What is frustrating about cyber security is that the benefits of the efforts made in this area are scarcely noticed: no sound is made when an attack is blocked by good preparation! Let us not fool ourselves; the magnitude of the risk is real, and the lack of readiness is often devastating.
I would like to remind everyone that, as far as protecting information systems is concerned, readiness is key. I understand that this represents an investment for organisations that also have other realities to consider.
Therefore, the responsibility of the French National Cyber Security Agency (ANSSI) is to support their efforts in this regard and continuously remind them of the importance of cybersecurity issues.
In the face of the threat, organising exercises is crucial. I have seen this with my own eyes! Through training, and with each exercise, the teams involved in crisis management develop their reflexes and better ways of working together. They are then ready to cope when faced with an attack, especially considering the fact that cyber crises each have their specific features. We should not wait for disaster to strike to learn how to deal with it!
This guide will help you in setting up your own training courses. It results from a wealth of experience in organising cyber crisis management exercises developed over the years. I hope it will help you develop your teams’ skills and thus strengthen your organisation’s resilience.
Director-General of ANSSI
The Club de la Continuité d’Activité (Business Continuity Club, CCA) is an association comprised of more than 80 members, companies and consultancies. Its main purpose is to share best practices on crisis management and business continuity management among members. After more than ten years of existence, the CCA has become a key player in promoting corporate resilience.
Cyber risk, as the theme of one of our last inter-company annual exercises with more than 100 participants and a regular topic in our seminars, particularly crisis communication, is one of our major concerns. As a result of the manifold and severe consequences that cyber risk may have, the subject is regularly analysed and experience in this field shared within all our working groups.
“Talking” and “training” are the two words that drive us as practitioners of crises, business continuity and resilience in our organisations. This guide will allow many organisations to carry out cyber crisis exercises independently. It provides a very structured basis for understanding this risk, which affects all sectors and organisations of all sizes.
President of the CCA
In the face of an ever-growing and ever-changing cyber threat, improving digital resilience through training in cyber crisis management is no longer just an opportunity but a necessity for all organisations.
The purpose of this guide is to provide step-by-step support to organisations in setting up a cyber crisis management exercise that is credible and will serve as training, for both players and organisers.
It offers a methodology based on the recognised standard of the guidelines for exercises (ISO 22398:2013).
Who is this guide for?
Any private or public organisation, be it small or large, wishing to train in cyber crisis management can consult this guide. More specifically, this guide is for anyone who wishes to organise exercises at the decision-making level in order to train its organisation’s crisis unit: the risk managers, those responsible for business continuity, exercises or crisis management, those responsible for the security of information systems (SIS) or equivalent, etc. This guide is not intended to construct exercises that are purely technical, for instance, by providing a complete simulation of an information system (IS) using virtual machines (“cyber range”).
What does it contain?
Four steps accompanied by fact sheets which supplement and illustrate these steps.
Recommendations from the experience of ANSSI and the members of the CCA Crisis Management Work Group.