CREST, IASME to deliver UK NCSC’s Cyber Incident Exercising scheme

Cybersecurity membership body CREST and the Information Assurance for Small and Medium Enterprises (IASME) consortium are partnering with the UK National Cyber Security Centre (NCSC) to deliver its new Cyber Incident Exercising (CIE) scheme. The CIE scheme aims to help UK businesses find high-quality service providers that can advise and support them in practising cyber incident response plans.

Organisations wishing to join the CIE scheme will be assessed against the NCSC CIE Standard by CREST and IASME, who will manage the onboarding, monitoring, and offboarding of providers. The CIE scheme will launch fully later this year, with registrations now open for organisations to apply to become assured providers.

CIE scheme assures cyber incident response plan practice providers

The CIE scheme is for organisations providing tailored exercises for client organisations which already have cyber incident response plans in place. Service providers will be assured of two delivery methods, the NCSC wrote.

The first is tabletop exercises - discussion-based sessions where representatives from relevant teams meet to discuss their roles and responsibilities, expected activities, and key decision points in accordance with an incident response plan. Discussion is facilitated by the provider and driven by a prepared cyber incident scenario.

The second is live play exercises, where team members execute their roles and responsibilities in response to controlled injects which represent a given cyber incident scenario. Different participants will typically receive different sets of injects, while activities and decisions happen in close to real-time with the incident pace and timeline governed by an exercise controller. Live play exercises are best suited to mature organisations looking for in-depth validation of plans.

CIE standard covers incidents affecting a single organisation

The scope of the CIE standard covers exercises designed to simulate incidents which have a significant impact on a single client organisation. It does not cover incidents spanning multiple organisations or Category 1 and Category 2 incidents, as defined by the UK cyberattack categorisation system.

"We are really looking forward to working with companies of all sizes and in all areas of the UK to deliver this important scheme," said Dr Emma Philpott MBE, CEO of IASME. "We feel strongly about ensuring that the scheme is accessible for smaller cybersecurity companies to become assured providers."

With rising cyberattacks on enterprises of all types, effective cyber incident response is one of the most important parts of building cyber resilience, added Rowland Johnson, president of CREST.