Every security team has had this conversation: “Do we actually need to run a tabletop exercise, or is this just a nice-to-have?” The answer depends on which frameworks you’re subject to — and the answer is usually yes, you need to, and probably more rigorously than you think.
The problem is that no two frameworks say it the same way. SOC 2 never uses the words “tabletop exercise.” PCI DSS gives you one sentence. HIPAA has been vague about it for twenty years and is only now making it mandatory. Some frameworks demand annual testing with specific documentation. Others imply it so strongly that skipping it is a gamble you’ll lose.
Here’s every major framework in one place — what it actually requires, how often, and what you need to show the auditor.
The compliance comparison table
This is the reference. Bookmark it.
| Framework | Requirement | What It Says | Frequency | Explicitly Requires TTX? |
|---|---|---|---|---|
| SOC 2 | CC7.3–CC7.5 | Evaluate effectiveness of incident response; execute response activities | Within observation window (annual for Type II) | No — but auditors expect testing evidence |
| PCI DSS 4.0 | 12.10.2 | “Review and test the plan, including all elements listed in 12.10.1” | At least every 12 months | Yes — “test” is explicit |
| HIPAA | §164.308(a)(7)(ii)(D) | Testing and revision of contingency plans | Annual (mandatory under 2026 proposed rule) | Not yet — 2026 rule will make it explicit |
| ISO 27001 | A.5.24 / A.5.26 | Test incident management processes through drills and simulations | Defined by the organization (annual typical) | Yes — “drills and simulations” |
| NIST 800-53 | IR-3 | “Test the incident response capability” | Per organization’s risk assessment | Yes |
| CMMC Level 2 | IR.L2-3.6.3 | Test the organizational incident response capability | At least annually | Yes |
| DORA | Articles 25–26 | Digital operational resilience testing, threat-led penetration testing | Annual for basic testing; every 3 years for TLPT | Yes — for significant financial entities |
| GDPR | Article 32(1)(d) | “Regularly testing, assessing and evaluating the effectiveness” of security measures | Not specified — “regularly” | Implied, not explicit |
| Cyber Insurance | Varies by carrier | Evidence of IR plan testing, scenario documentation, gap remediation | Typically annual, timed to renewal | Increasingly yes — as underwriting requirement |
The pattern is clear: every major framework is converging on “prove you tested your plan.” The ones that haven’t said it explicitly yet are heading there.
Frameworks that explicitly require testing
These don’t leave room for interpretation. If you’re subject to them, you need documented evidence of IR plan testing.
PCI DSS 4.0 — Requirement 12.10.2. One sentence: test the plan, at least annually, covering every element in 12.10.1. That means your exercise needs to touch roles and responsibilities, communication procedures, notification of payment brands and acquirers, containment and mitigation, and business continuity. A tabletop that only walks through “what would we do if we found malware” without hitting every element on that list will generate a finding. For the full breakdown of what QSAs evaluate, see our PCI DSS 12.10.2 guide.
NIST 800-53 IR-3. The control is direct: “Test the incident response capability for the system using defined tests to determine the effectiveness of the capability.” Federal agencies and defense contractors operating under NIST 800-53 don’t have ambiguity here. The testing has to be defined, documented, and produce findings that feed back into the plan.
CMMC Level 2 — IR.L2-3.6.3. Derived from NIST 800-171, this requires testing the incident response capability. With the CMMC Level 2 certification deadline set for November 2026, defense contractors who haven’t run a documented exercise are running out of runway.
DORA — Articles 25–26. The EU’s Digital Operational Resilience Act requires financial entities to perform digital operational resilience testing at least annually, with advanced threat-led penetration testing (TLPT) every three years for significant institutions. DORA has been enforceable since January 2025, and supervisory authorities are actively checking compliance. If you’re a bank, insurer, or fintech operating in the EU, this isn’t optional.
Frameworks that require it in practice
These standards don’t use the words “tabletop exercise” — but auditors treat IR plan testing as a baseline expectation. Skipping it is the kind of calculated risk that stops being calculated when the auditor writes it up.
SOC 2 — CC7.3, CC7.4, CC7.5. The Trust Services Criteria never say “tabletop.” What CC7.3 says is evaluate whether your response actually works. What CC7.4 says is execute your response activities. What CC7.5 says is restore to normal and learn from it. Auditors interpret this as: show me evidence you tested the plan.
An exercise report with participant names, scenario scope, decisions, and findings is what satisfies this. No exercise, no evidence, and from the auditor’s perspective, you didn’t do it. We wrote a complete guide to what SOC 2 auditors want from these criteria.
ISO 27001 — A.5.24 and A.5.26. The 2022 revision reorganized Annex A, and the testing requirement now lives under A.5.24 (incident management planning and preparation), which explicitly requires “drills and simulations.” If you’re still citing A.16.1.5 in your evidence, your auditor will notice the outdated control numbering.
The exercise also needs to connect to your risk assessment under Clause 6.1 — a generic scenario pulled off the internet doesn’t demonstrate anything about your specific risk posture. Our ISO 27001 A.5.24 and A.5.26 walkthrough covers the 2013-to-2022 mapping and what certification auditors check.
