How can a Cyber Incident Exercise Assured Service Provider help you exercise your cyber incident response plan? by IASME and CREST

Aug 27, 2025 | Cyber Incident Exercising

IASME and CREST are the two Delivery Partners for the NCSC Cyber Incident Exercising scheme. The scheme is designed to help organisations that already have cyber incident response plans in place. It enables them to find an assured provider to help them test and make improvements before a cyber attack occurs.

IASME and CREST manage the assessment, onboarding, monitoring and offboarding of providers assured under the scheme on behalf of the NCSC.

Preparing to Respond to Cyber Incidents

The frequency and sophistication of cyber attacks have reached a point where it is no longer a question of if an incident will occur, but when. To be prepared, organisations must not only develop a robust response plan but also practise that plan—much like conducting a fire drill.

This process of practising a response plan is known as “exercising.” It is particularly critical to exercise responses to cyber incidents that could have a significant operational, financial, regulatory or reputational impact on your organisation. Such incidents might include a data breach caused by an internal security lapse or a ransomware attack delivered via a phishing email.

These scenarios could involve just your IT team or require a coordinated response across the entire organisation, including informing regulators, customers, and partners, as well as managing media communications.

The NCSC advises organisations that have been the victim of a cyber attack to report the incident to the appropriate bodies, such as Action Fraud, NCSC and the ICO. An online tool is available to help you identify the appropriate organisations to report the incident to. It’s worth noting that if you have cyber liability insurance, its terms often require you to contact your insurance provider as soon as possible after an incident.

Just as drivers often have a membership with an emergency breakdown service, many organisations establish a relationship with an incident responder before they actually need them. It’s a good idea to identify an Assured Service Provider that you would call if you needed help responding to an incident.

Your incident response plan should cover all of these eventualities, and it is important that you practise who would deal with what and how.

Organisations that have good incident response plans that are regularly rehearsed and reviewed are best placed to respond to cyber attacks and can get back up and running again quicker than those without.

Why Should You Have a Cyber Incident Response Plan?

Planning and preparing for cyber incidents ensures that organisations can respond in a coordinated and controlled manner during high-stress situations. While it’s impossible to predict every potential cyber incident, practising your response builds “cyber muscle memory,” reducing the element of surprise in an emergency. Many mistakes during incident responses stem from issues with command, control, and communication. By stress-testing your plans through regular exercises, you create a safe environment to identify weaknesses and make continuous improvements.

A Cyber Incident Response Plan (CIRP) is essential for managing and recovering from cyber security incidents. It enables rapid detection and containment of threats, minimising damage to systems, sensitive data, and business operations. A CIRP helps maintain business continuity, reduces downtime, and mitigates financial and reputational losses.

Beyond risk mitigation, a CIRP supports compliance with legal and regulatory requirements, such as GDPR/DPA 2018, and demonstrates a proactive commitment to security, which can enhance stakeholder confidence. Clear communication protocols within the plan ensure timely updates to employees, customers, and regulators, while proper documentation facilitates legal and forensic investigations. Regularly exercising and updating the plan ensures it remains effective against evolving threats, making it a cornerstone of a resilient and secure operational framework.

Incident response plans must integrate people, processes, and technical elements to minimise damage and restore normal operations as quickly as possible. Getting started can be as simple as dedicating time in a team meeting to ask, “What would we do if we were hit by a cyber incident?” Use the “who, why, what, where, when, how” framework to guide the discussion and document your findings. The NCSC website offers guidance on creating a cyber incident response plan.

How Do You Exercise a Cyber Incident Response Plan?

Exercising a cyber incident response plan is essential to ensure its effectiveness during a real incident. Regular exercising helps identify weaknesses, enhance team preparedness, improve response times, and adapt to evolving cyber threats. It also ensures compliance with regulations and demonstrates a commitment to robust cyber security practices.

To get familiar with how to carry out cyber exercising, the NCSC provides a free tool called ‘Exercise in a Box’ which allows teams to work through various scenarios to test and validate their plans. The next step is to collaborate with an experienced professional assured under the NCSC’s Cyber Incident Exercising (CIE) scheme.

An Assured Service Provider can design and facilitate tailored exercises, ranging from discussion-based tabletop scenarios to more in-depth, technically simulated live-play exercises. These exercises are customised to reflect the unique size, characteristics, and requirements of your organisation.

Cyber Incident Exercise Providers leverage their expertise and knowledge of up-to-date threat intelligence to craft realistic attack scenarios that align with your organisation’s sector, technologies, and people. These scenarios help you practise and refine your incident response capabilities in a hands-on manner, ensuring your team is better prepared to handle real cyber threats.

How Much Will It Cost?

The cost of working with an Assured Service Provider will depend on several factors, including the size and type of your organisation, the type of exercising you require, and the number of people involved. Pricing is agreed directly between your organisation and the provider, ensuring flexibility to meet your specific needs.

How Do I Find an Assured Service Provider for CIE to Work with My Organisation?

The NCSC’s Cyber Incident Exercising (CIE) scheme is designed to help a wide range of UK businesses, charities, public sector organisations, and government bodies rehearse, evaluate, and improve their cyber incident response plans.

To find an NCSC Assured Cyber Incident Exercising provider, visit the NCSC website, where you can access a list of approved providers. These providers have been rigorously assessed by IASME and CREST to ensure they meet the highest standards of expertise and professionalism.

By working together as Delivery Partners for the NCSC’s Cyber Incident Exercising scheme, IASME and CREST are committed to helping organisations across the UK build stronger, more resilient defences against cyber threats.

Find a list of NCSC Assured Cyber Incident Exercising providers here.