Assurance Bureau delivers independent, facilitated tabletop exercises that put your incident response, business continuity, and disaster recovery plans to the test before a real event does. A plan that has never been exercised is an assumption. A tabletop turns that assumption into evidence, surfacing the gaps in your decision-making, communications, and recovery steps while the stakes are still hypothetical.

Whether the driver is an ISO 27001 or ISO 22301 requirement, a SOCI Act obligation, an APRA expectation, a cyber insurance condition, or board-level assurance, our exercises give your team a realistic rehearsal and a clear, evidence-based picture of how your plans hold up under pressure.

Assurance Bureau is led by a Principal Consultant who is an ASD-endorsed IRAP Assessor and holds an active Australian Government NV1 security clearance. That same control assessment discipline shapes how we design and run an exercise. We are not there to put on a show. We are there to find what breaks.

What is a tabletop exercise?

A tabletop is a structured, discussion-based exercise. Your team works through a realistic scenario step by step, talking through the decisions they would make, the actions they would take, and the people they would contact. There is no live system impact and no production risk. The value is in the conversation and the gaps it exposes.

We run three related exercise types, separately or combined:

• Incident response. A simulated cyber incident such as ransomware, a data breach, or a compromised account. We test detection, triage, containment, escalation, and notification.

• Business continuity. A disruption to your critical business functions. We test how you keep operating, who makes the call, and how your continuity arrangements actually perform.

• Disaster recovery. A loss of key systems or infrastructure. We test your recovery sequence, your recovery time and recovery point objectives, and whether your restore steps are real or theoretical.

A scenario can stay within one of these or cross all three, because a serious incident rarely stays in its lane.

Why organisations need tabletop exercises

• ISO 27001 and ISO 22301. ISO 27001 expects incident response and ICT readiness for business continuity to be planned, prepared, and tested, not just documented. ISO 22301 requires business continuity arrangements to be exercised and evaluated. An auditor will ask for evidence that you have actually tested your plans, and a facilitated tabletop with a written after-action report is exactly that evidence.

• Critical infrastructure (SOCI). Responsible entities for critical infrastructure assets must maintain a Risk Management Program, and testing response and continuity arrangements is part of demonstrating that the program is real and effective.

• APRA-regulated entities. CPS 230 and CPS 234 set clear expectations that response and recovery plans are tested regularly and that lessons are fed back into the plans. Tabletops are a recognised way to meet that expectation.

• Cyber insurance. Insurers increasingly want to see a tested incident response capability before they write or renew a policy. A documented exercise programme strengthens your position at renewal.

• Government and Defence. Entities working under the PSPF, DISP, or ISM-aligned obligations are expected to have incident response arrangements that are exercised, not shelved.

• Board and executive assurance. Boards are accountable for cyber and operational resilience. A tabletop run with the leadership team gives the board direct, first-hand confidence that the organisation can respond, rather than a paper assurance.

What we cover

• Roles, responsibilities, and decision authority. Who leads, who decides, and what happens when a key person is unavailable

• Detection, triage, and escalation. Whether your team recognises the situation and moves it to the right people at the right time

• Internal and external communications. Staff, customers, partners, regulators, and the public, including the timing and content of mandatory notifications

• Technical response and recovery. Containment, restoration sequence, recovery time and recovery point objectives, and whether restore steps are tested or assumed

• Plan accuracy. Where your documented plans match reality, and where they have drifted or were never workable

• Improvement actions. A prioritised set of findings your team can actually act on

How an engagement works

1. Scope. We agree the exercise type or combination, the participants, the objectives, and the level of challenge. We tailor the scenario to your sector, your systems, and the threats that are realistic for you.

2. Design. We build a scenario with staged injects that escalate through the exercise. The scenario is realistic and relevant, not a generic template, and the detail is kept confidential to you.

3. Facilitate. We run the exercise as an independent facilitator, drawing the team through the scenario, applying pressure where it matters, and capturing decisions, gaps, and assumptions as they surface.

4. Report. You receive a clear after-action report stating what went well, what broke, and a prioritised set of improvement actions mapped back to your plans and any relevant obligations.

5. Support uplift. We remain available to clarify findings and help fold the lessons back into your plans, so the report drives improvement rather than sitting on a shelf.

Important to understand

A tabletop is a structured rehearsal, not a guarantee. It tests your plans and your people against a realistic scenario at a point in time. The value comes from acting on what it exposes and from exercising regularly as your systems, people, and threats change. We design every exercise to find genuine gaps rather than to deliver a comfortable pass, because a tabletop that everyone sails through has not done its job.

Why Assurance Bureau

• Led by an ASD-endorsed IRAP Assessor with an active Australian Government NV1 security clearance, bringing real control assessment rigour to scenario design and findings

• Cross-framework experience across ISO 27001, ISO 22301-aligned continuity, the ISM, and the Essential Eight, so exercises connect to the obligations that actually apply to you

• Independent and vendor neutral. We are not resellers, so our findings and recommendations carry no product agenda

• Realistic, sector-specific scenarios built for your environment, not generic scripts

• Findings written to support audit evidence and board reporting, so one exercise serves several needs

• Based in Brisbane, working with clients across Queensland, Australia, and APAC

• Practical and outcome-focused, not theatre

Frequently asked questions

How long does a tabletop take? The exercise itself usually runs from two hours to a full day, depending on the scenario, the number of participants, and the depth of challenge. Scenario design happens beforehand and the after-action report follows. Allow a few weeks end to end for a tailored exercise and report.

Is it run remotely or onsite? Both work well. We run tabletops remotely, onsite, or as a hybrid. For organisations in Brisbane and across South East Queensland, onsite delivery is straightforward where it adds value.

Who should take part? It depends on the scenario. An incident response exercise often involves IT, security, legal, communications, and an executive sponsor. A business continuity or disaster recovery exercise pulls in business unit leads and operations. We help you set the participant list during scoping so the right decision-makers are in the room.

How often should we run one? Annual exercising is standard practice and is what most frameworks, regulators, and insurers expect. It is also worth running an exercise after a significant change to your systems, your team, or your threat profile, and after any real incident to test the lessons learned.

Do we need plans in place first? It helps, but it is not essential. If you have documented plans, we test them. If your plans are immature or missing, a tabletop is a fast way to expose what you need and to build the case for developing them.

How does this relate to ISO 27001? ISO 27001 expects incident response and ICT readiness for business continuity to be tested, not just written down. A facilitated tabletop with a written report is direct evidence for your auditor, and we map findings back to the relevant controls so the work supports certification rather than duplicating it.

Get in touch

Want to know whether your plans hold up under pressure? Contact us to arrange a no-obligation scoping conversation about the right exercise for your team and your obligations.