HIPAA — §164.308(a)(7)(ii)(D). For twenty years, HIPAA classified IR plan testing as “addressable” — which most organizations interpreted as “skippable.” The 2026 proposed rule eliminates the addressable/required distinction entirely. Annual testing becomes mandatory, with a 72-hour restoration requirement that covered entities must demonstrate, not just plan for. If your organization handles PHI and hasn’t tested the IR plan, the compliance window is closing. Here’s our breakdown of the 2026 HIPAA rule changes.
GDPR — Article 32(1)(d). “Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.” GDPR doesn’t specify how — but a tabletop exercise is one of the most defensible ways to demonstrate you’ve tested your incident response capability. Given that Article 33 requires breach notification within 72 hours, a notification process you have rehearsed is far easier to defend to a regulator than one that exists only on paper.
The one nobody thinks of: cyber insurance
Cyber insurance isn’t a compliance framework. But in 2026, it functions like one.
Carriers have learned from the ransomware wave. Organizations with untested IR plans file larger, slower, and more expensive claims. So underwriters started asking questions that sound a lot like an auditor: When did you last test your plan? What scenarios did you use? What gaps did you find? How did you fix them?
Roughly 41% of first-time SMB applicants get denied cyber coverage. An untested plan is one of the common red flags. An exercise that found issues and led to remediation — that’s the maturity signal carriers are looking for.
Some carriers now require an exercise report before they’ll quote. Others use it to adjust premiums. Either way, a documented tabletop exercise is becoming table stakes for coverage. We covered this in detail in Does Your Cyber Insurance Require a Tabletop Exercise?
What auditors actually evaluate — across all frameworks
The specific requirements differ, but auditors and assessors across every framework listed above are looking for the same core evidence. After sitting through enough audit cycles, the pattern is obvious:
A dated report. When did the exercise happen? If the date is outside the assessment window, it doesn’t count. Every single framework cares about recency.
Participant names and roles. Security running an exercise alone doesn’t demonstrate that legal knows the notification requirements or that comms has a statement ready. Auditors check for breadth — especially in frameworks like PCI DSS where specific cross-functional activities are enumerated.
Scenario scope and realism. Was the scenario relevant to your actual risk profile? A healthcare org running a generic “data breach” exercise instead of an EHR ransomware scenario raises questions. ISO 27001 auditors explicitly check whether the scenario connects to risks in your Clause 6.1 register.
Decisions made and gaps found. This is the part most exercises get wrong. An exercise where everyone agreed on everything and no issues surfaced looks like theater — because it probably was. Auditors expect findings. An exercise that identified gaps and produced a remediation plan demonstrates the exercise had real value.
Remediation tracking. Finding problems is half the credit. Fixing them — and being able to show you did — is the other half. The strongest evidence is a thread from exercise findings to remediation actions to completed fixes, all documented.
The team that produces this evidence package once and reuses the template across frameworks saves itself four separate documentation exercises. One well-structured tabletop can satisfy SOC 2, PCI DSS, HIPAA, and ISO 27001 simultaneously — if the scope is designed to cover each framework’s specifics.
Frequently asked questions
How often do compliance frameworks require tabletop exercises?
Most frameworks that specify a frequency require annual testing at minimum. PCI DSS 12.10.2 and HIPAA (under the 2026 proposed rule) both mandate at least once every 12 months. SOC 2 Type II requires the exercise to fall within the observation window. DORA requires advanced testing based on risk, typically annually for significant financial entities. Some organizations run quarterly exercises to cover multiple frameworks in a single cycle.
Do tabletop exercises satisfy compliance, or do you need a full-scale drill?
Tabletop exercises satisfy the IR plan testing requirement for every framework listed here. No major cybersecurity compliance framework requires a full-scale drill. PCI DSS, SOC 2, HIPAA, and ISO 27001 all accept discussion-based exercises as valid evidence — provided they test the right elements and produce proper documentation.
What documentation do auditors expect?
Across frameworks, auditors consistently look for: the date and duration of the exercise, participant names and roles, the scenario used and its scope, key decisions made during the exercise, gaps or weaknesses identified, and a remediation plan with owners and timelines. An exercise that found no issues is more suspicious than one that found several.
Can one tabletop exercise satisfy multiple compliance frameworks?
Yes. A well-designed exercise that tests your full IR plan, includes the right participants, and produces thorough documentation can satisfy SOC 2, PCI DSS, HIPAA, and ISO 27001 simultaneously. The key is mapping your exercise scope to each framework’s specific requirements beforehand and documenting which requirements each element of the exercise addresses.
The common thread
Every framework on this list is asking the same question in different language: did you test your plan, and can you prove it?
The ones that used to leave room for interpretation — HIPAA, GDPR — are closing those gaps. The ones that were always explicit — PCI DSS, NIST — are expanding what “test” means. And cyber insurance carriers are asking the same questions auditors do, just with different leverage.
Running exercises for compliance is fine. Running them because your team actually needs the practice — that’s the point. The compliance artifact is a byproduct of doing something genuinely useful.
Breachdeck generates the full evidence package — timestamped decisions, competency scores, gap identification, remediation tracking — as a byproduct of running a realistic exercise. One scenario, one PDF, mapped to whichever frameworks you need. Run the demo — pick a scenario and see the report it produces.