The 9ine Blog

9ine helps thousands of school leaders and IT teams protect their stakeholders and constituents by publishing critical changes, updates and best practice blogs. 

Subscribe to 9ine's monthly newsletter, 9News to receive monthly blogs delivered right in to your inbox.


stones 2

Cyber Security: The 9ine Steps For Incident Management

In this fifth blog in the series, we look at Incident management, following the guidance from the UK National Cyber Security Centre (NCSC). We explore how schools can ensure that with well structured, clearly written incident plans and procedures, they can reduce the impact of a cyber attack and ensure that key systems and services are up and running as soon as possible, minimising the impact on the users and supporting business continuity. With each blog in this series, we are building upon every stage of the NCSC’s 10 Steps to Cyber Security, and in turn, providing our independent recommendations, examples and guidance.


In our previous blog, User Awareness - How To Help Your Users Protect Themselves & The School Network! we discussed how structured and regular training, alongside clear policies and procedures, can go a long way to stopping some attacks in their tracks before they hit the network. This blog goes hand-in-hand with the above and provides schools with a greater understanding of how effective plans and procedures reduce risk and provide a safer working environment.


By following these recommended steps, you will be able to evidence that your school has the appropriate mechanisms in place to reduce the impact of a cyber attack and support business continuity. By providing your end users and IT teams with plans and procedures aligned to your business continuity plans, you will demonstrate that the school is ensuring both the availability of data, and is providing resilience through an organisational process.


Before we go any further, do you know?

  • What an incident is, or how your school classifies or categorises them?
  • If your school has an incident response policy, plan and procedure?
  • Where your school’s incident plan is located and is the documentation up to date?
  • Who you should contact first? and how?
  • Are there immediate steps you should take before reporting?
  • If there is a need to preserve evidence and document the steps taken?
  • If and when you need to report an incident to any authorities or regulators?


If you are unsure, you need to follow the next 5 steps


1.  Establish if you have the existing skills and capacity to adequately respond to a cyber attack. Whether those skills are provided through the internal IT team, a managed service provider, or another third party.

2.  Create an incident response policy, plan and process tailored to your school’s current capacity, skills and support provider(s).

3.  Identify any shortage of skills through a gap analysis and define a training plan to upskill members of your support teams. As an interim measure, put in place mitigating actions or provide additional outsourced support whilst your IT teams receive specialist training.

4.  Train all users on the school’s incident response policy, plan and process, ensuring they know what to do and who to contact in the event of a cyber attack.

5.  Test your new incident response plan by thoroughly addressing a variety of common attacks, such as phishing attacks, and malware (focusing on ransomware). 


Following the above will ensure that you have the capacity and capability to deal with an incident effectively. Once you have this in place, have tested the plan and are confident that your users understand the process, follow the next set of steps.


Responding to an incident

In the previous steps above, you have captured the reaction to the incident, now let's look at the response. Some incidents will require that data, systems and/or services need to be restored or repaired, and others will require local authorities or regulators to be informed. You now need to:


6.  Ensure that you have a robust method for categorising incidents and understand when an incident needs to be reported, and with whom (data protection, local authorities etc.)

7.  Review business continuity plans and disaster recovery plans to ensure they are aligned. Any areas where your disaster recovery plan does not align with the business continuity plan, need to be addressed.

8.  Test the disaster recovery plans to ensure that you can restore data and repair systems or services in a timely manner (remembering availability of personal information, or lack of, in some circumstances is a reportable breach).

9.  Put a policy and procedure in place to ensure that all incidents and their responses are reviewed in order to identify areas of the process that need further review or rectifying. Lessons learned will provide efficiency and will ensure that any ambiguity, or areas where users were unsure of what to do, are addressed.


How can 9ine help?

9ine's Incident Response desk can help support your school users in the event of a cyber attack. We can provide your IT team with additional capacity, skills or even just a sounding board when needing to respond quickly to an incident and limit the damage. Think of us as your vehicle roadside recovery service; you can register with us free of charge and only pay when you need us!  



In addition to the Incident Response Desk, our Cyber Defence Essentials subscription service will provide your school with a comprehensive infrastructure and systems audit. The output of which will inform and shape your remediation, resource and investment plans. Alongside the outputs of the audit, the annual Cyber Posture Evaluation and Penetration Tests will provide your school users, Governors/Board with the confidence that you have the technical and operational measures in place to minimise the possibility or impact of a cyber attack.

Our evaluations are based on the NCSC 10 Steps to Cyber Security, the NCSC Cyber Essentials accreditation and the EU's NIS Directive, which also uses a cyber framework developed by the UK's NCSC.


Where To Go?

For more information about our Incident Response Team or Cyber Defence Essentials subscription, please contact


Is Your School CIS-Accredited?

In addition, those schools who are accredited by the Council of International Schools (CIS) have access to 9ine’s training and resources for supporting with cyber security, enhanced data protection, and child protection standards within the protocol (implemented later this year). If that’s you, get in touch.


Cyber Risk Workshop Card Game Video Tutorial CTA