Crisis exercises
Having a continuity plan and a recovery plan is great, but on the day of the incident only one thing counts: that they work and that your team knows how to execute them. Crisis exercises check that while nothing is yet at stake: we sit the crisis committee in front of a realistic scenario, put the technical recovery to the test and observe what is decided, what fails and what is missing. You come out with the gaps detected calmly, the team trained and a report with evidence for the audit.
Crisis exercises and tabletop drills, across Spain.
Why
You do not know whether your plan works until you use it. Better to discover the gaps in a rehearsal than in the middle of a crisis.
A plan that has never been executed is an assumption. The rehearsal is the only way to know whether it holds up.
Training the team prevents the freeze and the bad decisions when the incident is real and the clock is ticking.
The exercise brings the holes in the plan to light without the cost, the rush or the damage of a real incident.
Article 21 of NIS2 and article 11 of DORA ask you to prove that the plan works and that management masters crisis handling.
What it includes
A crisis exercise designed around your real risks, not a textbook drill to tick the box.
The crisis committee decides in front of a scenario, without touching systems. It puts management to the test at the strategic and tactical level.
Real recovery tests: we restore, perform failover and measure the times against the RTO.
Designed around your real risks (ransomware, data breach, provider down), not a generic script.
Who decides, who escalates and who coordinates when things get serious and time is short.
What is said, to whom and when: customers, employees, authorities and media, with a clear spokesperson.
Findings, prioritized improvements and valid evidence for NIS2, DORA and ISO 22301.
The approach
A good exercise is not the one that goes perfectly, it is the one that brings to light what does not work.
A phone number nobody has to hand, a backup that was not there, a decision nobody knew who owned. Those gaps are far better found in a meeting room than in the middle of a crisis, with customers waiting and the clock against you.
That is why we do not stage a show to tick the box. We design an uncomfortable, realistic scenario, with no known script, and observe how your team responds. The outcome is not a pass: it is a list of gaps and lessons learned to fix before they matter.
The difference
A known script, everyone warned and a happy ending. It reassures the auditor, but it trains nobody and finds nothing.
A realistic scenario that makes things uncomfortable, with no known script, where the gaps come to light and get corrected in time.
When
With an untested continuity plan or recovery plan, you do not know whether it holds up on the real day.
The law requires regular tests and proof that your management knows how to handle a crisis.
New systems, new teams or new providers: time to test again that the plan still holds.
So the management committee knows what to decide and how to coordinate the day everything burns, without improvising.
How we work
An orderly method so the exercise really trains and leaves concrete things to fix.
The tailored scenario around your real risks and the plans you want to put to the test.
The exercise, tabletop or technical drill, with the real roles and with no known script.
We note decisions, times, doubts and gaps while the team responds, without interrupting.
Findings, prioritized improvements and the evidence that an audit asks for.
Fits with
An exercise does not stand alone: it tests and keeps in shape the continuity plan and the disaster recovery, and trains those who will later have to lead the incident response.
Each exercise feeds continuous improvement and leaves the evidence that ISO 22301 certification asks for. You have the full continuity and cyber resilience area.
Questions
It is a tabletop exercise in which the crisis committee works through how it would respond to a scenario, without touching the systems. It focuses on decisions, coordination and communication under pressure, not on the technical side.
The tabletop tests the management and the decisions of the crisis committee. The technical drill tests the real recovery of systems and data: it restores, performs failover and measures the times. The ideal is to combine both.
Regularly and whenever your systems, your team or your risks change. A plan is tested to keep it alive, not just once: what worked last year may have become obsolete.
Yes. Article 21 of NIS2 and article 11 of DORA do not only ask you to have plans, they ask you to prove that they work and to demonstrate that management knows how to handle a crisis. The exercise report leaves that evidence, aligned with ISO 22301.
The ideal is to test a plan that already exists. But an exercise is also useful to discover that you need one and where to start: it reveals the gaps and the order in which it is best to resolve them.
The tabletop does not touch the systems, so it does not affect operations. The technical drill is planned carefully so as not to impact production, choosing the timing and the scope with you.
When did you last test that your plan works?
If the answer is never, that is the reason. Let us design an exercise around the scenario that worries you most.