
Introduction to the course, the key topics to be covered, and a call to action.
What defines a cybersecurity incident, and why it is important to recognise the difference between a regular incident and a major incident.
With any system there is terminology that is important to get right, so that everyone is clear on what is being implemented and what is and isn’t covered.
In this video we will review the purpose of IT Service Management (ITSM), the main pillars of ITSM, and the solutions that are available.
In this video we will look at why it is important to have a mature, ITIL-focused ITSM solution for recording and managing incidents and problems.
Just having an IT Service Management (ITSM) solution does not mean that it is effective or able to accommodate an incident management process, so what defines a mature ITSM solution?
While it might seem obvious why being prepared for a cybersecurity attack is important, it is also important to be able to communicate this to management and staff alike.
In this video we will define what an incident is, explain the difference between an incident and a major incident, and show where problem management interfaces with the process.
What are the true costs of a cyber-attack, and how can good incident management reduce that cost?
What are the non-monetary impacts on businesses that do not have an incident management process in place?
What is the ROI on investments made in securing an organization’s digital infrastructure?
This module will cover the SANS Institute framework and NIST SP 800-61r3, explain each phase of their incident response lifecycles, and introduce document management systems that help you create, track, and maintain your incident response plan.
The SANS Institute (officially the Escal Institute of Advanced Technologies) is a private U.S. for-profit company founded in 1989 that specialises in:
Information security
Cybersecurity training
Certification
In this video we will look at each of the six phases in the SANS Cybersecurity Incident Response framework: preparation, identification, containment, eradication, recovery, and lessons learned.
In this video we will look at what steps we need to take to prepare, and the sorts of tools and processes we can use to identify cybersecurity attacks as they occur.
Once a cybersecurity event has been identified, the threat needs to be contained and eradicated. In this video we will look at some of the steps we can include in our response plan to stop the attack and start to recover.
After an attack has been successfully contained and eradicated, the next step is to restore systems to normal operating levels, get the business up and running, and record what did or did not go well during the response.
In this video we will discuss how this can be planned for and tracked, as well as reviewed for ways to improve the process over time.
Supply chain attacks (also called third-party attacks) are becoming more common as companies outsource services. In this video we will look at how the SANS Institute recommends assessing, investigating, planning, and documenting third-party incident management.
The National Institute of Standards and Technology (NIST) has published Special Publication (SP) 800-61; its current revision (800-61r3) describes a three-phase lifecycle for handling a computer security incident. In this video we will review this document and how it applies to cybersecurity incidents.
The first phase of the NIST SP 800-61 lifecycle is preparation. In this video we will look at what is involved in the preparation phase, what its core components are, and whether they are relevant to you.
The second phase of the NIST SP 800-61 lifecycle, incident response, details how to respond to the incident and the sorts of things businesses need to consider. In this video we will look at how NIST SP 800-61 helps with a cybersecurity incident response.
The final phase of the NIST SP 800-61 lifecycle is lessons learned. In this video we will cover the main components of the lessons learned phase and how the NIST SP 800-61 framework helps you define your processes.
The industry-recognised standard on document management is ISO 19475:2021. In this video we will look at what the ISO 19475 standard is and why it’s important.
In this video we will look at what a good document management system should look like, with consistent metadata, a managed storage location, and tracking of versions.
Once documents are created and stored in a system, it is important to maintain the content within them and to ensure all copies of each document are up to date.
This module will cover how to define a major incident and what thresholds should be met before one is declared. We will also look at what needs to be in place before a major incident is declared, and why preparation is so important.
In this video we will look at what we need to consider when documenting what defines a major incident, and what thresholds must be met to trigger the major incident process.
When time is critical, knowing who is responsible for what before a major incident occurs is essential, so that everyone involved knows their role and which part of the process they own. In this video we will define the roles required and how to ensure everyone is aware of who owns them.
Once we know what triggers a major incident and who is responsible for the major roles, what steps need to be taken to action this response plan? We will define what that process looks like, what workflows we can create, and what tools can help us.
No two organisations will have the same processes. Some will be more complex than others, and some more automated, but all will follow similar steps to identify and respond to a major incident. In this video we will look at the sorts of questions to ask and the sorts of information you will need to plan for in the implementation phase of your plan.
Once a major incident is in full swing, it can seem impossible to know how you need to respond until you are in the thick of it and know what is happening. However, there are some common tasks that are needed regardless of the incident type or the system affected. In this video we will look at how we can plan for our response during the incident, covering containment, eradication, and recovery.
Once we get to the lessons learned phase you might think the workload starts to ease off and we can go back to our day-to-day work, but the truth is that there is still a lot of work to do. In this video we will look at the components we need to plan out the lessons learned phase of our incident response plan, and the key steps to ensure the next major incident is handled better and resolved faster than the last.
In the final module, we will take a look at how to implement the cyber incident response plan in the real world. From training staff to running simulated attacks to test the process, this module will take all the theory we have discussed and get it up and running in the real world.
During a major incident, processes are executed and decisions are made rapidly, and every second counts. Making the process available to all the right employees, in the right formats, is critical to ensure the documentation is easy to find and simple to follow in a time of crisis.
For any documented process to be effective, everyone who may use the process should be fully aware of what the process is, where it is documented, and how it operates. In this lesson we will look at how to train support staff on a documented major incident process.
Documenting the process is the first step in implementing a new critical business process; the next, and arguably more important, step is training staff in its use. This lesson will look at the importance of training and how to maintain it over time.
Critical Concepts in Incident Response Frameworks empowers cybersecurity professionals with the essential skills to effectively detect, contain, and recover from cyber incidents. This specialised course provides a structured approach to developing incident response plans that minimise the impact of attacks, ensure business continuity, and strengthen organisational resilience.
Rooted in globally recognised frameworks like NIST, SANS, and ISO 19475, the course offers a seamless blend of theoretical knowledge and practical application. By integrating cybersecurity best practices, learners will gain the tools needed to transform these practices into actionable, results-driven workflows for defense against evolving cyber threats.
Explore the complete incident lifecycle, from preparation and identification to eradication and recovery. You will learn to develop response playbooks, coordinate cross-functional teams, and align incident response processes within existing IT Service Management (ITSM) and cybersecurity frameworks. The course also covers emerging threats, including ransomware, phishing, insider threats, and data breaches, ensuring you're equipped to respond to the latest challenges in cybersecurity.
Key components of the course include making rapid decisions under pressure, crafting effective communication strategies, and ensuring regulatory compliance. You’ll gain the confidence to lead cyber incident response operations, minimising damage and mitigating risks.
With interactive simulations and real-world case studies, you’ll engage in hands-on exercises that sharpen both your technical and strategic thinking. By the course's end, you will have a portfolio of actionable incident response plans and recovery strategies that you can apply directly to your organisation.
Whether you’re an aspiring cybersecurity analyst, an IT manager, or part of a security operations team, this specialisation equips you with the frameworks, tools, and mindset to lead incident response with clarity and confidence in today’s ever-evolving digital battlefield.