NCSC Cyber Incident Exercising:
Frequently Asked Questions

All UK organisations are at risk of cyber attack and can improve their cyber resilience by creating and practising an incident response plan. The NCSC’s CIE Scheme is aimed at helping a wide range of UK businesses, charities, public sector and government organisations who are looking to rehearse, evaluate and improve their cyber incident response plans.

You can contact a CIE Assured Service Provider directly. A list of providers can be found here and on the NCSC website.

Alternatively, if you are interested in using Cyber Incident Exercising services and would like more help, please contact our customer services team on [email protected] or call 03300 882 752.

The Assured Service Provider will agree pricing directly with you. The pricing typically depends on factors including your type and size of organisation, the type of exercising that you need, and the number of people involved.

Of course! Most providers will be very willing to assist you with services related to Incident Exercising such as developing business continuity and incident response plans, security assessments and other services such as responding to incidents when they happen. Please note that these other related services have not been specifically assured by NCSC and are beyond the scope of the NCSC CIE scheme.
You can find additional guidance on creating a cyber incident response plan at the NCSC website.

It depends on your size and type of organisation, but it would be a good starting point to exercise your plans at least annually using different types of cyber incident scenarios each time.

The scheme is open to companies operating with a registered office in the UK and incident exercise staff located physically within the UK.
Applicants will need to be able to send staff to locations within the UK when requested to by a customer. You don’t need to be able to cover the whole of the UK and smaller companies with limited geographical coverage are very welcome to join.

·        Your company will be able to demonstrate to clients and partners that you have the experience and capability to meet the NCSC’s strict criteria for Incident Exercising providers.

·        You will have use of the NCSC Assured Service Provider branding for your website, emails, and promotional materials to demonstrate your capabilities. You will also receive a digital badge carrying the same branding that can be used by clients to verify your continued membership of the scheme.

·        Your company will be promoted as an Assured Service Provider via the IASME and NCSC websites.

·        You will also be part of IASME’s community of cyber security organisations, giving you access to member events, webinars, help and support from IASME’s award-winning team of staff.

The scheme is aimed at incidents that fall into category 3, 4 and 5 of the UK’s Cyber Attack categorisation system.

Private sector organisations, charities, Local Authorities and smaller public sector organisations, and organisations which operate predominantly in the UK are likely to be the main users of the scheme’s services.

IASME is a Delivery Partner operating the scheme on behalf of the NCSC. This means that IASME administers the evaluation and onboarding process for your organisation against the NCSC CIE Technical Standard, as well as assuring quality through the ongoing audit and renewal process. IASME also collates the Management Information that you collect as part of your involvement with the scheme and any feedback from clients and from ASPs on how to continuously improve the service.

IASME is also the Delivery Partner for other NCSC schemes including Cyber Essentials and Cyber Advisor.

There is an onboarding fee of £1,100 + VAT. 

There is also an annual license fee that is based on the number of cyber incident exercising engagements you have carried out in the preceding 12 months. The annual licence fee is £750 + VAT plus a charge of £50 + VAT per cyber incident engagement that you have carried out with a client.

Your Assured Service Provider status will last for 12 months and is renewed annually.

You will need to complete a short renewal process annually, where you confirm that you still meet the security and quality requirements and that you are still offering appropriate services.

Every three years you will be required to complete a full renewal with a more in-depth re-assessment of your company’s capabilities.

Periodic reviews may also take place in the event of changes to the NCSC CIE Technical Standard or scheme requirements.

We aim to complete the assessment process within six weeks. This depends on your organisation having all the information, such as case studies and references, available to enter into the online questionnaire in a reasonable timeframe.

You must be able to demonstrate that your company can meet all the requirements of the NCSC CIE Technical Standard, including providing relevant case studies and client references.

The NCSC CIE Technical Standard can be found here.

Your team must have sufficient skills and experience to be able to offer all aspects of the Cyber Incident Exercising service, as outlined in the NCSC CIE Technical Standard. It is not necessary for one person to have all the skills required; the expectation is that in most cases the spread of skills and experience will be across a team of people. You will need to provide evidence that your staff have experience of offering exercising services at the appropriate size of organisation and at a range of levels, and the capabilities and skills to take incident exercising from initial client engagement, through scenario development to conducting the exercise and reporting back.

Importantly, your team will need a Team Lead who has at least three years’ experience of cyber incident exercising in a role where cyber incident exercising for external clients forms a key part of the job. The experience must be of both table-top and live play exercises for organisationally significant events (as defined by the NCSC CIE Technical Standard).

If you don’t have a suitable Team Lead, there is an alternative route to meet this requirement through our Team Lead test.

This route is open to people with at least one year’s experience of incident exercising in a role where incident exercising for external clients forms a key part of the job.

For more information about the Team Lead test, please contact IASME’s customer services team ([email protected]).