Incident management

The expertise of GovCertUK and CERT-UK in a single team, helping to reduce the harmful impact of cyber security incidents in the UK.

Incident management team

We identify and respond to cyber security incidents, assist with their mitigation, and build our understanding of cyber security threats. In the event of significant cyber security incidents, we provide direct technical support and cross-government co-ordination of response activities.


What is a cyber security incident?

The NCSC defines a cyber security incident as:

  • A breach of a system’s security policy in order to affect its integrity or availability
  • The unauthorised access or attempted access to a system

    Activities commonly recognised as security policy breaches

    • attempts to gain unauthorised access to a system and/or to data

    • the unauthorised use of systems and/or data

    • modification of a system's firmware, software or hardware without the system-owner's consent

    • malicious disruption and/or denial of service

    The NCSC defines a significant cyber security incident as one which may have:

    • impact on the UK’s national security or economic wellbeing
    • the potential to cause major impact to the continued operation of an organisation

    Incident advice and guidance

    Cyber security incidents can take many forms: denial of service, malware, ransomware and phishing attacks. Our guidance will help you to plan for and deal with these, and many other types of incident.

    Is it an incident?

    If you are experiencing unexpected or unusual computer network issues, we recommend that you contact your system administrator or service provider to identify the root cause of the issue.

    If a cyber security incident is confirmed, please consult our guidance for detailed advice. 

    Personal attack

    There are a number of crimes which we do not define as cyber security incidents. Cyber bullying and threats via email, text or instant message are all examples.

    If you are in the UK, you should report these to the police. You can contact them by telephone on 101, or see the website for further information.


    Action Fraud is the UK's national fraud and cyber crime reporting centre.

    If you believe you have been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website.

    If you are in Scotland, contact Police Scotland on 101.

    Further assistance

    CiSP (Cyber-security Information Sharing Partnership)

    Managed by the NCSC, CiSP provides a forum for cyber security discussion from beginner through to expert level. It's also a platform where organisations can share intelligence gathered from their own computer networks.


    Contacting the NCSC Incident Management team

    If you feel you are the victim of a significant cyber security incident, you can report this to the NCSC.

    CiSP members may wish to consider submitting an incident report on the CiSP platform as a means of sharing timely threat information with other members.

    If you experience an incident which affects personal information, you should consider whether you have an obligation under the GDPR to report the incident to the Information Commissioner’s Office (ICO). The ICO website provides further guidance on what constitutes a notifiable breach, and on preparing and responding to breaches.

    If the incident affects UK essential services, as defined under the NIS directive, the Operator of Essential Services (OES) responsible should consider whether they also need to inform their Competent Authority of the incident. The NCSC provides dedicated guidance for OES organisations.

    If you believe the incident constitutes a cyber crime, you should report it to Action Fraud. If you are in Scotland, contact Police Scotland on 101.

    Threat intelligence sharing

    The NCSC uses STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) to store and share structured threat intelligence in real time. At present our feed is only available to members of the CiSP by invitation.


    NCSC Cyber Incident Response (CIR) scheme

    If you require third-party assistance in dealing with a cyber security incident, we recommend one of the NCSC-certified CIR companies. 

    Further reading

    Guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cyber security.

    CiSP is a joint industry/government information sharing initiative aimed at increasing awareness of cyber threats and reducing their impact on UK business.

    We issue alerts and advisories addressing cyber security issues detected in the UK. We also produce in-depth analysis of cyber threats and vulnerabilities.