Frequently Asked Questions

NCSC Cyber Incident Exercising

Frequently Asked Questions about Cyber Incident Exercising Services

For whom is the scheme designed?

All UK organisations are at risk of cyber attack and can improve their cyber resilience by creating and practising an incident response plan. The NCSC’s CIE Industry Assurance scheme was designed to help a wide range of UK businesses, charities, public sector and government organisations who are looking to rehearse, evaluate and improve their cyber incident response plan.

Why should I exercise my cyber response plan?

The frequency and sophistication of cyber attacks have increased to the point that, for most organisations, it is not a case of if, but when an incident will occur. An incident exercise involves not only imagining and planning for the worst, but practising your response plan. A bit like a fire drill, the incident response plan will need to be practised so that if something happens for real one day, everyone knows what to do without panicking.

It is particularly important to exercise cyber incidents which will have a significant impact on your organisation. Typically, these incidents will have the potential for a serious operational, financial, or regulatory impact on your business and can be classified as Category 3, 4 and 5 incidents on the UK’s Cyber Attack categorisation system. Such a cyber incident could be something like an insider threat leading to a data breach or a ransomware attack delivered by phishing email.

A cyber incident exercise could involve just your IT team, or the whole company and may stray into the realms of informing regulators, customers and partners and managing the press. Your incident response plan should cover all of these eventualities, and it is important that you practise who would deal with what and how.

How do I find an Assured Service Provider for CIE to work with my organisation?

You can contact a CIE Assured Service Provider directly. A list of providers can be found here and on the NCSC website.

Alternatively, if you are interested in using Cyber Incident Exercising services and would like more help, please contact our customer services team on 03300 882 752 or email us on [email protected]

How much will it cost for an CIE Assured Service Provider to help me exercise my cyber incident response plan?

The Assured Service Provider will agree pricing directly with you. The pricing typically depends on factors including your type and size of organisation, the type of exercising that you need, and the number of people involved.

Can I ask the CIE Assured Service Provider to help me create a cyber incident response plan?

Of course! Most providers will be very willing to assist you with services related to Incident Exercising such as developing business continuity and incident response plans, security assessments and other services such as responding to incidents when they happen. Please note that these other related services have not been specifically assured by NCSC and are beyond the scope of the NCSC CIE scheme.
You can find additional guidance on creating a cyber incident response plan at the NCSC website.

How often should I rehearse my incident response plan?

It depends on your size and type of organisation, but it would be a good starting point to exercise your plan at least annually using different types of cyber incident scenarios each time.

Frequently Asked Questions for potential Assured Service Providers

Who is eligible to apply to become an Assured Service Provider?

The scheme is open to companies operating with a registered office in the UK and incident exercise staff located physically within the UK.
Applicants will need to be able to send staff to locations within the UK when requested to by a customer. You don’t need to be able to cover the whole of the UK and smaller companies with limited geographical coverage are very welcome to join.

What are the benefits of becoming an Assured Service Provider with IASME?

The benefits include:

  • Your company will be able to demonstrate to clients and partners that you have the experience and capability to meet the NCSC’s strict criteria for Cyber Incident Exercising Providers
  • You will have use of the NCSC Assured Service Provider branding for your website, emails, and promotional materials to demonstrate your capabilities
  • Your company will be promoted as an Assured Service Provider via the NCSC website
  • You will be part of IASME’s community of cyber security organisations, giving you access to member events, webinars, help and support from IASME’s award-winning team of staff

Who uses the services of the scheme?

The scheme is aimed at incidents that fall into category 3, 4 and 5 of the UK’s Cyber Attack categorisation system.

Private sector organisations, charities, local authorities and smaller public sector organisations, and organisations which operate predominantly in the UK are likely to be the main users of the scheme’s services.

What is IASME’s role in the scheme?

IASME is a Delivery Partner operating the scheme on behalf of the NCSC. This means that IASME administers the evaluation and onboarding process for your organisation against the NCSC CIE Technical Standard, as well as assuring quality through the ongoing audit and renewal process. IASME also collates the Management Information that you collect as part of your involvement with the scheme and any feedback from clients and from ASPs on how to continuously improve the service.

IASME is also the Delivery Partner for other NCSC schemes including Cyber Essentials and Cyber Advisor.

What are the costs of becoming an Assured Service Provider?

There is an onboarding fee of £1,100 + VAT. 

There is also an annual license fee that is based on the number of cyber incident exercising engagements you have carried out in the preceding 12 months. The annual licence fee is £750 + VAT plus a charge of £50 + VAT per cyber incident engagement that you have carried out with a client.

For how long does my Assured Service Provider status last?

Your Assured Service Provider status will last for 12 months and is renewed annually.

You will need to complete a short renewal process annually, where you confirm that you still meet the security and quality requirements and that you are still offering appropriate services.

Every three years you will be required to complete a full renewal with a more in-depth reassessment of your company’s capabilities.

Periodic reviews may also take place in the event of changes to the NCSC CIE Technical Standard or scheme requirements.

How long does the assessment process take?

We aim to complete the assessment process within six weeks. This depends on your organisation having all the information, such as case studies and references, available to enter into the online questionnaire in a reasonable timeframe.

What do I need to demonstrate for the assessment?

You must be able to demonstrate that your company can meet all the requirements of the NCSC CIE Technical Standard, including providing relevant case studies and client references.
The NCSC CIE Technical Standard can be found here.

Does my team need any specific skills, experience or certifications?

Your team must have sufficient skills and experience to be able to offer all aspects of the Cyber Incident Exercising service, as outlined in the NCSC CIE Technical Standard. It is not necessary for one person to have all the skills required; the expectation is that in most cases the spread of skills and experience will be across a team of people. You will need to provide evidence that your staff have experience of offering exercising services at the appropriate size of organisation and at a range of levels, and the capabilities and skills to take incident exercising from initial client engagement, through scenario development to conducting the exercise and reporting back.

Importantly, your team will need a Team Lead who has at least three years’ experience of cyber incident exercising in a role where cyber incident exercising for external clients forms a key part of the job. The experience must be of both table-top and live-play exercises for organisationally significant events (as defined by the NCSC CIE Technical Standard).

If you don’t have a suitable Team Lead, there is an alternative route to meet this requirement through our Team Lead test.

This route is open to people with at least one year’s experience of incident exercising in a role where incident exercising for external clients forms a key part of the job.

For more information about the Team Lead test, please contact IASME’s customer services team ([email protected]).