Cyber Incident Response Internal Workshop

Business Processes, Operational Strategies & Best Practices for Responding to a Data Breach

We have trained over 750 organizations including:

"Only 10% of organisations have an Incident Response Plan." - GCHQ

Non-technical workshop on how to respond to a data breach or cyber-attack

Workshop delivered by a FTSE 100 CISO with over 15 years of experience

Delivered globally to over 100 organisations including UK Police Forces

Cyber Management Alliance is a UK-registered cybersecurity training provider and trusted advisor to private and public sector organisations.

Cyber Management Alliance (CM-Alliance) provides its clients with a broad portfolio of strategic and operational cybersecurity services including the NCSC-Certified Cyber Incident Planning & Response (CIPR) Breach Readiness Programme.

The key focus of the CIPR Programme is to enable clients:

  • To be compliant with new breach regulations like the GDPR by enhancing their cyber resilience posture and reducing their risk exposure. 
  • By supporting, developing and assisting management in ensuring that the business can swiftly respond to and resume its operations during and after a cyber-attack.
  • To embrace a best-practice, standards-based approach to managing (monitoring, detecting, responding to, containing) a cyber-attack.

Throughout this programme, we work with all stakeholders in the business to create and adopt a set of strategies, policies and technologies to ensure that the organisation is aligned and compliant with the GDPR’s breach notification requirements.

NCSC-Certified Cyber Incident Planning & Response Workshop

Is your organisation prepared to respond to a data breach?

By including a Cyber Incident Response Plan in your GDPR preparation road-map, you will demonstrate to the regulators that you have the policies, procedures and planning in place to swiftly respond to a data breach or cyber-attack.

This two-day workshop will enable you to prepare a defined and managed approach when responding to a data breach or cyber-attack of an information asset. The content is intended for senior management and business executives who wish to gain a better understanding of incident response or who are responsible for helping organisations plan and prepare for potential cyber threats, and effectively deal with actual cyber-attacks. This is not a technical course, therefore, there are no prerequisites.

This cybersecurity training course provides senior management and incident response teams with the vital processes, knowledge and skills to lead and manage a cyber crisis. The course is designed for senior management involved in responding to a cyber or data breach  across an organisation, including staff involved in:

  • Strategic and operational decision-making.
  • Information security.
  • Enterprise risk management.
  • Audit & Compliance.
  • Business continuity.
  • Service management.
  • Human Resource management. 

 This training is available as a one-day public course or a two-day internal workshop. 




New Call-to-action 

NCSC Certified Training B&W 300px


About the NCSC - National Cyber Security Centre

Launched in October 2016, the NCSC or National Cyber Security Centre is headquartered in London and brings together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure.

The NCSC-Certified training is designed to assure high-quality training courses delivered by experienced training providers. The courses are assessed at two levels, namely, awareness and application.

This course has been certified for the application level of incident response in the areas of Risk Assessment, Business Continuity Planning and Incident Management. The Application level is for anyone looking for in-depth courses for their professional development.


The Chartered Institute of Information Security (CIISec) is the only pure-play information security institution to have been granted Royal Charter status and is dedicated to raising the standard of professionalism in information security. CIISec represents professionalism, integrity and excellence within the information and cybersecurity sector.

The NCSC-Certified Training and the Chartered Institute of Information Security's (CIISec) accreditation enables organisations to distinguish between reputable courses and ones that have not been validated using a Government-endorsed assessment process.

"Excellent workshop with a lot of good hints, not only for security staff, but also for management in order to understand the nature of attacks and the mitigation of vulnerabilities in order to reduce the impact during an incident.
Thank you for this excellent workshop. The expectation was exceeded, especially the examples from incidents and hits."
- UBS Card Centre, Switzerland

Continuing Professional Development

  • CPD points can be claimed for this course at the rate of 1 point per hour of training for this NCSC-certified and CIISec-approved course (8 points for one-day public course and 15 points for the two-day internal workshop).
  •  (ISC)2 members can claim 8 CPE points after they complete the whole course and obtain the attendance certification.
  • ISACA members can claim 8 CPE points after they complete the whole course and obtain the attendance certification.



