What is a cyber incident response plan?

Dec 6, 2023 | Cyber Incident Exercising

A new Cyber Incident Exercising scheme has been launched by the National Cyber Security Centre (NCSC).

The new Industry Assurance scheme has been created to help organisations practise their response to a cyber attack.

IASME is one of two delivery partners for the scheme and will manage the assessment, onboarding, monitoring and offboarding of providers assured under the Cyber Incident Exercising scheme on behalf of the NCSC. The assurance process confirms that the provider meets the NCSC’s rigorous standards for high quality cyber incident exercising, with sufficient skills and experience of running cyber exercises such as table top and live play exercises.

The scheme is aimed at incidents that fall into category 3, 4 and 5 of the UK’s Cyber Attack categorisation system.

Stacey Lidgate is the Business Development Director and one of the cyber resilience and incidence response experts at CYSIAM. CYSIAM are working with IASME to help deliver the new Cyber Incident Exercising scheme.

Stacey gives us an overview of the main points a cyber incident response plan should cover.

A cyber incident is any activity that has a potentially adverse effect on the availability, confidentiality, or integrity of systems and/or data. This could be accidentally emailing the wrong person, the misconfiguration of a platform to allow unintended access or a targeted cyber attack on an organisation to steal sensitive data

An incident response plan is a documented set of principles and actions, the ‘who, why, what, where, when’, that your organisation will implement in the event of an cyber incident. It specifically considers your reaction to loss of system or data availability, confidentiality or integrity and the steps you need to take to manage the situation and keep your organisation going.

Cyber incident responses need to coordinate people, processes and technical elements to ensure that minimal damage is caused, laws and regulations are followed and the organisation can get back to business-as-usual as quickly as possible.

If you don’t have a cyber incident response plan, the National Cyber Security Centre provide some guidance on their website.  Developing your IR plan Take your team through the “who, why, what, where, when and how” approach to consider and capture the following details:

Critical stakeholders

Define who you’ll need around as part of the response. Make sure that their contacts are easily accessible offline. As a minimum, think about your Incident Response supplier and cyber insurer (if you have them). Make sure that representatives from across the organisation such as  IT, operations, HR, finance and legal are all represented.


Describe how an incident will be escalated to senior teams and who will take the official decision to enter “incident response”.

Roles and responsibilities

Describe the roles and responsibilities that are required throughout the incident (for example that of incident manager), and consider who from the organisation is nominated to do that role. Think about the deputies that would step into a role if the main nominee was unavailable.

The incident lifecycle

Think about the different stages of an incident and the answers that you might need throughout them:


Have you thought through your critical systems and what you rely on every day? for example, email accounts, file storage or sales systems. What would be the impact if you lost those systems? how long could you survive without them and what might your back-up ways of working be?

Who is responsible for investigating your systems and trying to find the cause of the incident?


Who will make your systems safe?


Who is responsible for getting rid of the threat?


Once you have returned to business-as-usual, what steps are you taking to remediate any gaps in your cyber security and strengthen your resilience?


What are the number of ways you have for contacting teams? How will you communicate with staff? Who is responsible for authorising messages? Who is responsible for dealing with any press enquiries and managing external communications or social media queries?

Legal and regulatory responsibilities

What responsibilities do you have for reporting the incident? You may have to consider reporting to the Information Commissioner’s Office  or to the police depending on the severity of the incident.

How often should I rehearse my incident response plan?

It depends on your size and type of organisation, but it would be a good starting point to exercise your plans at least annually using different types of cyber incident scenarios each time.