National Cyber Security Centre
The NCSC's Cyber Incident Response scheme has earned a reputable status for its role in aiding organisations grappling with cyber attacks. Carl Court/Getty Images

The National Cyber Security Centre (NCSC) has unveiled a significant update to its established Cyber Incident Response (CIR) scheme today, introducing a new tiered system aimed at providing enhanced incident response services to a broader range of organisations across the United Kingdom.

Effective immediately, companies approved to offer CIR services will be categorised as either Level 1 or Level 2 providers. This strategic alteration is expected to facilitate an increased number of companies in delivering top-notch incident response services to a wider spectrum of victim organisations situated throughout the UK.

The NCSC's Cyber Incident Response scheme has earned a reputable status for its role in aiding organisations grappling with cyber attacks. It functions by aiding these associations in identifying trustworthy providers of commercial incident response services. These approved companies extend valuable support to organisations in their efforts to investigate, recuperate from cyber attacks and offer insights on fortifying their defences against future threats.

Historically, the CIR scheme has concentrated on endorsing companies capable of delivering incident response services to institutions operating networks deemed nationally significant, such as central government bodies, critical national infrastructure (CNI) entities and regulated industries. This emphasis was prompted by the heightened risk of intricate, targeted attacks instigated by nation-state actors that these organisations typically face.

Level 1 Assured Service Providers within the new framework are equipped to manage a wide spectrum of cyber incidents for all types of institutions. The NCSC particularly encourages entities operating networks of national importance to engage with a Level 1 service provider in the event of a cyber attack. This recommendation is especially pertinent in cases of suspected highly sophisticated attacks.

Level 2 companies, on the other hand, have been evaluated to possess the competence necessary to aid most organisations in the face of common cyber attacks like ransomware. This category encompasses private sector firms outside of CNI sectors, charitable institutions, local government bodies and smaller public sector institutions.

Discussing the revamped scheme, Chris Ensor, Deputy Director of Cyber Growth at the NCSC, expressed his contentment, saying: "Falling victim to a cyber attack is really stressful. Finding someone with the skills and knowledge to help can also be hard, if, like many, you are not familiar with the cyber security world..."

Ensor continued: "I am really pleased that we can now assure a similar service for any organizations affected by criminal threat actors, a service that will be good enough for the majority of incidents that smaller organisations face. The NCSC badge will give confidence that the company they use has the right expertise to help them."

Understanding the NCSC Assured Cyber Incident Response Scheme

The NCSC's Assured Cyber Incident Response (CIR) scheme serves as a hallmark of quality assurance for cyber incident response services. Companies endorsed by the NCSC through this scheme provide invaluable assistance to organisations that have fallen prey to cyber-attacks.

Cyber attacks, manifesting as denial of service, malware, ransomware, or phishing attacks, are defined by the NCSC as unauthorised access or attempted access to a system with the intent to breach its security policy and impact its integrity or availability.

The framework operates by subjecting scheme members, referred to as CIR Assured Service Providers (ASP), to assessments validating their capacity to deliver incident response services aligned with the NCSC's rigorous CIR Technical Standards. These CIR Assured Service Providers then extend support to organisations grappling with cyber incidents, encompassing the investigation of the incident and the provision of recommendations to thwart future occurrences.

In the event of a cyber attack, the NCSC suggests referring to GOV.UK to determine the appropriate reporting procedure. Additionally, organisations can consult the Find an Assured CIR Provider section to identify a CIR company capable of aiding in the recovery process.

Scope of the Scheme

The NCSC advises all organisations in the UK to engage with a CIR Assured Service Provider when addressing cyber incidents. The CIR scheme features two levels, CIR Level 1 and CIR Level 2, each characterised by its distinct Technical Standard.

CIR Level 1 is geared towards organisations that are at risk of complex and targeted cyber attacks. Entities that fall within this category are likely to meet one or more of the following criteria:

  • Form part of the UK central government
  • Partake in Critical National Infrastructure (CNI)
  • Operate within regulated sectors
  • Have a presence across multiple countries
  • Face heightened risk from nation-state-backed attackers

All Level 1 Assured Service Providers possess the capacity to manage various types of cyber incidents across different types of organisations.

Meanwhile, CIR Level 2 addresses organisations that are more susceptible to common cyber attacks. This encompasses a broad spectrum of entities including private sector businesses, charitable organisations, local government bodies and smaller public sector institutions.

Read more