A summary of what delegates will learn in the CIPR course: 
(Scroll down for details on individual modules)

  • The latest techniques and insights on incident response.
  • Threat Intelligence-led testing and response framework adopted by leading governments and institutions.
  • How to use threat intelligence to lower organisation risk and speed up response times.
  • The Cyber Kill Chain (the cyber-attack process) and how to design an early warning system to lower discovery time from months to days.
  • How to create actionable, fit-for-purpose plans, checklists and processes.
  • How to define and baseline “Normal” within your organisation.
  • Understand "Normal" and how it can help reduce your time to respond to and reduce human error.
  • The best methods to stop up to 90% of all cyber-attackers in their tracks, before they breach your critical data.
  • How to design and implement a response framework and build an effective cyber response team.
  • The “Golden Hour” and why it’s critical to managing an incident.
  • The core concepts of incident triage, OODA and their relevance and importance in a cyber resilient organisation.

Directly download the complete Learning Objectives PDF of the NCSC-Certified Course here.

Benefits of arranging an internal exclusive private workshop include, but not limited to:

  1. Organisation context & organisation specific exercises.
  2. Define the threat actors and create a threat actor library specific to your organisation.
  3. Defining Normal - understanding your organisation's baseline.
  4. Define / improve alerts for your analysts.
  5. Assess and improve your organisations triage capabilities.
  6. Organisation specific Attack Scenarios.
  7. Detection & Response Strategies.
  8. Technology stack review & assessment of integration into SoC & monitoring technologies.
  9. High level review of your monitoring and log management.
  10. Review your PR & communication templates & internal communications approach.
  11. Review and improve the team and organisational structure of IR teams and CSIM (cybersecurity incident management) teams.
  12. High level review of incident response breach preparedness.
  13. Understand areas of improvement of your organisation’s incident response plans.
  14. Baselines cyber resilience awareness across the business.
  15. Become more compliant with data breach response regulations by creating fit-for-purpose data breach response plans.
  16. Achieve tangible reductions in detection and response times to cyber-attacks that could lead to better managed and lower data breach compensations.
  17. Improve inter-department communication and interaction before and during an incident (This is especially true when organisations host the CIPR workshop internally, over 2 days).
  18. Streamline and optimising technology investments with the possibility of tangible savings across multiple technology sets.
  19. Achieve more productive and efficient staff with increased motivation and better learning and career development.
  20. Throughout the duration of the workshop all attendees have a aim to create an improvement action plan to further develop the operational strategies, processes and plans post the workshop. 

Delegates will learn and understand:

  • The latest techniques and insights on incident response.
  • Threat Intelligence-led testing and response framework adopted by leading governments and institutions.
  • Deep-dive into the Cyber Kill Chain and design an early warning system to lower discovery time from months to days.
  • How to create actionable plans, checklists, playbooks and processes.
  • How to define and baseline “normal” within the organisation.
  • How to stop up to 90% of all cyber attackers in their tracks and before they breach the organisation's critical data.
  • How to design and implement a response framework and build an effective cyber response team.
  • The secrets of managing TV reporters and media journalists.
  • The “Golden Hour” and why it’s critical to managing an incident.
  • Basic application of incident Triage, OODA and the Diamond Methodology.
  • How to analyse recent attacks and how these attacks avoided detection.
  • Security Incident Orchestration and how it can help reduce your time to respond and reduce human error.
  • How to automate critical incident response tasks to increase employee efficiency.
  • How to run effective table-top exercises with management and technical teams.
  • How to assess their organisation's breach readiness.

Cyber Incident Planning & Response Brochure Download


Templates, Worksheets, Checklists and other takeaways

All online and public students receive numerous takeaways including immediately usable cyber response checklists, templates like cyber response plans and workflows that you can put to use in your organisation immediately. 

