NCSC Cyber Incident Exercising scheme looks to fine-tune incident response

NCSC logo superimposed with a translucent background in front of an office building
(Image credit: Getty Images)

The National Cyber Security Centre (NCSC) has launched its new Cyber Incident Exercising scheme, with the aim of helping organizations to carry out cyber incident response exercises. 

First announced in August 2023, the scheme involves cyber security not-for-profit CREST and certification organization IASME as the delivery partners for the scheme, managing assessments and bringing the assured exercising service providers on board.

"In some respects, there is no difference between our delivery partners – both will adhere to the NCSC’s strict standards for assessing technical and organizational capability," said Catherine H, NCSC's head of assured professional services schemes, industry assurance.

"However, the model each is using for the processes of onboarding, ongoing management and off-boarding of suppliers is different. Having two delivery partners means potential providers have two routes to apply for membership of the CIR Level 2 scheme and can choose whichever is best for their business."

Inside the NCSC Cyber Incident Exercising scheme

The NCSC Cyber Incident Exercising scheme gives organizations access to approved service providers that will create bespoke, structured table-top or live-play cyber incident exercises. 

It's designed to complement the NCSC’s free Exercise in A Box tool, which allows organizations to test their incident response against a host of generic cyber incident scenarios.

"I’ve often said the first time you try out your cyber incident response plan shouldn’t be on the day you are attacked. So, if you do only one thing on a regular basis, incident exercising should be it," said NCSC director of operations Paul Chichester.

"Exercising in a safe and supportive environment will allow all the relevant teams and individuals to properly understand their roles and maximize their effectiveness during an incident. In turn this will help to minimize harm and improve the resilience of both individual organizations and the UK as a whole."

However, the scheme doesn't cover category 1 and category 2 incidents, as defined by the UK cyber incident categorization system.

Category 1 incidents are national cyber emergencies causing sustained disruption to the UK’s public services or affecting national security, and leading to severe economic and social impacts or deaths.


Red whitepaper cover with title and logo above circular images of colleagues using laptops, and servers

(Image credit: Trend Micro)

Discover how you can protect your business from potential attacks


Meanwhile, Category 2 incidents are those with a 'serious impact' on central government, essential public services, a large proportion of the population, or the economy. In both these cases, there would be a coordinated government response.

Instead, the scheme is designed to simulate incidents that have a significant impact on a single client organization.

According to IASME, the scheme is primarily aimed at private sector organizations, charities, local authorities, and smaller public sector organizations which operate in the UK.

Companies can access services through a portal of approved providers, the NCSC said.

"We are determined that companies of any size can apply to join any of our schemes. We particularly welcome companies located in or serving geographically remote or under-represented areas," the NCSC said.

"Similarly, if your company is working hard to address issues of under-representation in the cyber security workforce, we’d love to see your application."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.