeting room format, no physical activation of resources); functional exercises (test specific functions – communications, IT recovery, command and control – with a simulated scenario driving real actions from participants); full-scale exercises (simulate an actual incident as realistically as possible, activating physical resources and response teams in the field); and live exercises (similar to full-scale but with external agency involvement – police, fire, ambulance). ISO 22301:2019 (Business Continuity Management Systems), Clause 8.5, requires organisations to conduct exercises and tests to determine whether the BCMS meets its objectives, and to identify areas for improvement. NCSC Exercise in a Box (launched 2018, refreshed 2024) provides a free online tool for small and medium enterprises to run structured tabletop exercises focused on cyber incident response. For security-specific exercises, the CPNI Crisis Exercise Guidance 2024 provides a framework for testing corporate security plans including kidnap, terrorism, physical intrusion, and significant data loss scenarios.

ISO 22301:2019 requires exercises to be planned and performed at planned intervals and triggered by significant changes to the organisation or its context. The BCI Good Practice Guidelines 2024 recommend at minimum: one tabletop exercise per year for all plan owners; one functional exercise per year covering at least one critical function; and a full-scale exercise covering all critical functions every two to three years. For organisations with elevated threat profiles – those operating in P1 cities, with kidnap exposure, or with critical infrastructure responsibilities – Control Risks 2025 recommends quarterly tabletop exercises and at minimum one full-scale exercise per year. The CPNI Crisis Exercise Guidance 2024 emphasises that frequency should be driven by plan changes, staff turnover, and incident experience rather than a fixed calendar. A plan that is exercised but never updated after the exercise findings is worse than no exercise at all – the exercise creates false confidence.

A K&R tabletop exercise should test five components: initial notification (how does the company learn of the incident? who is notified first? what is the immediate holding procedure?), crisis team activation (who is on the crisis management team? who has the authority to engage the K&R insurer and crisis consultancy? is the K&R policy document accessible to the person who needs to activate it?), family communication (is there a designated family liaison who is not also the media spokesperson? has the family been briefed on media silence protocol? does the family have an independent support contact?), media management (what is the holding statement? who is the single authorised spokesperson? what is the social media monitoring and takedown procedure?), and resolution (what is the handover protocol when the incident ends? who authorises a ransom payment decision? what is the post-incident psychological support plan?). Kroll Crisis Management 2024 notes that most failures in real K&R incidents occurred because the crisis team had never practised the first notification phase – the moment of genuine confusion when information is scarce and decisions must be made quickly. Control Risks K&R Tabletop Exercise Framework 2025 recommends running this component as a standalone 90-minute exercise before attempting a full-scenario tabletop.

ISO 22301:2019 Clause 9.1 requires organisations to evaluate the performance of the BCMS by maintaining documented information on exercise results. The BCI Good Practice Guidelines 2024 recommend a structured post-exercise report containing: a summary of the exercise objectives and whether they were met; a gap analysis comparing actual team performance against the plan; a list of specific improvement actions with named owners and deadlines; and a record of what worked well. The improvement actions must be tracked to completion, not simply listed. A common failure pattern identified by Control Risks 2025 is the completion of a thorough exercise followed by a gap report that is never actioned – usually because the exercise was conducted by an external consultancy and the internal team did not own the improvement process. The most effective format is a 30-day action log with named individuals responsible for each item, reviewed at the next management team meeting. NCSC Exercise in a Box includes a lessons-learned template designed for small organisations that have no dedicated business continuity function.

The primary benefit is decision-making capability under pressure. Kroll Crisis Management 2024 notes that executives who have not exercised their crisis response typically make three predictable errors in real incidents: they over-communicate with affected family members (which compromises an active K&R response), they engage with media without a coordinated holding statement (which creates contradictory narratives), and they make premature decisions on the basis of incomplete initial information. A tabletop exercise that deliberately withholds information in the opening phase and forces the team to manage uncertainty is the single most effective preparation for real incident management. A secondary benefit is identifying gaps in the crisis management plan that are only visible when humans actually try to execute it – policy documents that reference systems or contacts that no longer exist, decision-rights that are unclear or vest authority in people who are not available 24-7, notification trees that have not been updated after staff changes. The exercise forces the plan to be tested by the people who will actually use it, not the people who wrote it.