NCSC Cyber Incident Response Level 2:
Frequently Asked Questions

Cyber attacks can take many forms and according to the NCSC, usually involve:

• A breach of a system’s security in order to affect its integrity or availability
• The unauthorised access or attempted access to a system

Other clues that there maybe a problem could be more subtle. A bit like having a poltergeist within your computer, programs may run extra slowly, they may close down without warning or other apps open up without being instructed. Your device may reboot itself, and pop up boxes appear from programs you don’t recognise asking you to do unexpected things. People may start receiving weird emails from you promoting unlikely products or containing nothing but a suspicious link. Your web site or online services may have crashed and be off line, your passwords have been changed and files, applications or services may have been deleted, changed or cannot be accessed.

Far from always being obvious, according to IBM, it can take a company 197 days to discover a breach.

If your organisation has been the victim of a cyber attack, the NCSC recommend that you check gov.uk/report-cyber to identify where you should report your incident, and https://ncsc.gov.uk/cir-companies to help you to recover from your cyber attack.

Please note, if you have cyber liability insurance, you should first contact your insurance provider as this is often part of the terms of your insurance. If you are a small organisation and have a current Cyber Essentials certificate and you opted in to the included cyber insurance, you can call the 24hr helpline to report a cyber incident.

If you wish to plan and practise your organisation’s response to a cyber incident in a safe environment, you can contact an Assured Service Provider in Cyber Incident Exercising.

All communication with your CIR provider will be confidential unless you choose otherwise.

(Please note, the ASP will share limited, non-attributable information with the NCSC.)

CIR Level 2 Assured Services Providers have been assessed as being capable of responding to the types of cyber attack likely to be faced by the majority of UK organisations.

CIR Level 1 Assured Service Providers have been assured to the same standard as Level 2 Providers, and further assessed as capable of providing incident response services to organisations which are likely to face targeted cyber attacks by nation state backed actors.

See the NCSC website for more information on the CIR Scheme.

IASME are delivery partners for the CIR Level 2 scheme. If you are an organisation which is part of UK central government, the Critical National Infrastructure, or which operates in a regulated sector or more than one country and think you need a CIR Level 1 provider, contact a Level 1  Assured Service Provider directly from the NCSC website.

The Assured Service Provider will agree pricing directly with you. The pricing typically depends on factors including your type and size of organisation and the type and scale of incident you are dealing with.

Companies operating with a registered office in the UK and incident response staff located physically within the UK.

You will need to submit information to demonstrate your organisation’s compliance with the NCSC’s CIR Level 2 Technical Standard.

The NCSC expects its Cyber Incident Response Assured Service Providers to be able to:

·       Understand the capabilities and behaviours of threat actors

·       Determine the extent of an incident on enterprise networks

·       Ensure that the immediate impact is managed as rapidly and effectively as possible

·       Provide suitable recommendations to remediate the compromise and increase security across the victim’s network

·       Produce an incident report including, at minimum: a full description of the scope of the problem, the technical impact, mitigation activities and an assessment of business impact

·       Give an Impact Assessment which can be used by the victim to explain the incident to other parties (partners, regulators or customers)

Service Providers which are assured to the CIR Level 2 standard are expected to have the capability to support cyber incident response for most private sector organisations, charities, local authorities, smaller public sector organisations and organisations that predominantly operate in the UK.

• Your company will be able to demonstrate to clients and partners that you have the experience and capability to meet the NCSC’s strict criteria for Cyber Incident Response Level 2 providers.
• You will have use of the NCSC Assured Service Provider branding for your website, emails, and promotional materials to demonstrate your capabilities. You will also receive a digital badge carrying the same branding that can be used by clients to verify your continued membership of the scheme.
• Your company will be promoted as an Assured Service Provider via the NCSC website.
• You will also be part of IASME’s community of cyber security organisations, giving you access to member events, webinars, help and support from IASME’s award-winning team of staff.

There is an onboarding fee of £1,100 + VAT.

There is also an annual license fee of £1,100 + VAT.

IASME is a Delivery Partner operating the scheme on behalf of the NCSC. This means that IASME administers the evaluation and onboarding process for your organisation against the NCSC CIR Level 2 Technical Standard, as well as assuring quality through the ongoing audit and renewal process. IASME also collates the Management Information that you collect as part of your involvement with the scheme and any feedback from clients and from ASPs on how to continuously improve the service. 

IASME is also the Delivery Partner for other NCSC schemes including Cyber Essentials, Cyber Advisor and Cyber Incident Exercising.

Your Assured Service Provider status will last for 12 months and is renewed annually.

You will need to complete a short renewal process annually, where you confirm that you still meet the security and quality requirements and that you are still offering appropriate services.

Every three years you will be required to complete a full renewal with a more in-depth re-assessment of your company’s capabilities.

Periodic reviews may also take place in the event of changes to the NCSC CIR Level 2 Technical Standard or scheme requirements. 

The assessment process will be concluded within 6 weeks of a completed submission, subject to any feedback and resubmissions.

The NCSC CIR Level 2 Technical Standard can be found here

Your team must have sufficient skills and experience to be able to offer all aspects of the Cyber Incident Response Level 2 service, as outlined in the NCSC CIR Level 2 Technical Standard. It is not necessary for one person to have all the skills required; the expectation is that in most cases the spread of skills and experience will be across a team of people. You will need to provide evidence that your staff have experience of offering response services at the appropriate size of organisation.

Importantly, your team will need a Team Lead who has relevant experience of cyber incident response. The team lead must either: 

• Have and be able to evidence at least two years’ experience as an Incident Responder and hold one of the following incident response certifications:
• GIAC Certified Incident Handler (GCIH)
• CREST Registered Intrusion Analyst (CR IA)
• eLearnSecurity Certified Digital Forensics Professional (ECDFP)
• EC-Council Certified Incident Handler (ECIH)

Or

• Have and be able to evidence at least three year’s experience as an Incident Responder