Blog

Government Cyber Security Policy: Cyber Incident Exercising – What You Need to Know

By Grace Perry 27 January 2026 5 min read

Cyber threats continue to pose significant risks to government organisations, highlighting the importance of effective preparedness to mitigate potential impacts. To enhance resilience throughout the public sector, the UK Government has implemented a requirement for Cyber Incident Exercising as part of the Government Cyber Security Policy. This blog summarises the policy’s scope, key requirements, and steps government organisations should take to prepare.

What is Cyber Incident Exercising?

As part of the Government’s Cyber Security Policy, the cyber incident exercising (CIE) policy has been identified as a specific requirement to facilitate the exercising of an organisation’s cyber incident response plan (CIRP).

The policy provides clear guidance for government departments and public organisations on how to plan, conduct and evaluate cyber incident exercises. These exercises aim to simulate real-world cyber attacks in a scenario-based format, to establish the organisation’s ability to respond effectively and to ensure that critical services remain operational during a cyber incident.

The policy aims to:

Improve organisational readiness for cyber incidents
Identify gaps in incident response plans.
Ensure effective communication across critical business areas to ensure business continuity.
Foster collaboration between departments and agencies during cyber emergencies.

Incident preparedness is essential for maintaining operational resilience both during and following a cyber attack. Incorporating routine exercises into security strategies enables organisations to foster a culture of resilience and continuous improvement.

Why is Cyber Incident Exercising Important?

Preparation is essential. It is widely recognised that the occurrence of a cyber incident is a matter of when, not if. Organisations that are well-prepared demonstrate greater resilience in their response efforts. Regular cyber incident exercises enable organisations to better understand their environment, assess their incident response capabilities, and ensure the effectiveness of communication plans. By implementing this policy, government and public sector entities can enhance their resilience, decrease recovery times, and sustain business continuity during cyber crises.

Who Does Cyber Incident Exercises Apply To?

The policy applies to:

Lead Government Departments (LGDs) – Departments responsible for national security and critical services.
Arm’s Length Bodies (ALBs) – Public organisations operating independently but funded by government.
Other public sector organisations – Including agencies and bodies that deliver essential services.

In summary, any government entity that handles sensitive data or provides critical services falls under this policy’s remit. However, it is best practice for all organisations to ensure incident preparedness and regular exercising provides the opportunity to test, evaluate and improve response to cyber incidents and further enhance their cyber incident response plans.

Key Requirements of Cyber Incident Exercising

The policy outlines several core requirements for compliance:

Regular Cyber Incident Exercises
Organisations must exercise their CIRP at least annually to test their incident response capabilities and make improvements where necessary.
Representation of Roles and Responsibilities
All stakeholders with business continuity responsibilities must be appropriately represented during exercises.
Continuous Improvement
Exercises should incorporate lessons learned from previous incidents, any changes to risk and threat landscape and critical business changes. Performance must be reviewed and CIRPs updated.
Alignment with Risk Tolerance
Exercises should reflect the organisation’s specific risk appetite and threat landscape.
Integration with Existing Governance
Exercises must align with broader business continuity and crisis management frameworks.
Compliance with the Cyber Assessment Framework (CAF)
Cyber incident exercising builds on what is in the Cyber Assessment Framework to enhance cyber resilience and incident preparedness.

How Government Organisations Can Prepare for CIE

To prepare for CIE, government organisations should:

Develop an Exercising Strategy
Create a structured plan that defines the scope, frequency, and objectives of cyber incident exercises.
Develop Incident Response Plans
A cyber incident response plan must be developed prior to exercising.
Assess Key Assets and Associated Risks
Evaluate which systems and services present the greatest vulnerabilities and establish an appropriate risk tolerance.
Engage Leadership and Relevant Stakeholders
It is crucial that senior leaders actively support and promote the implementation of the exercise program.
Provide Staff Training and Build Positive Culture
Ensure that all personnel are fully informed of their responsibilities in the event of a cyber incident and provide appropriate training.
Collaborate Across Departments
Coordination with other agencies is essential for effective response and support improvements across government.
Leverage Supporting Guidance and Standards
Use frameworks such as the Cyber Assessment Framework to benchmark readiness.

How Bridewell Can Support

Bridewell’s NCSC CIR accredited Incident Response Team can support organisations for cyber incident exercising to meet the policy requirements.

Bridewell’s tailored Cyber Incident Exercising service includes: