Cyber incident grab bag: Ensuring your incident response reflects reality
Use this module if your cyber incident involves unclear ownership, or complex organisational arrangements.
Managing a cyber incident during organisational change and complexity
Use this module if your incident involves unclear ownership, or complex organisational arrangements. This often arises when councils operate across shared services, partners or suppliers, or where roles, leadership or governance arrangements are changing and not fully established.
What to expect
In these situations, your incident response may not fail, but it will be harder to coordinate and control.
You should expect:
unclear or contested ownership of systems, services, or decisions
fragmented or uncertain decision-making, particularly where leadership or roles are changing
gaps in knowledge, where key information sits with individuals or suppliers
competing priorities across services, partners, political or organisational leadership
less ability to act quickly due to the need for more complex coordination.
Do not assume your existing plans reflect how your organisation actually operates. Historic arrangements and decisions may still shape how systems and services work, even if they are not well understood, or where organisational memory is weaker.
Typical signs this is affecting your response
You may be experiencing this if:
it is unclear who owns a system, service, or decision
different teams, partners, or leaders are giving conflicting direction
decision-making authority or escalation routes are unclear or still evolving
you are dependent on specific individuals to understand systems or processes
plans or documentation assume structures that don’t reflect reality (for example, unclear boundaries, or reliance on manual workarounds)
you discover unknown or ‘off the radar’ systems, contracts or dependencies during the incident
multiple stakeholders are asserting legitimate but competing priorities during the response.
Recognising these patterns early can help you respond more effectively.
Your key strategic actions
Do not assume that long-standing arrangements are well understood or documented. Historic decisions, informal workarounds, and legacy arrangements may still shape how your organisation operates – you will need to actively establish clarity as you respond.
Focus on the following critical actions throughout your response and recovery. (Note: these are a strategic guide, not an exhaustive list of every action you should take.)
Map ownership and dependencies. Identify which services, systems, and contracts are in scope, where they cut across teams, partners, and organisations, and who is responsible.
Clarify ownership and decision making early. Establish who has authority to make operational and risk decisions during the incident. Put in place strategic coordination arrangements, for example, joint teams to manage alignment of your communications.
Surface and test assumptions about responsibilities, data access and decision rights early, and check this directly with service owners, suppliers, and technical teams.
Do not delay action while seeking perfect clarity. Work on the best available information and update your understanding as the situation develops.
Empower rapid technical action where needed to protect your systems and data. Ensure technical and security teams have the authority to isolate systems or take defensive actions rapidly, including outside normal working hours.
Use clear interim assumptions where needed. Where ownership or responsibilities are unclear, define and share a working position, and update it as understanding improves. Where decisions must be made with incomplete information, proceed based on clear interim assumptions, and revisit these as your understanding improves.
Engage shared service partners, suppliers, and neighbouring authorities early where dependencies exist.
Document decisions, trade-offs, and uncertainties as part of the incident record.
Pay early attention to culture, particularly in newly formed or changing organisations. Building trust, openness, and shared purpose will support a more effective response and recovery.
Learning from previous incidents
Other councils who have experienced serious cyber incidents have found that:
historic arrangements (for example, previous shared services or legacy integrations) can create links and connections between councils and partners that are not well understood or documented
explicit decisions are safer than assumed ones; failing to make timely decisions can make the challenges harder
transparency with partners, regulators and government builds confidence, especially when certainty is limited
aligning communications across affected councils can be challenging, especially where the impacts of the incident vary between the councils
prioritisation for response and recovery is challenging when working across organisational boundaries
major organisational changes can mean that key people have left the council and that the culture is more sensitive to the pressures of a serious incident.
Guidance across the different time stages
At this stage, challenges are likely to include incomplete information about the incident and impacts, and potentially also misplaced confidence in how the organisation operates.
Focus on working in the open to surface and manage uncertainty, not just establishing technical facts.
Assume complexity will challenge your situational awareness and decision making. Use the guidance in the Cyber Grab Bag core modules to help you identify where you will need to prioritise your focus.
