Frequently Asked Questions

The IASME Consortium

Frequently Asked Questions about Cyber Incident Response Level 2 Services

What is a Cyber Attack?

Cyber attacks can take many forms and according to the NCSC, usually involve:

  • A breach of a system’s security in order to affect its integrity or availability
  • The unauthorised access or attempted access to a system

How would I know if this has happened to me?

An obvious indication of a problem might be an on-screen message demanding a payment which would alert you that your computer is infected with ransomware and your files may have been encrypted. If you have anti-virus software installed on your computer, it may alert you if there is a threat present. Other clues that there maybe a problem could be more subtle. A bit like having a poltergeist within your computer, programs may run extra slowly, they may close down without warning or other apps open up without being instructed. Your device may reboot itself, and pop up boxes appear from programs you don’t recognise asking you to do unexpected things. People may start receiving weird emails from you promoting unlikely products or containing nothing but a suspicious link. Your web site or online services may have crashed and be off line, your passwords have been changed and files, applications or services may have been deleted, changed or cannot be accessed. Far from always being obvious, according to IBM, it can take a company 197 days to discover a breach.

What do I do if I think my organisation has been a victim of a cyber attack?

If your organisation has been the victim of a cyber attack, the NCSC recommend that you check gov.uk/report-cyber to identify where you should report your incident, and https://ncsc.gov.uk/cir-companies to help you to recover from your cyber attack.

Please note, if you have cyber liability insurance, you should first contact your insurance provider as this is often part of the terms of your insurance. If you are a small organisation and have a current Cyber Essentials certificate and you opted in to the included cyber insurance, you can call the 24hr helpline to report a cyber incident.

If you wish to plan and practise your organisation’s response to a cyber incident in a safe environment, you can contact an Assured Service Provider in Cyber Incident Exercising.

Will the CIR provider tell the police or anyone else?

All communication with your CIR provider will be confidential unless you choose otherwise.

(Please note, the ASP will share limited, non-attributable information with the NCSC.)

What is the difference between Cyber Incident Response Level 1 and 2?

The NCSC assures Cyber Incident Response companies at two levels:

CIR Level 2 Assured Services Providers have been assessed as being capable of responding to the types of cyber attack likely to be faced by the majority of UK organisations.

CIR Level 1 Assured Service Providers have been assured to the same standard as Level 2 Providers, and further assessed as capable of providing incident response services to organisations which are likely to face targeted cyber attacks by nation state backed actors.

See the NCSC website for more information on the CIR Scheme.

IASME are Delivery Partners for the CIR Level 2 scheme. If you are an organisation which is part of UK Central Government, the Critical National Infrastructure, or which operates in a regulated sector or more than one country and think you need a CIR Level 1 provider, contact a Level 1  Assured Service Provider directly from the NCSC website.

How much will it cost for an CIR Assured Service Level 2 Provider to help me respond to a cyber incident?

The Assured Service Provider will agree pricing directly with you. The pricing typically depends on factors including your type and size of organisation and the type and scale of incident you are dealing with.

Frequently Asked Questions for potential Assured Service Providers

Who is eligible to join this scheme?

Companies operating with a registered office in the UK and incident response staff located physically within the UK.

You will need to submit information to demonstrate your organisation’s compliance with the NCSC’s CIR Level 2 Technical Standard.

The NCSC expects its Cyber Incident Response Assured Service Providers to be able to:

  • Understand the capabilities and behaviours of threat actors
  • Determine the extent of an incident on enterprise networks
  • Ensure that the immediate impact is managed as rapidly and effectively as possible
  • Provide suitable recommendations to remediate the compromise and increase security across the victim’s network
  • Produce an incident report including, at minimum: a full description of the scope of the problem, the technical impact, mitigation activities and an assessment of business impact
  • Give an Impact Assessment which can be used by the victim to explain the incident to other parties (partners, regulators or customers)

Who uses the services of this scheme?

Service Providers which are assured to the CIR Level 2 standard are expected to have the capability to support cyber incident response for most private sector organisations, charities, local authorities, smaller public sector organisations and organisations that predominantly operate in the UK.

What do I get as a scheme member?

  • Your company will be able to demonstrate to clients and partners that you have the experience and capability to meet the NCSC’s strict criteria for Cyber Incident Response Level 2 Providers
  • You will have use of the NCSC Assured Service Provider branding for your website, emails, and promotional materials to demonstrate your capabilities
  • Your company will be promoted as an Assured Service Provider via the NCSC website
  • You will be part of IASME’s community of cyber security organisations, giving you access to member events, webinars, help and support from IASME’s award-winning team of staff

What are the costs to be a CIR Assured Service Provider?

There is an onboarding fee of £1,100 + VAT.

There is also an annual license fee of £1,100 + VAT.

What is IASME's role in the scheme?

IASME is a Delivery Partner operating the scheme on behalf of the NCSC. This means that IASME administers the evaluation and onboarding process for your organisation against the NCSC CIR Level 2 Technical Standard, as well as assuring quality through the ongoing audit and renewal process. IASME also collates the Management Information that you collect as part of your involvement with the scheme and any feedback from clients and from ASPs on how to continuously improve the service.

IASME is also the Delivery Partner for other NCSC schemes including Cyber Essentials, Cyber Advisor and Cyber Incident Exercising.

For how long does my Assured Service Provider status last?

Your Assured Service Provider status will last for 12 months and is renewed annually.

You will need to complete a short renewal process annually, where you confirm that you still meet the security and quality requirements and that you are still offering appropriate services.

Every three years you will be required to complete a full renewal with a more in-depth reassessment of your company’s capabilities.

Periodic reviews may also take place in the event of changes to the NCSC CIR Level 2 Technical Standard or scheme requirements.

How long does the assessment process take?

The assessment process will be concluded within 6 weeks of a completed submission, subject to any feedback and resubmissions.

What do I need to demonstrate for the assessment?

You must be able to demonstrate that your company can meet all the requirements of the NCSC CIR Level 2 Technical Standard, including providing relevant case studies and client references.

The NCSC CIR Level 2 Technical Standard can be found here.

Does my team need any specific skills, experience or certifications?

Your team must have sufficient skills and experience to be able to offer all aspects of the Cyber Incident Response Level 2 service, as outlined in the NCSC CIR Level 2 Technical Standard. It is not necessary for one person to have all the skills required; the expectation is that in most cases the spread of skills and experience will be across a team of people. You will need to provide evidence that your staff have experience of offering response services at the appropriate size of organisation.

Importantly, your team will need a Team Lead who has relevant experience of cyber incident response. The team lead must either have and be able to evidence at least two years’ experience as an Incident Responder and hold one of the following incident response certifications:
  • GIAC Certified Incident Handler (GCIH)
  • CREST Registered Intrusion Analyst (CR IA)
  • eLearnSecurity Certified Digital Forensics Professional (ECDFP)
  • EC-Council Certified Incident Handler (ECIH)
Or
  • Have and be able to evidence at least three year’s experience as an Incident Responder