
Map Your Testing Obligations to Practiced Evidence

How iluminr's scenario-testing and exercise layer maps to the clauses regulators examine firms against, framework by framework.

European Union - In force 17 Jan 2025

Microsimulations for DORA

Digital Operational Resilience Act - Regulation (EU) 2022/2554

In one line

The Digital Operational Resilience Act requires financial entities in the EU to maintain a digital operational resilience testing programme that includes scenario-based testing of ICT tools, systems, and business continuity plans.

What DORA requires

DORA applies to virtually every financial entity in the EU - banks, insurers, investment firms, payment institutions, crypto-asset service providers - plus critical ICT third-party providers. Chapter IV establishes the testing programme.

Article 24 - maintain a sound, comprehensive testing programme within the ICT risk framework, risk-based in priority and frequency
Article 25 - include scenario-based tests, end-to-end testing, performance testing, vulnerability assessments, gap analyses, and penetration testing
Article 26 - advanced threat-led penetration testing (TLPT) for significant entities, at least once every three years
Article 11(6) + RTS - periodically test ICT business continuity plans against severe-but-plausible scenarios, including ICT third-party provider failure
Requirement Mapping

How iluminr maps to DORA

DORA requirement | iluminr capability
Article 25 - scenario-based tests | Multiplayer Microsimulations and Expert-Led Simulations running severe-but-plausible ICT scenarios
Article 25 - end-to-end testing of response | Cross-functional team simulations spanning detection, escalation, response, and recovery
Article 11(6) - ICT business continuity plan testing | Scenario-based BCP exercises with documented decision logs and post-exercise reporting
Article 11(6) RTS - ICT third-party scenarios | Library scenarios covering third-party outages, ICT supplier insolvency, and concentration risk
Article 24 - risk-based programme with documented results | Unified Capability Intelligence reporting layer producing audit-ready evidence
Management body reporting | Executive dashboards showing capability over time, by function and scenario type
FAQ

DORA questions

Does iluminr satisfy all of DORA's testing requirements?
iluminr covers the scenario-based and BCP testing requirements in Articles 24, 25, and 11(6). TLPT under Article 26 is a specialist penetration testing engagement conducted by external red teams - iluminr complements this by building the decision-making and response capability that TLPT then validates.
How often should we run scenario-based tests under DORA?
DORA requires testing to be risk-based in frequency. Most significant entities run quarterly multiplayer drills, monthly single-player reps for high-exposure populations, and an annual expert-led simulation for the management body. The RTS on ICT risk management specifies BCP tests at least annually.
Can iluminr scenarios cover ICT third-party risk?
Yes. The iluminr library includes purpose-built scenarios for critical third-party outages, ICT supplier insolvency, and concentration risk across cloud providers and payment infrastructure - directly addressing the RTS requirement to test severe-but-plausible third-party disruption.
What evidence does iluminr produce for DORA audits?
Every Microsimulation generates a structured evidence record: scenario metadata, participant responses, decision quality scores, time-to-decision, identified gaps, and post-exercise findings. Capability Intelligence aggregates this into an audit-ready reporting layer showing testing frequency, scope, and outcomes over time.
United Kingdom - In force 31 Mar 2022

Microsimulations for UK Operational Resilience

FCA PS21/3 / PRA PS6/21 - Building Operational Resilience

In one line

UK regulators require firms to identify their important business services, set impact tolerances, and demonstrate through scenario testing that they can remain within those tolerances during severe but plausible disruption.

What UK Op Res requires

The FCA, PRA, and Bank of England jointly require in-scope firms - banks, insurers, major investment firms - to embed operational resilience across governance, risk management, and testing. By March 2025, firms must have demonstrated they can operate within impact tolerances.

Important Business Services - map and define the services whose disruption would cause intolerable harm to customers or financial stability
Impact tolerances - set the maximum tolerable disruption duration for each service, and test whether they are achievable
Scenario testing - use severe but plausible scenarios to identify vulnerabilities; the 2021 policy statement explicitly names cyber, third-party failure, and pandemic-type scenarios
Self-assessment document - maintain a board-approved document evidencing the testing programme, findings, and remediation
Lessons learnt - embed lessons from exercises and real events back into resilience improvement
Requirement Mapping

How iluminr maps to UK Op Res

UK requirement | iluminr capability
Scenario testing of important business services | Expert-Led Simulations built around the firm's actual services, tolerances, and interdependencies
Validating that impact tolerances are achievable | Scenario injects that pressure-test recovery timelines against documented tolerance thresholds
Cyber and third-party disruption scenarios | Library of severe-but-plausible scenarios including cyber attacks, cloud provider outages, and supplier failures
Board and senior management engagement | Executive simulation format that places the management body directly in scenario decision-making
Self-assessment evidence | Structured exercise records, decision logs, and Capability Intelligence reports supporting the board self-assessment document
FAQ

