Most frameworks that require tabletop exercises — DORA, NIS2, ISO 27001 recommendations, NCSC guidance — specify periodic testing without defining a precise frequency. “At least annually” appears often. “Periodically” appears more often. And organisations are left to determine what testing frequency is appropriate for their risk profile and operational context.

There is no single right answer. But there are principles that should drive the frequency decision, and common patterns that distinguish mature exercise programmes from compliance-minimum approaches.

The Minimum: Annual Testing

Annual tabletop testing is the baseline that regulators and certification bodies typically expect to see evidenced. A well-designed annual exercise covering the organisation’s highest-priority threat scenario — for most organisations, ransomware or a significant data breach — satisfies the “periodic testing” requirement, demonstrates that incident response capabilities are being actively maintained, and provides a documented set of findings and remediation actions.

Annual testing is the right frequency for organisations that are establishing their exercise programme for the first time, have limited resources to invest in exercise preparation, or operate in sectors where regulatory requirements specify annual testing as the standard.

Its limitation is that it tests once per year what should be a continuously improving capability. Findings from an annual exercise that take six months to remediate leave the organisation with a six-month window of known weakness. And if the annual exercise tests the same scenario each year, it validates the same set of capabilities without testing the adjacent areas that a real incident might demand.

A More Mature Programme: Scenario Rotation and Audience Segmentation

Organisations with more mature exercise programmes rotate scenarios across multiple exercises per year and segment their audience to address different aspects of incident response capability.

Scenario rotation means covering different threat types across the exercise calendar — a ransomware scenario, a data breach scenario, a third-party supply chain incident, a DDoS scenario, an insider threat scenario. Each scenario tests different aspects of the response capability and reveals different gaps. An organisation that runs only ransomware tabletops has not tested its response to the data breach scenarios that might trigger GDPR notification obligations, or the supply chain incidents that are increasingly common in regulated sectors.

Audience segmentation means running exercises at different levels of the organisation. An executive-level exercise tests decision-making and communication. A technical exercise tests the IR team’s detection, containment, and recovery capabilities in depth. A cross-functional exercise tests the coordination between technical and business teams. A board exercise specifically tests governance oversight and strategic decision-making. Each level reveals different gaps; testing only one level leaves the others untested.

The Regulatory Trigger: Test After Significant Events

Beyond scheduled exercises, significant events should trigger unscheduled exercises. A significant security incident — even one that was managed successfully — is an opportunity to run a post-incident tabletop that tests whether the response was optimal and what the organisation would do differently. A material change in the threat landscape, a significant change in the technology environment, or a major organisational change are all triggers for an unscheduled exercise that validates continued readiness under changed conditions.

At Bitsecura, we help organisations design exercise programmes — not just individual exercises. We develop multi-year exercise calendars with scenario rotation, audience segmentation, and integration with regulatory testing requirements, building the continuous improvement cycle that genuine incident readiness requires. Talk to us here if you want to build a programme rather than schedule a one-off exercise.


Bitsecura provides cybersecurity tabletop exercise design and facilitation services. Learn more about our tabletop exercise services.