World-Class Cybersecurity Training Services

NCSC Assured Building and Optimising Incident Response Playbooks

Learn to Create NIST Compatible Incident Response Playbooks  



The NCSC Assured Training in Building & Optimising Incident Response Playbooks

This NCSC Assured Training, Building and Optimising Incident Response Playbooks, teaches you how to create NIST SP 800-61 R2 and NIST CSF compatible incident response playbooks to respond to a variety of simple and complex cyber-attacks and data breaches.

Unlike a traditional crisis like an earthquake or flood, a cyber-crisis is often invisible and near impossible to detect in the early stages. In a majority of cyber-attacks, by the time a business detects the attack, it is often too late. The data has been stolen, the media knows about your data breach and your customers are worried their personal data may be in the hands of criminals.



Target audience for the Playbooks Training Course

  • IT Technicians
  • Level 1, Level 2, IT Support
  • Network Engineers
  • Windows, Unix and Mac Engineers
  • SOC Analysts (All Levels)
  • IT Managers, Network Managers
  • Service Managers
  • BCP Managers
  • CISOs / Heads of IT security
  • Risk Managers
  • Heads of IT
  • Change Managers


Benefits of this NCSC Assured Training

Why do you need the Incident Response Playbooks Training?

In today's digital ecosystem, where cyber threats loom at every corner, the question isn't if, but when an incident will occur. To preserve your business continuity, reputation and bottom line when that happens, it is critical to have a strategic framework that outlines the procedures you should follow in the wake of a cybersecurity incident. Our NCSC Assured Training helps you understand what you need to keep and what needs to be left out of your Cyber Incident Response Playbook. Created by the world's leading cybersecurity practitioner, this training distills years of experience of handling cyber-attacks on the frontline to show you how best to respond to and recover from an incident.


Learn to create Incident Response Playbooks that are compatible with NIST guidance and will actually be effective in a real attack situation.

Get access to immediately-usable Playbooks template and other usable collateral to enhance your readiness against cyber-attacks.

Optimise your existing Incident Response playbooks and improve your speed to respond to and recover from cyber-attacks.

Achieve better legal and regulatory compliance & prepare for geographical data breach notification requirements.

Highlights of the Incident Response Playbooks Training Course

12 Modules of Rich Content Dedicated to Incident Response Playbooks

Highly Interactive Course with Multiple Exercises Ensuring Maximum Learning

Unmatched Bonus Content including Templates, Workflows & more

Personal & Organisational Benefits of the NCSC Assured Incident Response Playbooks Training

The Playbooks Training course offers several benefits to individuals who wish to upskill themselves and stay abreast with the most relevant skills usable in the current threat landscape. When run internally, the NCSC Assured Training in Building & Optimising Incident Response Playbooks (Playbooks) workshop brings significant benefits to an organisation. The playbooks training is also available as an eLearning (also called Self-paced Learning) option and as a virtual classroom training. For the virtual training we use Zoom. 

Individual Benefits

  • Learn to create basic and advanced cyber incident response playbooks.
  • Analyse, improve and optimise existing incident response procedures.
  • Create effective attack scenarios with supporting response playbooks.
  • Run effective cyber incident response workshops to support continuous improvement in cyber resilience processes and procedures.
  • Understand the role of SOAR (Security Orchestration and Response) and the tools that you can use to implement SOAR.

Organisational Benefits

  • Significantly improve your organisation's speed of response to cyber-attacks.
  • Achieve better legal and regulatory compliance and meet respective geographical breach notification requirements.
  • When held internally, we conduct a consultative review of your existing response processes, procedures and playbooks.
  • Ensure continuity and consistency in both your technical and managerial responses during a regular incident or a cyber crisis.
  • Learn to identify, address, and recover from cybersecurity threats, minimising operational disruption and potential losses.


Continuing Professional Development

  • (ISC)2 members can claim 8 CPE points after they complete the whole course and obtain the attendance certification.
  • ISACA members can claim 8 CPE points after they complete the whole course and obtain the attendance certification.


Testing Playbooks with Cyber Tabletop Exercises

You can combine the Internal Playbooks training with our Cyber Crisis Tabletop Exercise workshop to formally test your playbooks in a simulated cyber-attack environment. You can find more information on the different types of Cyber Crisis Tabletop Exercises we conduct here: 

1. Executive Tabletop Exercises
2. Operational Tabletop Exercises
3. Technical Tabletop Exercises 

Incident Response Playbooks Course Modules

Module 1 - Case Study


This module dives straight in with a case study on the importance of incident response playbooks. Those who are non-technical will find that attending our NCSC Assured Training in CIPR establishes the core concepts on which this playbooks course is built.

Module 2 - The Basics


This section introduces the core concepts of playbooks, the types of playbooks you need and takes you through the different purposes of playbooks.

Services include:

  • Review of Cyber Policies & Processes (Documentation set)
  • Review of Cyber Procedures
  • Gap Assessment (Request & review of evidences to ensure compliance to policies & processes)
  • ISO 27001 maintenance/framework review (Training, Risk monitoring & treatment plans, Management review meeting records, Internal audits, etc.)


Module 3 - Key Design Components


This module further builds on Module 2 and introduces the student to key concepts of not just playbooks but the primary constituents of a good incident analyst. There is a substantial link between an analyst and playbooks and to create and use playbooks effectively you need to understand the basics.

Module 4 - Designing Playbooks


Building on the NIST SP 800-61 R2 Computer Security Incident Handling Guide, we take the student through an in-depth understanding of the four phases of the Incident Response Lifecycle, their relationships to each other and the relationship of this concept to creating effective and fit-for-purpose incident response playbooks.