UK Op Res questions

What counts as a "severe but plausible" scenario under UK Op Res?
The FCA and PRA guidance references scenarios that are realistic but not routine - cyber attacks causing extended system outage, critical third-party failure, and simultaneous multi-site disruption. Scenarios should be calibrated to the firm's own risk profile and important business services, not generic templates.
Do Microsimulations satisfy the FCA/PRA expectation for scenario testing?
Yes, where they are designed around the firm's important business services and impact tolerances. Multiplayer Microsimulations and Expert-Led Simulations produce the structured evidence - scenario design rationale, participant decision records, identified gaps, and remediation tracking - that the self-assessment document requires.
How does iluminr support board-level engagement with Op Res?
Expert-Led Simulations are designed for executive and board committee audiences. They place senior decision-makers inside a realistic scenario built around the firm's actual services and tolerances, producing a direct experience of the decisions they would face - and structured evidence of their response capability for the self-assessment document.
Australia - In force 1 Jul 2025

Microsimulations for APRA CPS 230

Prudential Standard CPS 230 - Operational Risk Management

In one line

CPS 230 requires APRA-regulated entities to maintain and regularly rehearse business continuity plans, test their ability to continue critical operations through severe disruption, and produce evidence of testing outcomes for board and APRA review.

What CPS 230 requires

CPS 230 applies to all APRA-regulated entities - banks, insurers, superannuation funds - and their material service providers. It replaces CPS 232 (Business Continuity Management) and significantly raises the bar for testing rigour and evidence.

BCP rehearsals - test business continuity plans at least annually, and more frequently for high-risk operations
Severe but plausible scenarios - scenarios must reflect realistic threats to the entity's critical operations, not just standard outage assumptions
Third-party testing - entities must test continuity arrangements with material service providers, not just assume contractual SLAs will hold
Board oversight - boards must approve the BCP framework and receive regular reporting on testing outcomes and identified gaps
Lessons learnt - findings from testing must feed back into plan improvements with documented remediation
Requirement Mapping

How iluminr maps to CPS 230

CPS 230 requirement | iluminr capability
Annual BCP rehearsals | Multiplayer Microsimulations running BCP activation scenarios with structured decision tracking
Severe but plausible scenario design | Scenario library covering cyber outage, third-party failure, pandemic-type disruption, and natural hazard events
Material service provider continuity testing | Scenarios that explicitly model supplier failure and test internal response when providers cannot recover within tolerance
Board reporting on testing outcomes | Capability Intelligence dashboards showing testing frequency, scenario coverage, decision quality, and gap remediation status
Lessons learnt and remediation tracking | Post-exercise reports with identified gaps automatically tracked through to remediation close-out
FAQ

CPS 230 questions

Does CPS 230 require scenario-based exercises specifically?
Yes. CPS 230 requires rehearsals of business continuity plans against scenarios that reflect severe but plausible disruption. APRA's guidance emphasises that testing should go beyond desktop reviews to include exercising actual response capability - decision-making, escalation, and coordination under realistic conditions.
How does iluminr help with the third-party testing requirement?
iluminr includes scenario templates specifically designed to test entity response when a material service provider fails - covering cloud infrastructure, payment processors, and outsourced operations. These scenarios simulate the internal coordination and decision-making required when contractual recovery timelines are not met.
What evidence does iluminr produce for APRA review?
Every exercise generates a structured record: scenario design, participants, decision quality, time-to-decision, identified gaps, and remediation actions. Capability Intelligence aggregates this into a testing programme view that demonstrates frequency, scenario coverage, and continuous improvement - the evidence base APRA expects to see in reviews.
United States - Version 2.0, Feb 2024

Microsimulations for NIST CSF

NIST Cybersecurity Framework 2.0 - National Institute of Standards and Technology

In one line

NIST CSF 2.0 establishes Govern, Identify, Protect, Detect, Respond, and Recover as the six functions of cybersecurity - and makes exercising response and recovery capability an explicit expectation of the framework, not an afterthought.

What NIST CSF requires

NIST CSF is a voluntary framework adopted widely across US critical infrastructure and financial services. Version 2.0 adds Govern as a sixth function and strengthens expectations around exercising and testing - making the Respond and Recover functions operationally demonstrable rather than policy-based.

