Charlie looks at the difference between cyber incident management and cyber incident response, and the different sets of issues each of the two teams has to deal with.

This week, I thought I would write a short technical bulletin. Many people use the terms cyber incident management and cyber incident response interchangeably, but they each have a very different meaning and deal with a different set of issues.

Cyber Incident Management

Cyber incident management looks holistically at the response to a cyber incident and covers the following:

  1. The reputational response to the incident
  2. Crisis Management
  3. Overall communications strategy
  4. Communicating with stakeholders
  5. Communicating with regulators and statutory notifications, including the Information Commissioner’s Office
  6. Recovery prioritisations
  7. Reassurance of interested parties
  8. Continuity of operations and delivery of service
  9. Making key decisions

These are usually carried out by the organisation’s Crisis Management / Strategic Team.

Cyber Incident Response

Cyber incident response looks at the technical recovery after a cyber incident and may be implemented following the NIST or CREST incident response frameworks. It covers the following:

  1. Identification of the incident and analysing what has happened
  2. Conducting triage of systems
  3. Incident containment
  4. Investigation and determining the threat
  5. Working with third-party specialists
  6. Gathering and preserving evidence
  7. Forensics
  8. Eradicating the cause of the incident
  9. Recovery of systems, data and connectivity

These are usually carried out by the organisation’s Computer Incident Response Team (CIRT).
