Shared Service Centrum ONS (SSC-ONS) is a partnership between six municipalities and the province of Overijssel. From its base in Zwolle, Ons delivers shared services in IT, HR and procurement. Within that IT service delivery, cybersecurity and crisis management are key responsibilities: a hack at Ons directly affects multiple government organisations and the citizens they serve.
The challenge
On paper, Ons had its crisis organisation well set up, with a split between an operational/tactical IT component and a strategic component. What was missing was a realistic test of that structure. Strategic-level exercises had been run before, but the IT side had never worked through a realistic scenario together. That left an open question: would the structure on the IT side actually hold up in practice? Are the roles right, do the communication lines between teams work, and are decisions genuinely made under pressure?
On top of that, Noor Felix, ICT Continuity Manager and Privacy Officer at Ons, deliberately wanted to bring in an external party. Internally, there was little experience with setting up large-scale crisis exercises, and an outside perspective was exactly what was needed to expose what the current approach was still missing.
Objectives
Ons was looking for an exercise that would help:
- test the existing IT crisis structure (operational and tactical) under realistic conditions;
- put the collaboration and communication within the operational/tactical IT team to the test;
- sharpen roles, mandates and decision-making, particularly under time pressure;
- generate concrete learning points to be developed further in a follow-up programme of role training and partner exercises.
Why CCRC?
Noor had previously taken part in a joint CCRC exercise for municipal policy officers, so she already knew CCRC. When Ons started looking for an external partner for its first truly realistic exercise, the step to CCRC was an easy one. The deciding factors were the trainers' hands-on experience, their structured way of working, and their willingness to make the scenario genuinely fit the Ons context.

The approach
CCRC and Ons worked closely together on the preparation. The scenario was built around systems, applications and staff that genuinely exist within Ons, so it stayed recognisable for everyone at the table. The simulation started small, with a functional administrator whose laptop was compromised, and escalated step by step to a critical application for physical access management, including implications for the data centre.
On the day itself, the focus was on testing the operational/tactical IT team, with CCRC acting as the response cell at strategic level to keep the scenario running realistically. Across three rounds, roles, communication lines and decision-making were put under pressure one after the other. CCRC then ran the evaluation, bringing observations from the rounds and participants' experiences together in a structured way.
The result
The exercise gave Ons exactly what the organisation was looking for: a realistic test of its own crisis structure, with concrete learning points. The foundation turned out to be solid, and at the same time it became clear where work still needs to be done, particularly around decision-making under time pressure. Teams sometimes stayed in an "information loop" too long before actually making calls.
Something else became visible too: engagement across the organisation was strong. Afterwards, a group of managers and technical staff stayed behind for more than an hour to talk about what could be better and what the next step should be. That momentum is exactly what Ons needed to push crisis management further internally.

The follow-up
For the rest of the year, role-specific training sessions are planned, focused on sharpening the chair and logger roles in particular. Alongside that, Ons is working on an internal training module so that everyone in the crisis organisation speaks the same language. At the end of the year, a follow-up exercise will take place, this time together with one of the partner municipalities.
The aim: test the wider chain as well, and bring the mandates that were agreed a few years ago back into focus. The ambition for the next twelve months is clear: not just being better prepared internally, but also taking real steps in cyber resilience together with partners.