
Cyber incident response exercise (CIRE)

Our cyber incident response exercises have been created to complement and build upon the National Cyber Security Centre (NCSC) exercise-in-a-box service.

About the exercises

The incident response scenarios aim to develop and test understanding of how incident response should be carried out in a health and social care setting and context. 

The incident response exercise framework is structured to allow the continual development and release of new scenarios and to provide support materials that will keep you up-to-date with changes and updates to central health and social care cyber security best practice.

Cyber incident response and management is a complex subject. Each scenario is designed to focus on particular elements of incident response and will therefore be suited to different training audiences. 

New scenarios will be added to continually expand and enrich the exercise packages. Future scenarios will be guided by your feedback, and the evolving cyber landscape in the health and social care setting.

If there are particular topic areas you would like covered, please submit a request or include them in the end-of-exercise feedback slide.


Benefits




About the materials

About the CIRE toolkit

This Cyber Incident Response Exercise (CIRE) toolkit is designed for regional and local organisations to plan and deliver cyber incident response exercises with ease.

The CIRE toolkit provides tips on how to select, plan and run the ready-made CIRE scenarios.

What's included in the toolkit

A step-by-step guide on how to choose a scenario, prepare for the exercise day, and conduct the exercise.

Document templates and injects to reduce preparation times.

Built-in customisations that allow for flexibility and interactivity.

Who it is for

Local and regional stakeholders such as primary care organisations, acute (hospital) trusts, mental health trusts, community trusts, ambulance trusts, social care, and Integrated Care Boards (ICBs).

The scenarios have been tagged to make it easy for you to know which scenario to choose.


Scenario library

1. Hacked
Organisation type: NHS trust
Learning objectives:
Evaluate internal escalation processes and communication strategies
Target audience: Technical managers and EPRR staff
Additional stakeholders: SIRO, IT, and cyber security
Suggested duration: 1.5 to 2 hours

2. Truth for All
Organisation type: NHS trust
Learning objectives:
Assess the efficiency of phishing attack identification and response
Understand core principles of cyber preparedness
Identify areas for improving preparedness and response efforts
Target audience: Technical managers and EPRR staff
Additional stakeholders: SIRO and IT/security staff
Suggested duration: 1.5 to 2 hours

3. Data for Sale
Organisation type: NHS trust
Learning objectives:
Test incident management, escalation, and reporting processes
Validate communication strategies in a cyber incident
Target audience: Technical managers, EPRR, communications
Additional stakeholders: SIRO and IT/security staff
Suggested duration: 1.5 to 2 hours

4. The Insider
Organisation type: GP practice
Learning objectives:
Examine internal incident management processes with a focus on immediate actions
Strengthen engagement with external organisations during a cyber incident
Target audience: Technical and non-technical staff, including IT, and cyber security
Suggested duration: 1.5 to 2 hours

5. Coordination Crisis
Organisation type: Integrated Care Board (ICB), acute trust, ambulance service
Learning objectives:
Assess an ICB’s ability to coordinate a major crisis while managing its own cyber-attack
Evaluate the resilience of business continuity plans and the effectiveness of crisis communications
Target audience: All members of the ICB, particularly those that would need to make decisions around the actions of the organisation.
Suggested duration: 2 to 3 hours

6. Pathologica
Organisation type: Integrated Care System (ICS)
Learning objectives:
Analyse the overall response to a critical pathology service supplier impacted by a cyber incident.
Strengthen collaboration within the ICS to ensure continued patient service delivery while managing a coordinated response.
Target audience: SIROs, clinical safety leads, EPRR, cyber, IT, IG SMEs, and communications teams.
Suggested duration: 2 to 3 hours

7. Ambulance
Organisation type: Ambulance service
Learning objectives:
Test incident response and recovery strategies within an ambulance service.
Examine response effectiveness when critical suppliers experience a significant cyber incident.
Target audience: Ambulance service employees, including SIROs, clinical safety leads, EPRR, cyber, IT and IG SMEs, communications teams
Suggested duration: 3 to 3.5 hours

8. Health Tech
Organisation type: Integrated Care System (ICS), NHS trust
Learning objectives:
Evaluate the local system's function during a cyber incident affecting the entire ICS and assess coordination between organisations
Assess governance, escalation, control, and coordination to ensure patient safety and service continuity across the ICS
Target audience: SIROs, clinical safety, EPRR, cyber, IT and IG SMEs, communications teams and others
Suggested duration: 3 to 4 hours

9. Print Crisis
Organisation type: NHS acute trust
Learning objectives:
Examine internal communication and escalation pathways between IT, Cyber, EPRR, and Clinical teams
Test the implementation of alternative workflows during a cyber disruption
Analyse leadership decision-making in risk mitigation and resource allocation
Target audience: EPRR, cyber security, IT, administrative staff, operations, clinical, communications, social care
Suggested duration: 1 to 2 hours

10. Broken Link
Organisation type: NHS trust
Learning objectives:
Recognise early signs of cyber threats and determine appropriate escalation actions
Identify opportunities to enhance collaboration with national remediation efforts
Validate the effectiveness of reporting and mitigation steps for data loss risks
Target audience: EPRR, cyber security, IT, procurement, clinical teams, data protection, operational leadership, communications, social care
Suggested duration: 1 to 2 hours

11. Locked Out
Organisation type: NHS trust
Learning objectives:
Assess coordination with NHSE and CSOC to identify areas for improving collaboration with national remediation efforts
Evaluate GDPR and regulatory compliance by testing the effectiveness of data loss reporting and mitigation steps
Target audience: EPRR, cyber security, IT, procurement, clinical teams, data protection, operational leadership, communications, social care
Suggested duration: 2 to 3 hours

 


Complete the form

Complete this form to be sent the scenario of your choice.


How this service aligns with the Cyber Assessment Framework

This service aligns with the following principles and outcomes of the Cyber Assessment Framework (CAF).

Objective A: Managing security risk

A1.b Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks

A2.a Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.

A2.b You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.

A4.a The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

Objective B: Defending systems against cyber attack

B1.a You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.

B1.b You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

B3.a You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions.

B3.d You have protected data important to the operation of the essential function on mobile devices.

B4.a You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.

B5.a You are prepared to restore the operation of your essential function following adverse impact.

B6.a Cyber Security culture.

B6.b The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.

Objective C: Detecting cyber security events

C1.d You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.

C1.e Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect.

Objective D: Minimising the impact of cyber security incidents

D1.a You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function and covers a range of incident scenarios.

D1.b You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions.

D1.c Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.

D2.b Your organisation uses lessons learned from incidents to improve your security measures.

Last edited: 8 April 2026 2:59 pm