Crisis Tabletop Exercise — Test Your Plan Before a Real Incident Does

We bring your team around a realistic scenario. We see what holds. We document what doesn't.

In-person only — Quebec and Ontario. Because a crisis exercise plays out in glances, silences, and hesitations, not behind muted cameras.

A crisis tabletop exercise is a facilitated simulation of a major incident — ransomware, disaster, loss of a critical supplier, internal fraud, data breach — played around a table with your leadership, IT team, and key partners. Factero designs a realistic scenario adapted to your industry, runs it hour by hour, documents the decisions made and the blind spots exposed, and delivers a report, prioritized action plan, leadership readout, and formal attestation transmissible directly to your cyber insurer. The exercise can stand alone or fit within a broader engagement (BCP/DRP, ISO 27001 / CAN/DGSI 104 / SOC 2 certification, cyber insurance support). No plan survives first contact with a real incident unless tested — the point of the tabletop is to surface the surprises in the meeting room, not in the middle of the chaos.

Who is it for?

Municipalities, MRCs, townships and public bodies needing to demonstrate tested operational resilience to their council, citizens, or auditor. Factero Advisory Services is registered on the SEAO (Quebec) and the Ontario Tenders Portal (Ontario).

Technology SMEs, SaaS vendors and digital companies wanting to validate that their leadership team knows what to do the morning it all burns down — not just their IT team.

Regulated vendors (health/TGV, defence/CPCSC, education, financial services) where documented exercise evidence is required by the regulatory framework or by corporate clients.

Organizations pursuing certification (ISO 27001, SOC 2, CAN/DGSI 104) required to provide evidence of a continuity exercise conducted within the year — a deliverable explicitly expected by auditors.

Organizations that recently experienced an incident and want to replay the scenario in calm to formalize lessons learned — often requested by the insurer after a claim.

Boards and leadership teams seeking an independent governance test — a concrete, documented demonstration of the organization's ability to manage a crisis, not a reassuring PowerPoint.

Organizations whose cyber insurer explicitly requires proof of an annual tabletop exercise for policy underwriting or renewal.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • You have a recovery plan on paper — but no one knows if it would hold under pressure, and no one wants to be the person who finds out during a real incident.
  • Your auditor (ISO 27001, SOC 2, CAN/DGSI 104, TGV) asks for documented evidence of a continuity exercise conducted within the year — without it, your certification can be blocked or delayed.
  • Your cyber insurer requires a tabletop exercise attestation to underwrite, renew, or maintain your current coverage limits.
  • You experienced an incident in the past 12 months and your leadership (or board) wants to formalize lessons learned before they evaporate into routine.
  • Your organization changed significantly since the last exercise — new critical suppliers, major cloud migration, fast growth, new site, acquisition — and your plan hasn't kept up.
  • You want to test your executive team on its ability to make decisions under pressure — who decides on paying a ransom? Who notifies the CAI (Law 25)? Who speaks to the media? Who calls the insurer first? These questions shouldn't surface mid-incident.
  • You know your IT team has a plan — but leadership, HR, legal, and communications weren't involved in building it, and those are exactly the functions called on during a real incident.
  • You're pursuing certification (ISO 27001, SOC 2, CAN/DGSI 104) and the tabletop exercise is one of the last deliverables to produce before the certification audit.

What will you receive?


A realistic scenario designed bespoke for your organization, drawn from our library of 5 main families: ransomware, major disaster (fire, flood, datacenter outage), loss of a critical supplier, internal fraud, data breach with mandatory CAI notification (Law 25).


In-person facilitation by a Factero principal, in half-day or full-day format depending on your organization's complexity and the number of stakeholders involved (leadership, IT, HR, legal, communications, primary provider, key partners).


A detailed observation report documenting hour by hour the decisions made, the hesitations, the gray zones identified, the unclear responsibilities, and the gaps between the documented plan and the actual observed behavior.


A prioritized action plan by urgency and impact: fixes to apply within 30 days, within 90 days, within 12 months. Not a generic list — each action is tied to a concrete observation from the exercise.


A dedicated leadership readout — a 60- to 90-minute session presenting findings to executive leadership (and the board if relevant) in governance language, not technical jargon. This is often where strategic decisions are made.


A formal attestation documenting the date, duration, participants, scenario played, and exercise scope — formatted to be transmitted directly by your broker to your cyber insurer, or filed in your audit evidence (ISO 27001, SOC 2, CAN/DGSI 104, TGV).


A comparative analysis against your existing recovery plan (if you have one): what held, what didn't, what wasn't anticipated. If you don't have a plan, the report lays out the basic structure.

Not a good fit?

  • If you're looking for an exercise over video conference, we're not the right address. Our choice is deliberate: a serious tabletop plays out in person because the value of the exercise lives in non-verbal language — the eyes that avoid each other when a hard question lands, the awkward silences, the hesitations cameras don't capture. Video conferencing is useful for many things; not for this service.
  • If you want a full-theater exercise with professional actors, fake media alerts, and simulated journalists, that's not our format. These exercises have their value — but they cost significantly more and aren't required for most organizations. We can point you to the right partners if that's what you need.
  • If your goal is to tick a box for a client or insurer without intent to act on findings, we'll likely frustrate you. The Factero report documents blind spots — including the ones leadership would rather not see. This isn't a PR exercise.
  • If you're outside Quebec and Ontario, we typically don't travel — consistent with our in-person stance and our SEAO / Ontario Tenders Portal registrations. For exceptional mandates elsewhere in Canada, we discuss it at the discovery call.