Module 5 - Analyse for Context


This module introduces the importance of context in incident response and the importance of good analysis skills that help build context. This section goes through several exercises to help you understand what context is and how to use it in playbooks.

Module 6 - Triggers


Staying with the importance of context and building on this important topic, we cover the relevance of triggers in playbooks. Put simply, a bad trigger almost always equals a terrible playbook. 

Module 7 - Participants & Stakeholders


'Whom are you going to call' during an attack? Even for the most prepared, there are moments when you wonder: who is it we need to call? Or who can authorise this action? It seems simple, but there is a method and approach to getting this right and yes, you have to plan ahead.

Module 8 - Automation


This module breaks down the topic of automation in incident response and playbooks and dives deeper into the concepts of automation, the reasons for it and examples of its implementation. This section also gives examples of how automation can be used as a force for staff retention and motivation. In addition, the student is shown a structured approach to automating actions before, during and after a cyber attack.

Module 9 - Creating Scenarios


This module goes into significant detail on how to plan and create cyber attack scenarios.

Module 10 - Testing your Playbooks


This module covers how incident response playbooks should be tested for efficacy. This module, too, relies upon the use of relevant cyber-attack scenarios.  

Module 11 - Technological Solutions


A short module on the importance and role of technology in incident response playbooks. We also show you how you can create effective IR checklists without the need for specific technologies.

Module 12 - Creating Playbooks


Bringing all the knowledge from previous modules together, we go into detail on how to actually design and create playbooks. We use threat intelligence to create our first comprehensive playbook and examine various components of the playbook.  

Feedback & Testimonials

Listen to what our past attendees have to say about the Playbooks Workshop

"This was a very helpful day and opportunity to speak with a number of operational incident responders to discuss what really works in practice and not just in theory. I gained a great deal from the day, particularly around the construction of bespoke playbooks and also a variety of useful resources to inform my learning. A really good day."

Andrew Lock, Information Security Consultant  



"The playbooks training course was a good 'part-2' to the CIPR and went into greater depth in a number of areas. The day was fun and Amar kept us moving along at a good pace."

Kevin Hayes, CISO, Cyber Risk Associates

"Enjoyed the course. Good mix of attendees and plenty of lively conversation. Amar steered us through it all admirably."

Russ Smith

"Overall the course was very good. I would strongly recommend this training to anyone who is involved in Cyber Security or has control of information assets."

Kim Rose, Information Governance Officer, Wye Valley NHS Trust

"It was a great workshop with a lot of interesting people and a great learning experience."

Philipp Scheiwiler, System Engineer

About the NCSC - National Cyber Security Centre

Launched in October 2016, the NCSC or National Cyber Security Centre is headquartered in London and brings together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure.

The NCSC Assured training is designed to assure high-quality training courses delivered by experienced training providers. The courses are assessed at two levels, namely, awareness and application.


This course has been certified for the application level of incident response in the areas of Risk Assessment, Business Continuity Planning and Incident Management. The Application level is for anyone looking for in-depth courses for their professional development.


The Chartered Institute of Information Security (CIISec) is the only pure-play information security institution to have been granted Royal Charter status and is dedicated to raising the standard of professionalism in information security. CIISec represents professionalism, integrity and excellence within the information and cybersecurity sector.

The NCSC Assured Training and the Chartered Institute of Information Security's (CIISec) accreditation enables organisations to distinguish between reputable courses and ones that have not been validated using a Government-endorsed assessment process.


Meet the Trainer 

Amar Singh has a long history and experience in data privacy and information security. Amar has served as CISO for various companies, including News International (now News UK), SABMiller, Gala Coral, Euromoney and Elsevier. Amongst various other activities, Amar is a Global Chief Information Security Officer and Trusted Advisor to a number of organisations including a FTSE100 firm, and is chair of the ISACA UK Security Advisory Group. He also founded the not-for-profit cybersecurity service for charities, Give01Day.


Amar has the highest integrity and is trusted by FTSE100 companies with some of the most sensitive commercial information. He has been involved with highly sensitive forensic investigations.

He has the ability to deal with both technically-astute, board-level executives and lead an organisation's information security direction. Apart from his experience and abilities, Amar holds a number of industry-recognised certifications, such as ISO 27001 Certified ISMS Lead Implementer, MoR, CRISC and CISSP certification.

Amar is an industry-acknowledged expert and public speaker and is regularly invited to speak and share his insights by some of the largest and most respected organisations in the world including The BBC, The Economist’s Intelligence Unit, The Financial Times, SC Magazine, InfoSec Magazine, Computer Weekly, The Register and the Al Jazeera English Channel.


Why not book a discovery call to discuss your requirements?

Want more information on the NCSC Assured Building & Optimising Incident Response Playbooks Training? Book a no-obligation discovery call with one of our consultants. 

Let us show you why our clients trust us and love working with us.
All trademarks, service marks, trade names, product names, service names and logos appearing on the site, or on printed or digital material are the property of their respective owners, including in Cyber Management Alliance Ltd. Any rights not expressly granted herein are reserved.

The information on this page and related pages and documents is Copyright of Cyber Management Alliance Ltd. The VCA or Virtual Cyber Assistant term, other terms, information, concepts, ideas, workflows, processes, procedures and other content that directly or indirectly supports the VCA Service are Copyright of Cyber Management Alliance Ltd. Copyright 2022.