ISO 22398-aligned exercise programme. MSEL injects, evaluator observations, AAR lifecycle, and SAMA mandatory coverage rollup that proves your annual programme covered the themes — automatically, from passing exercises only.
The annual programme tracks SAMA mandatory themes (IT system loss, cyber, critical-vendor unavailability, staff unavailability, workspace disruption). themesCovered = union of coverage_tags across passing exercises. No peer ships this.
Master Scenario Events List — scripted events injected into the exercise to drive decisions. Each inject typed, offset-timed, target-roled. Delivery tracked with actualResponse + performance rating.
Evaluators capture observations during the exercise — strength · improvement · issue · decision · question. Each observation linked to a specific inject + severity. Feeds the AAR.
Each exercise has objectives. Evaluators rate met / partial / not_met / not_evaluated per objective. evaluation.submit() snapshots objectivesMet/objectivesTotal — auditors see the score at-a-glance.
After-Action Reports follow draft → submitted → approved → rejected. SAMA SLA dates auto-computed (AAR +28d, improvement +60d, retest +90d if failed). Audit-evidence chain end-to-end.
Annual programme container with quarterly cadence. Approval workflow (draft → approved). Exercise scheduling rolls up to the programme. Coverage gauge updates as exercises complete.
public.exercises| Column | Type | Clause | Note |
|---|---|---|---|
| code | varchar(50) | Auto-generated EX-YYYY-NNN per tenant per year | |
| format | enum | ISO 22398 | tabletop · walkthrough · simulation · full_scale · drill · parallel · cutover |
| status | enum | draft · scheduled · in_progress · aar_pending · under_review · closed | |
| outcome | enum | pass · partial · fail · inconclusive · cancelled | |
| scenario_id | uuid | FK scenarios — coverage_tags drive programme rollup | |
| programme_id | uuid | FK annual_test_programmes — annual programme membership | |
| actual_end_at | timestamptz | Used to compute SAMA SLA dates | |
| aar_due_at | timestamptz | §9.1 | actualEndAt + 28 days (SAMA) |
| improvement_plan_due_at | timestamptz | §10.1 | actualEndAt + 60 days (SAMA) |
| retest_due_by | timestamptz | actualEndAt + 90 days when outcome=fail |
public.exercise_injects| Column | Type | Clause | Note |
|---|---|---|---|
| sequence | int | Auto-incremented per exercise | |
| inject_type | enum | ISO 22398 | scenario · decision · info · reference |
| offset_minutes | int | Minutes from exercise start | |
| title | varchar(255) | Inject summary | |
| expected_response | text | What participants should do | |
| target_roles | text[] | Which roles this inject is for | |
| delivered_at | timestamptz | When facilitator delivered the inject | |
| delivered_by | uuid | FK users — facilitator | |
| actual_response | text | What participants actually did | |
| performance_rating | enum | correct · partial · incorrect · missed · not_evaluated |
| Clause | What it asks for | BCMStack surface |
|---|---|---|
| §8.5 | Exercising and testing | Full exercise lifecycle: draft → schedule → start → complete → AAR |
| ISO 22398 §6 | Exercise design (MSEL, scenarios) | exercise_injects + scenarios library |
| ISO 22398 §7 | Exercise conduct | Inject delivery tracking + observations |
| ISO 22398 §8 | Exercise evaluation (AAR) | exercise_evaluations with full lifecycle |
| §9.1 | Performance evaluation | Programme detail view + objective evaluations |
| §10.1 | Improvement actions from exercises | Auto-linked from observations to improvement_actions |
How the Exercise Programme compares to peer platforms
SAMA expects the annual programme to cover specific themes — IT system loss, cyber, critical-vendor unavailability, staff unavailability, workspace disruption. BCMStack tracks every scenario's coverage_tags and computes the union across passing/partial exercises in the programme. The programme detail view shows themesCovered vs themesRequired in real time. No peer ships this.
Master Scenario Events List — the timeline of scripted events injected into an exercise to drive participant decisions. Each inject has type (scenario / decision / info / reference), offset minutes from start, expected response, target roles, and a delivery record (deliveredAt, deliveredBy, actualResponse, performance rating). Standard ISO 22398 §6 method.
After-Action Reports follow a draft → submitted → approved → rejected lifecycle. complete() seeds a draft AAR row. Evaluators rate objectives (met / partial / not_met). evaluation.submit() snapshots objectivesMet/objectivesTotal and flips the exercise to under_review. evaluation.approve() stamps approvedBy/approvedAt. SAMA SLA dates auto-computed (+28d AAR, +60d improvement, +90d retest if failed).
All seven ISO 22398 types: tabletop, walkthrough, simulation, full-scale, drill, parallel, cutover. Each can be linked to one or more BCPs, DRPs, risks, departments, vendors. The DR-specific capture (failover, RTO/RPO actuals, data integrity, failback) is a separate sub-router available on cutover and parallel exercises.