
ISO 27001:2022
Tabletop Exercise Toolkit

ISO 27001:2022 (updated from 2013) requires organizations to systematically manage information security risks through an ISMS — including documented incident management procedures (Clause 6.8), security awareness training, and continual improvement. With 93 Annex A controls across 4 themes to evidence, tabletop exercises are the most effective tool for demonstrating live control testing to certification bodies.

⚠️ ISO 27001 certification requires assessment and certification by an accredited certification body (CB). This toolkit supports exercise program design. Certification decisions require formal audits by qualified assessors.
93 Controls (ISO 27001:2022 Annex A) · 4 Themes (Organizational · People · Physical · Tech) · ISO 27001:2022 (Updated Standard) · Global Applicability (All Sectors)
Understanding ISO 27001:2022
The 2022 revision restructured the standard with modern controls for cloud, threat intelligence, and supply chain risk — making tabletop exercises central to ISMS compliance.
ISO 27001:2022 — What Changed from 2013
ISO 27001:2022 restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). Notable additions include Annex A 5.7 (Threat Intelligence), 8.8 (Vulnerability Management), and 5.23 (Cloud Services Security). The 2022 update reflects the modern threat landscape — making threat-informed tabletop exercises more relevant than ever.
Clause 6.8 — Information Security Incident Management
ISO 27001:2022 Clause 6.8 requires organizations to plan and prepare for managing information security incidents. This explicitly includes defining roles and responsibilities, establishing incident reporting and response procedures, and documenting lessons learned. Tabletop exercises are the standard industry practice for satisfying Clause 6.8 — and Skyhigh generates the documented evidence auditors expect to see.
ISMS Continual Improvement (Clause 10)
ISO 27001 is built on the Plan-Do-Check-Act (PDCA) cycle, with Clause 10 requiring continual improvement of the ISMS. Post-exercise gap analysis and remediation tracking directly support Clause 10 nonconformity management (10.1) and continual improvement (10.2). A quarterly exercise program with documented improvement tracking is compelling evidence of an active, maturing ISMS.
ISO 27001:2022 Clause & Annex A Control Mapping
How Skyhigh tabletop exercises map to ISO 27001:2022 clauses and Annex A controls — with the type of evidence generated for certification body audits.
| ISO 27001:2022 Requirement | Description | Skyhigh Coverage | Evidence Generated |
|---|---|---|---|
| Clause 6.1 — Risks & Opportunities | Information security risk assessment and treatment | Direct | Risk scenario exercises validate risk assessment methodology; risk register updates |
| Clause 6.8 — IS Incident Management | Incident response planning, roles, and documentation | Core | Exercise = direct Clause 6.8 evidence; AAR documents incident handling procedures |
| Annex A 5.24 — IS Incident Management | Planning & preparation for IS incident management | Core | IR plan validation; incident classification and escalation procedure testing |
| Annex A 5.25 — IS Event Assessment | Assessing and deciding on IS events | Direct | Incident classification decision-making exercises; event threshold testing |
| Annex A 5.26 — Response to IS Incidents | Responding to IS incidents | Core | Response execution evidence; stakeholder communication; containment procedures |
| Annex A 6.3 — IS Awareness | Security awareness training and education | Core | Each exercise = A 6.3 awareness/training documentation event |
| Annex A 5.7 — Threat Intelligence | Collecting and analyzing threat intelligence | Direct | Threat-informed exercise design; sector-specific threat scenario validation |
| Annex A 8.16 — Monitoring Activities | Monitoring networks, systems, and applications | Supporting | Detection capability exercises; monitoring gap identification |
| Clause 10 — Continual Improvement | Nonconformity, corrective action, improvement | Direct | Gap tracking; remediation plan from AAR; closed findings as improvement evidence |
Platform Capabilities for ISO 27001:2022
Skyhigh's platform is purpose-built to generate the documentation and evidence that certification body auditors look for during Stage 1 and Stage 2 ISMS audits.
ISO 27001 Certification-Ready Evidence