RS.AN - Incident analysis activities are performed to characterise incidents and inform response; tabletops and exercises are explicitly referenced
RS.CO - Response activities are coordinated with internal and external stakeholders; exercises validate coordination capability
RC.RP - Recovery plan is executed and maintained, with restoration activities coordinated and communicated
GV.OC - Organisational context and risk tolerance inform the programme; exercises provide empirical data to calibrate both
SP 800-84 - Companion guide specifically defines TTX programs, functional exercises, and full-scale tests as the testing hierarchy
Requirement Mapping

How iluminr maps to NIST CSF

NIST CSF function / subcategory | iluminr capability
RS.AN - incident analysis and response exercises | Single-player and multiplayer Microsimulations placing teams inside realistic cyber incident scenarios
RS.CO - cross-functional coordination | Multiplayer scenarios spanning security, legal, comms, and operations with coordination gap measurement
RC.RP - recovery plan execution | BCP and recovery scenarios that test plan execution under realistic pressure, not just plan review
SP 800-84 TTX programme | Microsimulation format maps directly to TTX and functional exercise levels with structured data output
Continuous improvement cycle | Capability Intelligence produces longitudinal evidence of response improvement across scenario runs
FAQ

NIST CSF questions

Is NIST CSF mandatory for financial services organisations?
NIST CSF is voluntary as a standalone framework, but it underpins many mandatory US requirements - FFIEC CAT, CISA directives, and state-level cybersecurity regulations all reference or align to it. For most US financial institutions, demonstrating alignment to NIST CSF is effectively expected by examiners and regulators.
How do Microsimulations relate to SP 800-84 exercise types?
NIST SP 800-84 defines a hierarchy from tabletop exercises through functional exercises to full-scale tests. Microsimulations map to the tabletop and functional exercise levels - they are scenario-based, involve realistic decision-making, and produce structured data outputs that SP 800-84 identifies as the measure of exercise effectiveness.
Can iluminr support NIST CSF self-assessment and measurement?
Yes. Capability Intelligence provides the empirical data to benchmark response capability against CSF subcategory expectations - showing decision speed, coordination quality, and gap patterns over time. This turns a self-assessment from a policy attestation into an evidence-based measurement.
International - Current edition 2019

Microsimulations for ISO 22301

ISO 22301:2019 - Security and Resilience - Business Continuity Management Systems

In one line

ISO 22301 is the international standard for business continuity management - and clause 8.5 explicitly requires organisations to exercise and test their BCM capabilities through exercises that evaluate their response to disruptive incidents.

What ISO 22301 requires

ISO 22301 provides a systematic framework for establishing, implementing, and maintaining a BCMS. Certification requires demonstrated conformance across planning, implementation, and - critically - exercise and evaluation. Clause 8.5 is the exercise requirement.

Clause 8.5 - conduct exercises at planned intervals that test BCM capabilities and verify that business continuity plans are fit for purpose
Exercise types - the standard references tabletops, simulations, and full-scale exercises; the choice should reflect the complexity and risk profile of the organisation
Post-exercise review - document findings, identify improvements, and update plans based on exercise outcomes
Management review - clause 9.3 requires senior management to receive regular reports on BCMS performance, including exercise outcomes
Requirement Mapping

How iluminr maps to ISO 22301

ISO 22301 clause | iluminr capability
Clause 8.5 - exercise programme | Structured Microsimulation programme across single-player, multiplayer, and expert-led formats
Testing that plans are fit for purpose | Scenario injects that test whether BCP procedures hold up under realistic disruption conditions
Post-exercise findings and improvement | Structured post-exercise reports with gap identification and remediation tracking
Clause 9.3 - management review reporting | Capability Intelligence dashboards providing senior management with programme performance data
FAQ

ISO 22301 questions

Do Microsimulations count as exercises under ISO 22301 clause 8.5?
Yes. ISO 22301 clause 8.5 requires exercises that test BCM capabilities - it does not prescribe a specific format. Microsimulations are scenario-based exercises that test decision-making and response capability, produce structured post-exercise evidence, and feed into the improvement cycle the standard requires.
How often do exercises need to run under ISO 22301?
The standard requires exercises "at planned intervals" - the frequency is risk-based. Certification bodies typically expect at least annual exercises, with many organisations running quarterly Microsimulations for continuous practice and an annual Expert-Led Simulation as the primary certification exercise.
International - Current edition 2022

Microsimulations for ISO 27001

ISO/IEC 27001:2022 - Information Security Management Systems

In one line

ISO 27001 requires organisations to test their information security incident response capability - Annex A control 5.24 makes it explicit that incident management procedures must be rehearsed and evidenced, not just documented.

