Does your organization involve internal stakeholders (such as senior executives, legal, and HR) in security tests and exercises?
Explanation
Including key internal stakeholders in security tests and exercises ensures broader organizational awareness and buy-in for security initiatives.
When stakeholders participate, they gain firsthand experience with security challenges, understand potential business impacts, and can better align security priorities with business objectives.
This involvement also helps break down silos between security teams and other departments, creating a more cohesive security culture.
Evidence could include meeting minutes from tabletop exercises showing executive participation, after-action reports from security drills listing stakeholder involvement, or formal security exercise plans that define roles for various internal departments.
Implementation Example
Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate
ID: ID.IM-02.182
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.IM: Improvement
- Sub-Category
  - Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
Related questions
- Does your organization regularly conduct self-assessments of critical services that incorporate current threat intelligence and adversary tactics, techniques, and procedures (TTPs)?
- Has your organization conducted third-party assessments or independent audits of your cybersecurity program within the past 12 months?
- Does your organization utilize automated tools or systems to continuously evaluate compliance with your established cybersecurity requirements?
- Does your organization have a process to identify and implement improvements to incident response procedures based on findings from exercises, tests, and reviews?
- Does your organization have a formal process to identify and implement improvements to business continuity, disaster recovery, and incident response plans based on exercises conducted with critical service providers and suppliers?
- Does your organization conduct penetration testing on high-risk systems with leadership approval?