Generate a 6-page audit PDF aligned to ISO 27001:2022 — including exercise log, Annex A control coverage matrix, gap analysis, and remediation timeline. Certification body auditors look for evidence of active ISMS operation — a dated exercise with documented findings and improvement actions is exactly what Stage 2 audit interviews require.
Clause 6.8 · Annex A Matrix · Stage 2 Audit · 6-Page PDF
PDCA Cycle Documentation
ISO 27001's PDCA cycle requires continuous evidence of Plan-Do-Check-Act. Skyhigh exercise programs generate PLAN (exercise schedule with threat scenarios), DO (exercise execution), CHECK (post-exercise gap analysis against ISMS controls), and ACT (remediation tracking to closure). Demonstrate Clause 10 continual improvement with a complete PDCA record.
PDCA Evidence · Clause 10 · Improvement Tracking · Nonconformity Mgmt
Cross-Framework ISMS Efficiency
ISO 27001 certified organizations typically also face GDPR, NIS2, SOC 2, or sector-specific regulations. Skyhigh exercises generate evidence that maps simultaneously to ISO 27001 Annex A, NIST CSF 2.0, and NIS2 requirements — reducing audit fatigue. One exercise program, multiple framework coverage, integrated evidence packages.
Multi-Framework · GDPR Alignment · NIS2 · SOC 2 Mapping
ISO 27001:2022 Exercise Scenarios
Scenario library covering all major Annex A control themes — from data breaches and ransomware to physical security and supply chain attacks. Each scenario maps directly to relevant clauses and controls.
DATA BREACH · A.5.24–5.26
Personal Data Breach — Regulatory Notification & ISMS Response
Data breach exposing customer personal data triggers ISMS incident response and GDPR/data protection notification requirements. Tests Annex A 5.24 incident management, 5.26 response procedures, notification timelines, DPA reporting, and Clause 6.8 incident documentation.
Clause 6.8 · A.5.26 · GDPR
RANSOMWARE · A.5.29
Ransomware Attack — Business Continuity & ISMS Activation
Ransomware encrypts critical business systems, triggering BCP activation. Tests Annex A 5.29 (IS during disruption), 5.30 (ICT readiness for BC), incident management procedures, backup restoration, and recovery timeline — with ISMS continual improvement findings documented in AAR.
A.5.29 · A.5.30 · BCP
CLOUD · A.5.23
Cloud Provider Security Incident — Third-Party Risk Response
A critical SaaS provider suffers a breach affecting multiple tenants including your organization. Tests Annex A 5.23 (cloud services security), third-party incident response, joint investigation, data exposure assessment, and supply chain risk management (A.5.19–5.22).
A.5.23 · A.5.19 · Third-Party
INSIDER · A.6.3
Insider Threat — Privileged Access Abuse
System administrator abuses elevated access to exfiltrate confidential business information over 3 months. Tests Annex A 8.2 (privileged access rights), 8.18 (use of privileged utility programs), A.6.3 awareness program effectiveness, and detection capability gaps.
A.8.2 · A.6.3 · Insider
PHYSICAL · A.7
Data Center Unauthorized Physical Access
Unauthorized individual gains access to a co-location data center using tailgating and a stolen access badge. Tests Annex A 7.1–7.4 (physical security perimeter, entry controls, office/facility security), incident classification, and whether physical breaches trigger ISMS incident response procedures.
A.7.1 · A.7.2 · Physical
SUPPLY CHAIN · A.5.19
Software Supply Chain Attack — Malicious Update
A trusted software vendor's update mechanism is compromised, distributing malicious code to all customers. Tests Annex A 5.19–5.22 (supplier relationships, supplier security policy, supply chain ICT), incident response for software integrity compromise, and third-party risk management processes.
A.5.19 · A.5.22 · Supply Chain
Audit Evidence Generated
Every Skyhigh exercise automatically produces structured documentation artifacts that map to ISO 27001:2022 certification body expectations.
Clause 6.8 Exercise Record
IS incident management exercise documentation — direct certification body evidence
Annex A Control Coverage Matrix
Exercise-to-control mapping showing tested vs. untested Annex A controls
PDCA Improvement Log
Plan-Do-Check-Act cycle documentation — Clause 10 continual improvement evidence
Annex A 6.3 Training Record
Dated security awareness training evidence with participant list

Skyhigh exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Start Building Your ISO 27001:2022 ISMS Exercise Program

Clause 6.8 requires documented IS incident management testing. Demonstrate an active ISMS with scheduled, evidenced exercises.