ISO 22398-aligned exercise programme. MSEL injects, evaluator observations, AAR lifecycle, and SAMA mandatory coverage rollup that proves your annual programme covered the themes — automatically, from passing exercises only.
The annual programme tracks SAMA mandatory themes (IT system loss, cyber, critical-vendor unavailability, staff unavailability, workspace disruption). themesCovered = union of coverage_tags across passing exercises. No peer ships this.
Master Scenario Events List — scripted events injected into the exercise to drive decisions. Each inject typed, offset-timed, target-roled. Delivery tracked with actualResponse + performance rating.
Evaluators capture observations during the exercise — strength · improvement · issue · decision · question. Each observation linked to a specific inject + severity. Feeds the AAR.
Each exercise has objectives. Evaluators rate met / partial / not_met / not_evaluated per objective. evaluation.submit() snapshots objectivesMet/objectivesTotal — auditors see the score at-a-glance.
After-Action Reports follow draft → submitted → approved → rejected. SAMA SLA dates auto-computed (AAR +28d, improvement +60d, retest +90d if failed). Audit-evidence chain end-to-end.
Annual programme container with quarterly cadence. Approval workflow (draft → approved). Exercise scheduling rolls up to the programme. Coverage gauge updates as exercises complete.
Two records carry the weight of a defensible exercise programme — the exercise itself, and every inject delivered inside it. Here's what's recorded for each, in plain terms.
Auto-generated identifier (EX-2026-007) — every tenant gets its own yearly sequence so codes are stable and unique.
Tabletop · Walkthrough · Simulation · Full-scale · Drill · Parallel · Cutover. The full ISO 22398 taxonomy — programme owners can prove they exercised at every level.
Lifecycle status (Draft → Scheduled → In progress → AAR pending → Under review → Closed) plus the verdict (Pass · Partial · Fail · Inconclusive · Cancelled). Lets programme reviews answer 'did we exercise it, and did it work?' in one query.
Each exercise is tied to a scenario (whose coverage tags drive rollup) and an annual test programme — so the programme report writes itself.
After-Action Report deadline computed as actualEnd + 28 days (SAMA). The clock starts the moment the exercise ends, no manual data entry needed.
Improvement plan deadline computed as actualEnd + 60 days (SAMA). Same automatic clock, different SLA.
When outcome=Fail, a retest deadline is auto-set to actualEnd + 90 days. The system won't let a failed exercise quietly age out.
Example
EX-2026-007 — Annual cyber tabletop
Auto-incremented per exercise so the master event list reads in order under facilitator pressure.
Scenario · Decision · Info · Reference. The four families ISO 22398 uses to structure a MSEL.
Minutes from exercise start — facilitators run from the clock, not a wall calendar.
What's injected and what participants should do. The benchmark the evaluator scores against.
Which roles this inject is aimed at. Lets evaluators confirm the right team got the right stimulus.
Facilitator and timestamp captured the moment the inject lands. Late or skipped injects show up automatically in the AAR.
What participants actually did, captured live. The evidence trail that turns 'we ran a tabletop' into 'here's what happened'.
Correct · Partial · Incorrect · Missed · Not evaluated. Aggregates into the exercise outcome and the year-over-year team-performance trend.
Example
Inject #6 — 'Press calling for comment'
| Clause | What it asks for | BCMStack surface |
|---|---|---|
| §8.5 | Exercising and testing | Full exercise lifecycle: draft → schedule → start → complete → AAR |
| ISO 22398 §6 | Exercise design (MSEL, scenarios) | exercise_injects + scenarios library |
| ISO 22398 §7 | Exercise conduct | Inject delivery tracking + observations |
| ISO 22398 §8 | Exercise evaluation (AAR) | exercise_evaluations with full lifecycle |
| §9.1 | Performance evaluation | Programme detail view + objective evaluations |
| §10.1 | Improvement actions from exercises | Auto-linked from observations to improvement_actions |
How the Exercise Programme compares to peer platforms
SAMA expects the annual programme to cover specific themes — IT system loss, cyber, critical-vendor unavailability, staff unavailability, workspace disruption. BCMStack tracks every scenario's coverage_tags and computes the union across passing/partial exercises in the programme. The programme detail view shows themesCovered vs themesRequired in real time. No peer ships this.
Master Scenario Events List — the timeline of scripted events injected into an exercise to drive participant decisions. Each inject has type (scenario / decision / info / reference), offset minutes from start, expected response, target roles, and a delivery record (deliveredAt, deliveredBy, actualResponse, performance rating). Standard ISO 22398 §6 method.
After-Action Reports follow a draft → submitted → approved → rejected lifecycle. complete() seeds a draft AAR row. Evaluators rate objectives (met / partial / not_met). evaluation.submit() snapshots objectivesMet/objectivesTotal and flips the exercise to under_review. evaluation.approve() stamps approvedBy/approvedAt. SAMA SLA dates auto-computed (+28d AAR, +60d improvement, +90d retest if failed).
All seven ISO 22398 types: tabletop, walkthrough, simulation, full-scale, drill, parallel, cutover. Each can be linked to one or more BCPs, DRPs, risks, departments, vendors. The DR-specific capture (failover, RTO/RPO actuals, data integrity, failback) is a separate sub-router available on cutover and parallel exercises.