Organising a cyber crisis management exercise

The purpose of this guide is to provide step-by-step support to organisations in setting up a cyber crisis management exercise that is credible and will serve as training, for both players and organisers.

Publish the 07 September 2021 Updated 07 September 2021
Organising a cyber crisis management exercise - cover

In a context of growing and ever changing cyber threat, it is essential to be prepared to react. For this, the organisation of cyber crisis management exercises is fundamental. Carried out in partnership with the Club de la Continuité d’Activité (Business Continuity Club, CCA) and with the contribution of ENISA, this guide is the result of expertise developed at ANSSI over the years; and the combination of experience in cyber security and crisis management.

In the face of the threat, organising exercises is crucial. I have seen this with my own eyes! Through training, and with each exercise, the teams involved in crisis management develop their reflexes and better ways of working together. They are then ready to cope when faced with an attack.” Guillaume Poupard, Director-General of ANSSI

Who is this guide for?

Any private or public organisation, be it small or large, wishing to train in cyber crisis management can consult this guide. More specifically, this guide is for anyone who wishes to organise exercises at the decision-making level in order to train its organisation’s crisis unit: the risk managers, those responsible for business continuity, exercises or crisis management, those responsible for the security of information systems (SIS) or equivalent, etc. This guide is not intended to construct exercises that are purely technical, for instance, by providing a complete simulation of an information system using virtual machines (“cyber range”).

What does it contain?

  • Four steps accompanied by fact sheets which supplement and illustrate these steps.
  • Recommendations from the experience of ANSSI and the members of the CCA Crisis Management Work Group.
  • A complete exercise as the guide’s main theme called RANSOM20 that is gradually developed to illustrate each step.
  • Annexes, including a glossary defining all the terms used in this guide and that are specific to the exercises.

How can it be used?

The steps can be consulted independently depending on the organisation’s experience and needs in crisis management exercises. This format also makes it possible to consider outsourcing all or part of these steps so that each organisation, regardless of its size and budget, can carry out this type of exercise.

The guideline: RANSOM20
An example exercise (RANSOM20) is developed throughout the guide. It serves to illustrate recommendations made at each step.
To make something that can be used by and adapted for as many people as possible, the example is a ransomware cyber attack. This type of operation is a growing trend affecting organisations of all sizes.
This example is developed in various practical fact sheets which, once compiled, form a complete exercise that can be reused by any organisation. For more information on the RANSOM20 exercise, you can view the scenario (see fact sheet No. 4) or the timetable (see fact sheet No. 6).

This guide is also available in French.