CIPR Documents Image

  New Call-to-action

Workshop Course Modules & Exercises

Interactive Exercises and Collateral
  • Mind map: Comprehensive exercise on planning for a Cyber-attack 
  • Process Workflows: Creating an Incident Response Strategy
  • Process Workflows: Selecting Threat Actors
  • Process Workflows: Creating a Breach Readiness Framework
  • Process Workflows: Responding to an Incident
  • Defending against the Cyber Kill Chain
  • Visibility: Identifying your Crown Jewels
  • Visibility: Identifying Critical Log Data
  • Client and PR Communication Templates
  • Worksheet: Identifying Privileged Threat Actors
  • Worksheet: Defining & Base-lining 'Normal'
Module 1 - Cyber Resiliency

This module starts by emphasising the importance of asking the question - WHY? Why would an attacker attack your organisation?  It delves briefly into the psychology of attacks and builds the foundation for Module 2. In addition, this module introduces the core concept of resiliency in the context of cyber.  The module offers:

  • A mind-map that will help you answer this question and also understand what the attacker intends to do with your crown jewels.
  • Explanation of the “whys” with relevant real-world examples.
  • A definition of the ‘Security Fallacy’ and how to work around it. 
  • An understanding into why merely denying entry to criminals isn’t enough.

For full details on this and other modules click here.

Module 2 & 2a - Understanding Threat Actors

Threat actors may sound daunting but fear not. After asking the question, “Why” in the first module, this cyber threat actor section discusses the importance of asking - WHO could damage your critical assets and consequently destroy your business. This section explains the importance of knowing details about your attacker(s) who could target your business. This module offers:

  • An introduction to threat actors, intent and attributes.
  • Threat actors in detail.
  • The TAL or threat actor library and its purpose.
  • Building the Threat Actor Profile.

For full details on this and other modules click here.

Module 3 - Define Normal

Another key concept in the Cyber Incident Planning & Response course, Define Normal introduces the important idea of baselining or defining an organisational normal and explains its importance in building a cyber resilient business. It goes without saying, unless you can define and understand what’s normal for your digital network, it will be almost impossible to rapidly detect the abnormal.  In this module, you will learn:

  • The importance and relevance of this concept, with examples.
  • How to define ‘normal’ for your organisation based on the nature of your business, scale, operational model etc.
  • Applying 'Define Normal' in an organisational context.
  • Understanding and building the organisational baseline.

For full details on this and other modules click here.

Module 4a,b,c & d - The Cyber Kill Chain

Cyber criminals follow a process and have their own easy-to-follow attack methodology. In this module (also known as the cyber-attack process), we disclose the specific workflows that the majority of advanced and/or smart criminals utilise when they attack organisations and nation-states.

In these four modules, you will learn:
  • The different phases of attack methodologies.
  • Analysis of the Cyber Kill Chain (copyright Lock Heed Martin).
  • The importance of knowing the process flows that can help in the understanding of specific threat models and methodologies.
  • Strategies to counter the Cyber Kill Chain.

For full details on this and other modules click here.

Module 5 - Visibility

In this module, we introduce an important strategy - the concept that every business must focus on if it wants to increase its breach response and preparedness. The notion that if you stand in a dark room you are blind and oblivious to the surroundings may seem obvious, but this very fact is ignored and overlooked by organisations when planning and strategising on breach-readiness.  In this module, students learn:

  • What is visibility and why it's so important as a strategic item in a cyber resiliency strategy.
  • They key and core concepts and terminology to better understand its overall impact on resilience.
  • The importance of log data and its relationship and importance to cyber resilience.
  • The primary requirements for increasing visibility in an organisation.

For full details on this and other modules click here.

Module 6a, b, c & d - The Golden Hour & Incident Management

The pivotal moment, the ‘golden hour’ and many other important concepts and strategies are discussed in this section.

  • Module 6a deep dives into the ‘golden hour’, its relevance in incident response and its overall importance in the whole incident management lifecycle. This particular module goes deeper into the important aspects of the golden hour, discusses the importance of taxonomy and communications along with introducing and explaining the critical phase of triage and its role in incident response.

  • Module 6b & 6c discuss standards and workflows on incident management introducing several different terms and approaches on optimising existing processes and procedures while maintaining alignment with the various standards and touch on the key benefits of incident response playbooks.

  • Module 6d takes the student through an exhaustive thought process on creating an effective and fit-for-purpose incident response plan with a comprehensive exercise utilising a mind-map based approach.

For full details on this and other modules click here.

Module 7 - Building the Team

Building a great cybersecurity team also involves walking the tightrope between having a great internal team and liaising with external experts wherever necessary.  In this module on Building the Team, students will learn:

  • Identifying the stakeholders, the 'who' and 'what functions' should be included in the core cyber incident management team.
  • Key skills and traits that are essential in members of an effective cyber incident response team.
  • Why contextual experience is more important than technical knowledge when building an incident response team.
  • The importance of encouraging a culture of speaking up in the team, regardless of seniority or experience.