What ISO 27001 requires

ISO 27001 is the international standard for information security management. The 2022 revision introduced new controls around threat intelligence, cloud security, and - relevant here - incident response rehearsal. Annex A controls 5.24 to 5.28 cover the full incident management lifecycle.

Control 5.24 - planning and preparation for information security incident management, including defined roles, responsibilities, and rehearsal of procedures
Control 5.25 - assessment and decision on information security events; teams must demonstrate they can classify and escalate correctly
Control 5.26 - response to information security incidents, with documented procedures that have been tested
Control 5.27 - lessons learnt from incidents and exercises, with evidence that findings inform improvement
Requirement Mapping

How iluminr maps to ISO 27001

ISO 27001 control | iluminr capability
5.24 - incident response rehearsal | Single-player Microsimulations for individual IR readiness; multiplayer drills for team-level rehearsal
5.25 - classification and escalation decisions | Scenarios that test triage accuracy, severity classification, and escalation timing under realistic pressure
5.26 - tested response procedures | Scenario injects that exercise playbooks under conditions where they are most likely to break
5.27 - lessons learnt and evidence | Post-exercise gap reports and Capability Intelligence tracking remediation through to close
FAQ

ISO 27001 questions

Does ISO 27001 require exercises, or just documented procedures?
The 2022 revision makes it clear that documented procedures alone are not sufficient - control 5.24 specifically requires planning and preparation including rehearsal of incident management procedures. Certification auditors increasingly expect evidence of exercises, not just policy documents.
Can Microsimulations support ISO 27001 certification?
Yes. Microsimulations produce exactly the evidence auditors look for: scenario design demonstrating risk-based exercise planning, participant records, decision quality data showing procedures were tested, and gap remediation evidence. Many organisations use iluminr exercises as the primary evidence base for Annex A 5.24–5.27 in certification audits.
United States - BCM Booklet updated 2019

Microsimulations for FFIEC

Federal Financial Institutions Examination Council - Business Continuity Management Booklet

In one line

FFIEC's BCM Booklet requires US financial institutions to maintain a testing programme that exercises business continuity plans, validates recovery objectives, and provides management with evidence that the institution can withstand realistic disruption scenarios.

What FFIEC requires

FFIEC guidance applies to banks, credit unions, and other US federally regulated financial institutions through examiner-led reviews. The BCM Booklet is the primary reference for examiners assessing continuity and resilience programme maturity.

Testing programme - institutions must maintain a testing programme that includes multiple exercise types - tabletops, functional tests, and integrated enterprise-wide tests
Scenario coverage - scenarios should cover a range of disruption types including cyber events, third-party failures, and natural disasters
Third-party dependencies - test recovery capability when critical service providers are unavailable, not just internal operations
Management reporting - board and senior management must receive regular reports on testing outcomes, identified gaps, and remediation progress
Examiner evidence - examiners expect to see documented exercise records, gap analyses, and evidence that findings are tracked to resolution
Requirement Mapping

How iluminr maps to FFIEC

FFIEC requirement | iluminr capability
Tabletop and functional exercise programme | Microsimulation formats covering single-player, multiplayer, and Expert-Led Simulation levels
Cyber, third-party, and disaster scenarios | Scenario library spanning cyber incidents, provider outages, and natural hazard business disruption
Third-party recovery testing | Scenarios that simulate critical provider unavailability and test institution response when SLAs are breached
Board and management reporting | Capability Intelligence reports showing programme coverage, decision quality, and gap status over time
Examiner-ready documentation | Structured exercise records and audit-ready evidence packages for examination cycles
FAQ

FFIEC questions

What do FFIEC examiners look for in a testing programme?
Examiners look for evidence that testing is risk-based, covers a range of disruption scenarios, involves the right people (including senior management), produces documented findings, and demonstrates that gaps are tracked to resolution. A programme that only runs annual tabletops and produces a narrative report is increasingly seen as inadequate.
How does iluminr help with FFIEC examination preparation?
iluminr produces the structured evidence base examiners expect: exercise records with scenario design rationale, participant lists, decision quality data, identified gaps, and remediation tracking. Capability Intelligence provides the longitudinal view of programme maturity that demonstrates continuous improvement - a key examiner expectation.
Can Microsimulations replace full-scale BCM tests?
Microsimulations complement rather than replace full-scale tests. The FFIEC BCM Booklet expects a tiered programme - Microsimulations provide the frequent, scalable decision-making and coordination practice that builds underlying capability, while full-scale tests validate the complete recovery infrastructure. Most institutions use Microsimulations quarterly and reserve full-scale tests for annual or biennial cycles.