Consider how complex context will impact on your Gold/strategic and Silver/tactical arrangements – for example:
do you need to establish parallel arrangements to ensure effective coordination?
do your coordination groups include all the partners needed (for example, where services are delivered across more than one organisation)?
Take early steps to set up arrangements to coordinate your communications. Use the Informing and Supporting guidance in the Cyber Grab Bag to help you anticipate where the most significant challenges are likely to arise.
If the impacts of the cyber incident will affect multiple organisations (for example, where the incident affects shared service arrangements), take early action to engage elected Members. Use the Working with Elected Members section in the Grab Bag guidance to support this.
The main risk at this stage is not lack of effort, but fragmentation – parallel recovery activity, competing priorities, or unspoken assumptions about who is responsible for what.
Your response and recovery will need early focus to identify where your usual business continuity and recovery plans are most likely to need additional attention and thought. This benefits from dedicated effort, as attention will naturally be drawn to the most immediately obvious impacts of the incident.
Bring senior leadership into the response early. For example, bring together senior leaders to make sure that they have a clear picture of the current information, priorities and how the response and recovery will be coordinated.
Assign suitably experienced members of your teams to develop a rapid impact and risk assessment that will help you identify where additional steps will be needed as part of your response and recovery.
Consider how both current and historic arrangements may impact on your response, such as legacy shared services, common infrastructure, or transitional arrangements such as those in place for Local Government Reorganisation.
If you are operating within or alongside a shadow authority, take early steps to clarify cyber security responsibilities, decision-making authority, and accountability across existing organisations and the shadow structure. Do not assume these are understood.
Ensure that your Monitoring Officer is closely involved with your coordination arrangements and the planning of your response, so they can help you ensure that decision-making authority and governance requirements are clear.
Look to recent examples where the organisation has successfully operated under conditions of complexity and high pressure (for example, during COVID-19) to identify ways of simplifying governance, clarifying delegation, and accelerating decision-making where needed.
Monitor how your Gold/strategic and Silver/tactical arrangements are working, and adjust if required.
Take a consistent approach to information sharing. Agree who is responsible for external communications, how messages will be coordinated, and how consistency will be maintained where multiple councils are communicating, particularly during LGR or other transition periods.
Confidence comes from consistency, clarity, and credibility over time, not just speed. This is often where progress can stall if complexity is not actively managed, even if technical recovery is moving forward.
Alongside the critical technical and business continuity work, you should focus on the rhythms of work and coordination, to ensure that these continue to support effective alignment across your organisation and the other partners you need to work closely with.
If the incident has impacted on multiple organisations, ensure that your Gold/strategic and Silver/tactical arrangements have embedded successfully and include clear, regular coordination across the partners.
Review your response and recovery plans and update them to reflect the impact and risk assessment that you carried out in Stage 2.
Assign suitably experienced members of your team to assess the potential impacts of the incident on your medium and longer-term strategic plans (for example, on the timings for implementing organisational changes), and use this to identify where additional focus, resources or changes to plans may be required.
Identify where closer long-term engagement with external partners and other stakeholders might be required to support you in managing the medium and longer-term implications. This might include closer coordination with central Government or other agencies.
Recovery is a whole-organisation effort. This stage determines whether the council emerges with clearer ownership, stronger governance, and reduced dependency on informal arrangements, or whether the same complexity is re-established under greater time pressure.
As you develop your longer-term recovery path, consider how you can use the recovery work to take you towards your future strategic direction.
Where possible, recover to where you want to be, not where you were, for example by using modern, modular approaches.
Build greater organisational flexibility and use learning to develop governance that enables future transformation.
Plan for long-term sustainability and maintain focus, morale and momentum to combat fatigue.
Accept that no single static plan will cover every scenario; adaptability is key.
In line with the guidance in the Healthy Teaming section of the Cyber Grab Bag, it is essential to plan for long-term sustainability during the recovery work. This is especially important in complex and changing environments, where people at all levels can become fatigued by the demands of the recovery work. Make sure that you use the Healthy Teaming advice to ensure that you can maintain focus, morale and momentum.