For full details on this and other modules click here.

Module 8 - Forensics & Investigation

Forensics and evidence are often overlooked in cyber incident management. Many IT professionals don't have enough experience in handling evidence the right way. Dealing with a cyber-attack requires the ability to ensure chain of custody and ensure the evidence is captured, protected and processed in a way that it can be presented in court without anyone being able to challenge the integrity of that evidence.  Delving further into this subject, in this module, we cover:

  • Introduction to forensics principles.
  • Why organisations must sensitise their employees about the regulatory requirement to protect evidence and ensure its forensic integrity.
  • What is a forensics policy, how it can be created and what should its key constituents be?

For the full details on this and other modules click here.

Module 9 - Regulations & Standards

The actions that an organisation takes before, during and after an incident can have legal and or financial repercussions. It is imperative, therefore, that the management, IT and Security teams understand the regulations and standards that apply to them and have a well-defined set of policies to cover these regulations. In this module, we cover:

  • The legal, financial or reputational impact that a business can suffer on account of incorrect actions.
  • A look at some common regulations and standards that businesses should be aware of.
  • What is a breach notification and how is it defined in the GDPR?
  • The fines that GDPR stipulates on businesses that are in breach of its regulations.

For full details on this and other modules click here.


Module 10 - The Technology Stack

It goes without saying that technology plays an extremely crucial role in all aspects of cyber incident response and management. The challenge is that most organisations have a messy and complex technology stack. A huge part of the objective of cyber incident planning and response is to evaluate your technology stack and ensure that it is optimised and ready for a cyber-attack. In this module, students will learn:

  • The common mistakes organisations make while buying technology and building a technology stack.
  • The problems a disorganised and incoherent technology stack can create for the business in case of an incident.
  • Understanding the technologies that underpin an effective breach-ready organisation.
  • Analysis of core technology requirements.

For full details on this and other modules click here.

Module 11 - Communications & PR

The media is always on the lookout for juicy news and controversies. In case of a cyber incident in your organisation, you could be making the next set of headlines. What will you do when you’re in the news and your business and its security infrastructure is being scrutinised by the media? Do you have a PR strategy for when a security disaster hits? In this module, students will learn:

  • The impact of negative publicity on your business.
  • How social media has increased the surface area for spreading news about hacks and breaches and also fake news.
  • The need to regularly monitor social media channels to gauge what is being said about your organisation and your competitors and adversaries.
  • Comms plans and strategies.

For full details on this and other modules click here.

Meet the Trainer 

Amar Singh has a long history and experience in data privacy and information security. Amar has served as CISO for various companies, including News International (now News UK), SABMiller, Gala Coral, Euromoney and Elsevier. Amongst various other activities, Amar is a Global Chief Information Security Officer and Trusted Advisor to a number of organisations including a FTSE100 firm, and is chair of the ISACA UK Security Advisory Group. He also founded the not-for-profit cybersecurity service for charities, Give01Day.

Amar_Singh_CISO (1).jpg

Amar has the highest integrity and is trusted by FTSE100 companies with some of the most sensitive commercial information. He has been involved with highly sensitive forensic investigations.

He has the ability to deal with both technically-astute, board-level executives and lead an organisation's information security direction. Apart from his experience and abilities, Amar holds a number of industry-recognised certifications, such as ISO 27001 Certified ISMS Lead Implementer, MoR, CRISC and CISSP certification.

Amar is an industry-acknowledged expert and public speaker and is regularly invited to speak and share his insights by some of the largest and most respected organisations in the world including The BBC, The Economist’s Intelligence Unit, The Financial Times, SC Magazine, InfoSec Magazine, Computer Weekly, The Register and the AlJazeera English Channel.


All trademarks, service marks, trade names, product names, service names and logos appearing on the site, or on printed or digital material are the property of their respective owners, including in Cyber Management Alliance Ltd. Any rights not expressly granted herein are reserved.

NCSC Cyber Incident Planning & Response

Find out more about our one day public courses or internal workshops, please complete the form below. 

  • callOr call us on:
  • +44 (0) 203 189 1422