CREST, IASME and NCSC partner to launch new cyber exercise scheme
In a significant move to bolster the UK's cyber resilience, CREST and IASME have announced a collaborative partnership with the National Cyber Security Centre (NCSC) to roll out a new Cyber Incident Exercising (CIE) scheme. The initiative aims to assist organisations in identifying top-tier providers who can guide and support them in practising their cyber incident response plans effectively.
The importance of rehearsing a cyber incident response plan cannot be overstated. "While practice might not make perfect, it does build resilience," the partnership emphasised. Organisations that regularly test their incident response plans are better equipped to handle cyber attacks and can recover more swiftly compared to those that don't.
The CIE scheme will operate under the NCSC CIE Standard, and both CREST and IASME will oversee the assessment, onboarding, monitoring, and offboarding of providers assured under this scheme. "The organisations were selected for this role because they both meet the NCSC’s high standards and offer a choice for potential providers and different routes into the scheme," the press release stated.
Dr Emma Philpott MBE, CEO of IASME, expressed her enthusiasm for the partnership: "We are really looking forward to working with companies of all sizes and in all areas of the UK to deliver this important scheme. We feel strongly about ensuring that the scheme is accessible for smaller cyber security companies to become assured providers and we encourage you to contact us to discuss becoming a provider if this is something that interests you."
Rowland Johnson, President at CREST, also highlighted the critical nature of the scheme: "We are delighted to be helping deliver this important new scheme for the NCSC by assessing and onboarding Assured Service Providers. With rising cyber attacks on enterprises of all types, effective cyber incident response is one of the most important parts of building cyber resilience. This will give all organisations who want to test their incident response, access to Assured Service Providers who can support them."
The CIE scheme will offer two types of cyber exercises to organisations. The first is 'Table-Top': discussion-based sessions in which participants talk through their roles, responsibilities, and key decision points in relation to a pre-agreed scenario. The second is 'Live-Play': more in-depth sessions in which participants enact their roles and responsibilities in real-world cyber scenarios. These exercises are tailored to the organisation and occur in close to real time, offering a realistic simulation of a cyber event.
The scheme is designed to cover incidents that have a significant impact on a single client organisation and does not extend to incidents affecting multiple organisations or those categorised as Category 1 and Category 2 incidents under the UK’s Cyber Attack categorisation system.
The official launch of the new CIE scheme is slated for later this year, once the exercising providers have been assured and onboarded, making them ready to offer services. This partnership marks a significant step in the UK's ongoing efforts to fortify its cyber defences and resilience.