NCSC Cyber Incident Response Level 2 Scheme

What is the NCSC CIR L2 scheme?

The NCSC recommends that all UK organisations should use an NCSC-assured Cyber Incident Response provider when dealing with cyber incidents. This includes, but is not limited to, businesses from small, local companies to large, multinational organisations, central and local government, and charities.

The NCSC assures Cyber Incident Response companies at two levels:

CIR Level 2 Assured Service Providers have been assessed as being capable of responding to the types of cyber attack likely to be faced by the majority of UK organisations.

CIR Level 1 Assured Service Providers have been assured to the same standard as Level 2 Providers, and further assessed as capable of providing incident response services to organisations which are likely to face targeted cyber attacks by nation state backed actors.

See the NCSC website for more information on the CIR Scheme.

How does my Company join the NCSC CIR L2 scheme?

Applications are open to companies regardless of their membership with CREST.

Applications are completed via the CREST Membership Application Portal and reviewed by CREST using criteria agreed with the NCSC.

You should familiarise yourself with the NCSC CIR L2 Technical Standard before starting the application process: https://www.ncsc.gov.uk/information/cir-l2-standard

If you are ready to start the process, please contact: [email protected]

How do I procure NCSC CIR L2 services?

To find an Assured Service Provider, you can:

NCSC Cyber Incident Response Level 2 Scheme FAQs

Who is eligible to join this scheme?

Companies operating with a registered office in the UK and incident response staff located physically within the UK.

Companies will also need to be able to deploy staff to all locations within the UK when requested to by a target organisation.

What do I get as a scheme member?

  • Membership of a select group of companies that have proven their capabilities against the NCSC CIR L2 Technical Standard
  • Exclusive use of the NCSC CIR L2 Assured Service Provider branding
  • Third party independent assurance of your competence against the NCSC CIR L2 Technical Standard
  • Your company promoted as an Assured Service Provider via the NCSC Website
  • Your company promoted as an Assured Service Provider via the CREST Website*
  • Invitation to NCSC CIR L2 Assured Service Provider Only Community Events
  • Incident Response insights from the NCSC
  • Opportunities to collaborate with industry peers and other incident response service providers
  • Scheme promotion and marketing, raising the profile and awareness of Assured Service Providers

*CREST Members will also be promoted via the CREST Find a Supplier functionality.

Who will use the services of the scheme?

Private sector organisations, charities, Local Authorities and smaller public sector organisations, and organisations which operate predominantly in the UK.

How much does the scheme cost?

For non-CREST members there is an annual cost of £1,200.00.*

For existing CREST members who hold the CREST CSIR accreditation, there is no additional cost to become a member of the scheme.

For existing CREST members who do not hold the CREST CSIR accreditation, there is a one-off application cost of £1,200.00.

*To help support an increase in capacity and capability, discounts are available to micro-businesses with an annual revenue of less than £500,000.00. If you think you are eligible for this, please contact [email protected] for more details.

Do I have to be a CREST Member to join the scheme?

No, CREST membership is not required to join the scheme.

What is CREST's role in the scheme?

CREST is a Delivery Partner operating the scheme on behalf of the NCSC.

How long does my Assured Service Provider status last?

Your Assured Service Provider status will last for 12 months and is renewed annually.

You will need to carry out a refresher renewal annually with a full renewal every 3 years.

Periodic reviews may also take place in the event of changes to the NCSC CIR L2 Technical Standard.

How long does the Assessment process take?

The assessment process will be concluded within 6 weeks of a completed submission, subject to any feedback and resubmissions.

What do I need to demonstrate for the assessment?

You will be asked to provide a response to questions designed to assess your company, employees and the governance around delivering Cyber Incident Response Services.

This includes elements such as, but not limited to:

  • Evidence of compliance to the NCSC CIR L2 Technical Standard
  • Company Details
  • Company Insurances
  • Policies and procedures related to HR and training
  • Information security management
  • Quality Management
  • Complaint handling
  • Governance around service delivery
  • Employee skill, knowledge, and experience

What is the NCSC CIR L2 Technical Standard?

The NCSC CIR L2 Technical Standard outlines the standard required of Assured Service Providers when delivering incident response services to Target Organisations.

References to the standard are contained within the application form, and therefore you should familiarise yourself with the content.

The NCSC CIR L2 Technical Standard is available on the NCSC Website: https://www.ncsc.gov.uk/information/cir-l2-standard

Does my team need any specific skills, experience, or certifications?

Your team will need a team lead who has an appropriate level of experience in leading Incident Response engagements.

Initially this will not be tied to a particular examination or certification, but instead a holistic review of the skills, experience, and competence of the individual via the CREST Skilled Person Register.

For example, the individual has five years’ worth of experience leading external incident response engagements.

We are an existing CREST member, how do we apply for the scheme?

Applications can be started using the CREST Membership Application Portal. Access to this is typically granted to the person who initially completed your application to join CREST.

If you are unsure of who this person is, please contact [email protected] for further guidance.

We are not an existing CREST member, how do we apply for the scheme?

Applications can be started using our online portal, known as the CREST Membership Application Portal. An account can be created for you to facilitate your application.

Please contact [email protected] to get started.

We are not an existing CREST member, can we join CREST as part of the process?

Yes, you can opt to join CREST as part of the process.

If successful, you will also be granted the CREST CSIR Accreditation in addition to Assured Service Provider status with the NCSC.

To find out more please contact [email protected]

How do I procure NCSC CIR L2 services, and check who is an assured provider?

You can view the CREST-approved Assured Service Providers here and learn more from each company’s profile: Assured Service Providers

You can also find a list of NCSC assured providers via the CIR scheme Find a provider page or the main Verify suppliers search on the NCSC website.