Regions icon
Membership icon
Certification icon

CREST Certified Incident Manager

CREST Certified Incident Manager

The National Cyber Security Strategy sets a strategic objective of making the UK more resilient to cyber attacks.  Such attacks can vary in terms of persistence, sophistication and impact.  In order to assist organisations with their response to a potential compromise, there is a twin track approach for the provision of certified Cyber Incident Response services.

A broad-based scheme focused on maintaining an appropriate standard for incident response, managed by an industry professional body, delivered by industry and endorsed by CESG and CPNI.  This scheme is currently administered by CREST and is known as the CREST Certified Incident Response Scheme (CSIR)
A small focused Government run Cyber Incident Response (CIR) scheme certified by CESG and CPNI. Industry partners deliver services that are focused on responding to sophisticated targeted cyber attacks against networks of national significance.

From August 2015, the UK Government will require that companies providing Cyber Incident Response services within the terms of the CESG/CPNI CIR scheme, have at least one qualified CREST Certified Incident Manager on their team.  The CIR scheme is certified by CESG and CPNI to deliver a focused service dealing with sophisticated, targeted attacks on networks of national significance.

The Cyber Security Incident Manager
An Incident Manager will determine the path an investigation should take based on considerable real world incident handling experience and the pertinent information currently available.  As greater information becomes available, it is their responsibility to continuously re-evaluate the situation and make any necessary changes from minor course corrections to a total change in direction if that is required.  To stay in control of a rapidly changing situation requires strong leadership and interpersonal skills as well as sufficient technical capabilities to understand reports and findings being presented back from other team members.  It is also the responsibility of the Incident Manager to determine what additional skills need to be brought in to the team to ensure the response programme runs effectively and efficiently.  The Incident Manager will be the key point of contact with the client organisation and possibly third parties such as regulators, government or media organisations – as such they will need the ability to stay calm and focussed while distilling the key facts of the engagement to explain both to board level and technical customer within the client organisation.

An Incident Manager will be responsible for leading and presenting all elements of the Incident Response project lifecycle including identification, containment and eradication.  They will need to be aware of any relevant legal and regulatory matters.

An Incident Manager’s role is expected to be fulfilled by highly experienced personnel who have spent considerable time working on incident response engagements.  It is likely that many will have previously (or may still be) practitioners in one of the technical disciplines associated within incident response, however this is not a mandatory prerequisite.  It is, however, essential that those in this role have sufficiently strong and broad technical skills to be able to play a key part in understanding the details of the incident in order to make accurate, informed decisions at both the strategic and technical team lead levels.

The CREST Certified Incident Manager (CCIM) Examination
The (CCIM) examination tests a candidates’ knowledge across a range of areas wider than traditional intrusion analysis including conventional incident response technical tasks and also a wide range of general technology areas to ensure they are competent to assess and handle a range of potential incident scenarios.  The detail in these areas is high level but broad with “an awareness of” being a good description of the level of detail required.  The Syllabus for the CCIM examination is available from the link below and specifically, Appendix G focusses in detail on the core response manager skills that will be assessed.  The level of detail required here is greater as this is assumed to be the core domain of knowledge for an incident manager.  Particular emphasis is placed on the following skill sets:

  • Client management
  • Containment techniques
  • Project management and time management
  • Evidence handling
  • Communications
  • Recovery and remediation
  • On-going technical prevention
  • Judgement making and critical reasoning
  • Written skills
  • Third Parties
  • Reporting Agencies
  • Threat intelligence, Contextualisation Attribution and Motivation
  • Industry Best Practice
  • Risk Analysis
  • Attack & compromise lifecycle
  • Legal and Jurisdictional Issues
  • Ethics
  • Technical vulnerability root cause identification
  • Physical threats
  • Insider attacks

Examination Format
The CCIM examination has two components:

  • multiple choice
  • written, comprising a selection of long form and scenario based questions that require detailed answers

To pass the exam, the candidate must pass both sections.  If a candidate fails an element, the entire examination must be retaken.

The examination is delivered in two parts (see Notes for Candidates) with Part 1 taken first and Part 2 must be taken within three months of Part 1.

You can download the following documents from the links below:

Syllabus for CCIM Examination
Notes for Candidates to aid examination preparation


For costs and availability please refer to individual country booking.  The examination is delivered at Pearson Vue centres.

Recommended Preparation Material
The CREST Assessors panel regularly identifies common themes and consolidates common questions and answers from candidates and from the industry in relation to the CREST certification examinations. Candidates are advised to familiarise themselves with these, although they are free to disregard them if they wish. The latest information can be accessed at Examination FAQs (

The following material and media has been cited as helpful preparation for this examination by previous candidates:


Case Studies:

Useful Information for Candidates
How to book
Details of the Logistics and Timings of CREST examinations can be found in the Examination Preparation pages for your country of choice
CREST’s Policy for Candidates requiring special arrangements including additional time to accommodate a medical condition (including examinations delivered via Pearson Vue)
Terms and Conditions for CREST Examinations (includes hard disk drive wiping policy)