How does the process work?

A rigorous and transparent approach, step by step.
Scoping and scenario selection
We start by looking at your context: industry, size, IT setup, critical suppliers, past incidents, contractual or regulatory requirements. We then identify, within our library of 5 scenario families (ransomware, major disaster, loss of a critical supplier, internal fraud, Law 25 data breach), the one most relevant to you — or the one your insurer or auditor specifically requires. The scenario is then personalized with realistic elements from your environment: system names, named suppliers, plausible calendar constraints.
Building the panel
We define with you who needs to be at the table. Too few people and the exercise lacks realism; too many and the dynamic stalls. A good tabletop typically gathers 6 to 12 people: leadership (CEO, CFO, or delegate), IT (lead and one operational), HR, legal, communications, primary provider (sometimes), and one or two key partners. This choice shapes the quality of the exercise as much as the scenario itself.
Running the simulation
In person, over a half-day or full day, we unfold the scenario hour by hour. At each step, we inject new elements — a client call, an insurer request, a CAI message, a journalist on the line — and we observe what your teams decide, who speaks, who hesitates, where the gray zones are. Our role: ask precise questions at the right moment, advance the scenario without guiding answers. In-person delivery is essential: it's in the non-verbal cues that the real lessons hide.
Documentation and reporting
During the exercise, a second Factero principal documents continuously: decisions, durations, hesitations, blind spots, divergences from the official plan. This documentation becomes the raw material for the report — a precise, factual, dated deliverable describing what happened, not a post-hoc interpretation. The report includes prioritized recommendations by horizon (30/90/365 days) and the formal attestation transmissible to your insurer or filed in your audit evidence.
Leadership readout
Once the report is finalized, we organize a dedicated session with leadership (and the board if relevant), 60 to 90 minutes, in person. We present findings in governance language — not technical jargon — and facilitate the conversation on strategic decisions to make: should some supplier contracts be revisited? Do cyber coverage limits need adjusting? Should a formal plan be documented where one didn't exist? These conversations are often the real deliverable.
Attestation and follow-through
We deliver the formal attestation of the exercise — a short document (1 to 2 pages) recording the date, duration, scenario, participants, scope, and conclusion. This document is directly transmissible to your insurance broker for cyber policy underwriting or renewal, or filed in your audit evidence (ISO 27001, SOC 2, CAN/DGSI 104, TGV). We remain available to implement the action plan if you wish — or step aside if your team can take over.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
What's the difference between a tabletop and a backup test?
The backup test verifies one technical thing: does my data come back? The tabletop answers a governance question: who decides what, when, how, in what order — when everything is on fire. The technical test engages your IT team in an isolated environment for a few hours. The tabletop engages your leadership, IT, HR, legal, communications, sometimes your primary provider — around a table, for a half-day or full day. Factero offers both, and they're complementary: a successful technical test with a catastrophic tabletop means your data will come back but no one will know what to do with it. And vice versa. If you must pick one to start with, your situation decides: the insurer asks for one, the auditor often asks for both, the board typically wants the tabletop first because that's what shows up in governance.
Why in person only?
Because half the value of a tabletop lives in what isn't said. When the scenario opens with "you just learned the leak came from an internal employee, someone in this room will have to decide what to do about it," what happens next isn't in the words — it's in the eyes that avoid each other, the silences that stretch, the person who quietly glances at their phone, the hesitation between two people about who answers. These signals are the raw material of the report. Video conferencing flattens all of this: cameras are off, people multitask, silence becomes just a frozen signal. In-person isn't a constraint, it's our methodological choice. There are excellent virtual formats for other types of exercises — but not for a serious tabletop. Our range: Quebec and Ontario.
How long does a tabletop last? Half-day or full day?
It depends on your organization's complexity and the number of stakeholders at the table. A half-day (3-4 hours) is sufficient for a smaller SME with a single scenario and 6 to 8 participants — narrow leadership, IT team, legal. A full day (7-8 hours) is typically needed for a larger organization, a multi-thread scenario (e.g., ransomware + data breach + media communications), or a broader panel of 10-12 people including suppliers and partners. Factero assesses the right format during the discovery call, looking at the target scenario and participant list. We never push for a full day if a half-day suffices — a tabletop that drags loses its intensity.
What scenarios are available in your library?
Factero offers 5 main scenario families, each personalized to your context: (1) Ransomware — your servers are encrypted on a Monday morning, the MSP is unreachable, a critical client has a delivery due in 48 hours; (2) Major disaster — fire, flood, datacenter outage, loss of physical access to your facilities for several days; (3) Loss of a critical supplier — your main cloud provider goes bankrupt, suffers a major incident, or unilaterally terminates the contract; (4) Internal fraud — a key employee diverts funds, exfiltrates data, or facilitates access for an external actor; (5) Data breach with mandatory CAI notification (Law 25) — loss or disclosure of personal information with the 72-hour notification clock ticking. Each scenario is adapted to your industry: a ransomware attack in a municipality doesn't play out like one in a SaaS SME. If your case doesn't fit any of the five families, we discuss it at the discovery call.
Our MSP also offers tabletop exercises. What's the difference with Factero?
