
Public sector cyber incident co-ordination procedure

Outlines the procedures for notifying and coordinating responses to notifiable cyber incidents affecting Scotland’s public services. It defines the agreed-upon cyber incident notification process adopted by the Scottish public sector since 2018.


Section C – The Notification and Coordination Process

The “Report It Once and Follow Up” Procedure

12. The procedure seeks to minimise reporting burdens on Scottish public sector organisations who are managing notifiable cyber incidents. The Scottish Government has therefore agreed with the NCSC, Police Scotland and other key partners that a “Report it Once and Follow Up” approach may be adopted by all Scottish public sector organisations.

13. The procedure that should be adopted is as follows:

  • Step 1: Assess And Review Cyber Incidents: All Scottish public sector organisations should assess cyber incidents against the definition of a Notifiable Scottish Public Sector Cyber Incident set out in Section B of this document. If incidents do not initially meet any aspect of this definition, the thresholds set out in the definition should be kept under review as the incidents develop and potentially escalate.
  • Step 2: Report It Once: Scottish public sector organisations who are impacted by notifiable cyber incidents should complete the notifiable cyber incident reporting form available in Annex A as soon as possible and, if email services are available, send the completed form simultaneously to the addresses outlined on the form.

In situations where email access is not available, Scottish public sector organisations should go straight to the “follow it up” procedure (Step 3) below, and make a verbal report to SG SC3 or Police Scotland. This will then be shared with other central coordinating bodies as appropriate.

  • Step 3: Follow It Up: To ensure that the initial report has been received and is being actioned, Scottish public sector organisations should follow up their initial communication by calling at least one of the central coordinating bodies on the following phone numbers, available 24/7.

The Scottish Cyber Coordination Centre (SC3): 0300 244 9700 (SC3 Duty Officer)

Police Scotland: Phone 101 and ask for the Cyber Unit On-call Officer

NCSC Incidents Team: 03000 200 973

It will then be the responsibility of the central coordinating body contacted via the “follow it up” procedure to ensure that other central coordinating bodies are aware, and to activate the assessment and triage stage below.

  • Step 4: Assessment And Triage: Once a notification of a notifiable cyber incident has been received, the NCSC and Police Scotland will lead on assessing and triaging the incident and identifying the Incident matrix Score.

The NCSC may liaise directly with the affected Scottish public body to undertake this assessment. The NCSC will also coordinate with the SC3 and Police Scotland. SC3 will liaise with SGOR (if relevant).

It will be for the Scottish Government to decide whether SGOR should be activated at any point in this process.

The assessment and triage process will seek to establish the following key points:

i. whether the incident qualifies as a ‘notifiable cyber incident’

ii. Incident Classification that meets the NCSC Incident matrix score (described on page 8)

iii. based on (i) and (ii), which organisation(s) will lead on coordinating which activity, or providing which support, in response to the incident (see below).

  • Step 5: Coordinated Response: Following assessment and triage, central coordinating bodies will work as appropriate with the individual public sector organisation(s) affected to ensure appropriate action is taken in support of the practical incident response. Key roles will depend on decisions taken under step 3, above, and in particular whether the incident results in activation of the NCSC managed incident procedure or SGOR. However, key activities undertaken by the central coordinating bodies will typically include:
    • Gathering information on the nature of the incident and whether/how Scottish public services are affected, supporting cross-government and cross-sectoral coordination and response (including via SGOR and COBR structures), briefing Ministers, and providing advice and support to the wider public if there are wider impacts.
    • Investigating incidents, including by collecting and analysing technical information.
    • Providing direct advice and guidance to affected organisations on how to respond to, mitigate, or recover from, a specific cyber-attack.
    • Sharing threat intelligence and guidance with the wider public, private or third sectors.
    • Coordinating media lines or crisis communications with affected bodies.
    • Supporting a lessons identified process post-incident.

14. A flow chart of the Report It Once and Follow Up process is set out on the following page.

Notifiable Cyber Incident Process Map

Contact

Email: SC3@gov.scot
