Effective CISSP Questions

Your organization intends to evaluate the effectiveness of the business continuity plan by conducting an exercise where the participants review a brief scenario, then are asked questions related to the scenario, discuss each question, and formulate an answer based on what they would really do in the situation. The response is then compared with the organization’s policies, procedures, and guidelines to identify any discrepancies or deficiencies. Which of the following best describes the exercise? (Wentz QOTD)
A. Tabletop
B. Checklist
C. Simulation
D. Functional drill

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Tabletop.

I wrote this question as a reminder that validating a plan entails entails “exercises” and “tests,” and many conventions for categorizing exercises exist.

Test Disaster Recovery Plans (DRP)
Test Disaster Recovery Plans (DRP)

Plans need to be exercised or tested to be effective. The terms “test” and “exercise” are often used interchangeably. However, there are various perspectives or definitions of exercises and tests against plans.

Exercise and Test

  • According to ISO 22300, an “exercise” is the “process to train for, assess, practice, and improve performance in an organization.” A “test” is a “unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the aim or objectives of the exercise being planned.” An exercise does not need an expectation of pass or fail.
  • According to NIST SP 800-84, an “exercise” is a simulation of an emergency designed to validate the viability of one or more aspects of an IT plan, while “test” is reserved for testing systems or system components; it is not used to describe “exercising” plans.

Exercising and Testing Plans

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through, and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises.

There are many conventions for categorizing exercises.

For example, some people use “tabletop exercises” to refer to discussion-based exercises in general, while other people consider “tabletop exercises” to refer to a specific type of discussion-based exercise, and use additional terms for other exercises (e.g., “seminar exercises” for exercises that combine training lectures and group discussion).

Similarly, the term “functional exercise” can be thought of as a generic term for exercises involving simulated operations, or it can be thought of as a specific type of operational exercise, with other terms used for other exercise types (e.g., “command post exercise” for something very similar to a functional exercise that focuses on senior management’s decision-making).

The definitions used in this publication are not meant to be definitive, but rather to provide a basis for subsequent discussions of exercises in the publication. For more information on other types of exercises, see the extensive documentation provided at the Homeland Security Exercise and Evaluation Program (HSEEP) Web site, located at

Source: NIST SP 800-84

Tabletop Exercise

Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources. Section 4 contains detailed information about tabletop exercises. (NISP SP 800-84)

Functional Exercise

Functional exercises allow personnel to validate their operational readiness for emergencies in a simulated operational environment. Functional exercises are designed to exercise the roles and responsibilities of specific team members, procedures, and assets involved in one or more functional aspects of an IT plan (e.g., communications, emergency notifications, IT equipment setup). Functional exercises vary in complexity and scope, from validating specific aspects of a plan to full-scale exercises that address all plan elements. Functional exercises allow staff to execute their roles and responsibilities as they would in an actual emergency situation, but in a simulated manner. Section 5 contains detailed information about functional exercises. (NISP SP 800-84)



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

您的組織打算進行一項演練(exercise)以評估業務持續計晝的有效性,該演練的參與者檢視(review)一個簡短的情境(scenario),然後再向他們詢問與有關的問題,之後再討論每個問題,並根據他們在該情境中實際願意採取的行動來回答。 然後再將他們的回應與組織的策略、過程和準則進行比較,以識別任何差異或缺陷。 以下哪項最能描述這個演練?(Wentz QOTD)
A. Tabletop
B. Checklist
C. Simulation
D. Functional drill

Leave a Reply