Running a crisis exercise on its own client puts the MSP in a delicate position: the facilitator is partly assessing its own work. When the scenario exposes a gap in daily IT operations, who will honestly call it out if the facilitator is precisely the person operating that IT? When the scenario reveals a communication breakdown between MSP and client, who will have an interest in documenting it clearly in the report? Facilitator independence isn't a luxury, it's a condition for the exercise's validity — exactly like for an independent audit. Factero has no commercial ties to your MSP or any technology vendor: we design the scenario, we facilitate, we document. Your MSP can (and should) be a participant in the exercise — that's often one of the most useful revelations. But facilitator and participant cannot be the same person.
What exactly is the insurer attestation?
A formal 1- to 2-page document attesting that the exercise took place, how it went, and what it covered — directly transmissible by your broker to your cyber insurer. Many organizations run the tabletop, leave with an internal report — and when the insurer asks for proof, they transmit 40 pages that also contain the blind spots identified (not always desirable). The Factero attestation is designed to answer precisely what the insurer wants to know: exercise date, duration, main scenario, participants by function (not by name), scope, overall conclusion. It's also accepted as audit evidence for ISO 27001, SOC 2, CAN/DGSI 104, TGV certifications — which often require proof of a continuity exercise conducted within the year. It's a deliverable separate from the detailed report you keep internally to drive corrective actions.
How often should we redo a tabletop?
The accepted practice is annual for most organizations, more frequent after a major change. The main standards — ISO 27001, SOC 2, CAN/DGSI 104 — typically require evidence of a continuity exercise at least once per year. Cyber insurers also increasingly require annual attestation to maintain coverage limits. Beyond this formal cadence, several triggers justify an out-of-cycle exercise: a lived incident (replay in calm to formalize lessons), a major transformation (cloud migration, acquisition, MSP change), a leadership change (the tabletop also tests new team cohesion under pressure), a corporate client requirement. Factero recommends varying scenarios from one exercise to the next — replaying the same scenario every year dilutes learning. The library of 5 families is designed for this.
We don't have a formal recovery plan yet. Can we still run a tabletop?
Yes — and in many cases, that's actually the best entry point. Building a recovery plan "in a vacuum" before any exercise often produces a theoretical document that doesn't survive first contact with reality. Conversely, running a tabletop with your organization without a preexisting plan reveals exactly where the real needs are: which decisions must be documented, which roles need clarifying, which communications must be prepared in advance. The report and action plan following the exercise then become the base structure of a recovery plan tailored to your reality — not a generic template. If you're pursuing certification (ISO 27001, SOC 2, CAN/DGSI 104), Factero can extend the engagement to structure the full plan from the tabletop findings.
Who needs to participate? Just IT?
No — and that's exactly the most common mistake. A tabletop limited to IT only tests technical recovery capability — useful, but incomplete. In a real major incident, it's the non-IT functions that decide: leadership decides on paying a ransom, legal handles CAI notification (Law 25) and communications with authorities, HR handles internal communications and employee wellbeing, communications handles media and clients, finance handles emergency cash flow and insurer contacts. A good tabletop gathers 6 to 12 people covering: leadership (CEO or delegate), IT (lead + operational), legal, HR, communications, sometimes finance, sometimes primary provider, sometimes 1 or 2 key partners. Factero defines the optimal panel composition during the discovery call based on your organization.
Is it confidential?
Yes, and it's particularly important for this service. The exercise surfaces operational blind spots and sometimes internal tensions you don't want circulating. Each engagement is governed by a formal confidentiality agreement signed before any work begins. The detailed report never leaves your organization without your explicit authorization. The insurer-transmissible attestation is deliberately designed to contain only the necessary factual elements (date, duration, scenario, participants by function, scope) — not the detailed findings. You choose what goes out. This rigor is framed by our privacy protection policy and compliant with Law 25 requirements.
Why Factero for this engagement — what sets you apart?
Before signing with a tabletop facilitation firm, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.
The firm itself is certified
Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you in cybersecurity should, by consistency, hold one itself.
Incorporated and established since 2022
Factero Service Conseil is duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).
Complete team and operational continuity
Factero relies on an interdisciplinary team covering information technology, human resources, and accounting — the three dimensions that intersect in most governance engagements. A structuring engagement extends over several months; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.
Professional liability and cyber insurance
Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold one itself. Ask for the certificate before signing.
Written and public independence
Our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets. For a tabletop, this independence is structural: the facilitator cannot also be the party that operates your IT day-to-day, or the exercise loses its validity.
Public procurement registration
Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal — a process that involves regulatory verifications and up-to-date tax attestations. This is also why our tabletop offer is geographically limited to Quebec and Ontario: we operate where we are officially present.
These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.
Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.