A practical resource for responding to major cyber incidents.
Introduction
This is a tool designed to support councils through the early stages of responding to a serious cyber incident. The guidance helps councils to anticipate the likely challenges they will face, find support and authoritative information, and chart their course through to a sustainable recovery.
The grab bag does not replace your council’s pre-existing Business Continuity Plans, Disaster Recovery Plans, or Emergency Plans. It should be used alongside those to guide you through the initial weeks of your cyber incident response. For further guidance and templates for these plans, visit the LGA’s cybersecurity blueprint series.
The guidance is organised across eight themes which will apply across your response to a cyber incident. The grab bag also includes service-specific guidance, which provides more detailed advice for critical services.
- Healthy teaming: the steps you will take to ensure that you have the right people assigned to your response, effective coordination and a sustainable pace.
- Coordinating with central government and law enforcement: guidance on how to access support from central government, NCSC, NCA and other partners across government.
- Informing and supporting: advice to support your communications, engagement and work to build trust with residents, businesses, partners and colleagues.
- Delivering your services: guidance to support the deployment of your Business Continuity Plans and adapting them as the situation evolves.
- Safely restoring technology and systems: advice on how to ensure that your disaster recovery and system restoration work is safe and secure, and helps you act strategically to enhance your overall cyber resilience.
- Protecting data: the measures needed to mitigate risks to personal and other sensitive data, and to ensure that you are complying with your responsibilities under the Data Protection Act.
- Working with elected members: coordination with elected members, including political leadership and other frontline councillors.
- How to make sure your incident plan reflects reality: guidance for managing a cyber incident when organisational complexity or change affects ownership, roles or decision making (for example, Local Government Reorganisation, political change, or shared services).
- Service-specific guidance: guidance for specific services, where incidents create unique risks or challenges (for example, adult and children's social care).
Stages of your response
The grab bag is organised across four initial stages of your response to a cyber incident. These do not have exact timings, as the nature of any individual attack will vary, but they broadly reflect how a response evolves – from the initial hours, through the first days and weeks, and into longer term recovery.
The stages reflect the initial intensity and uncertainty that is typical following a cyber incident. They develop in line with the pace of your response, as more information becomes available and your plans progress.
The grab bag combines key strategic actions with learnings from other incidents to help you prioritise, coordinate and sustain your response.
Stage one: confirming the need to act (initial hours)
In the initial stages of a cyber incident there will be limited information, high pressure and a need to ensure that your first steps set you up for a successful response and recovery.
The guidance provided for this stage is designed to help you establish a clearer picture of the situation, take steps to alert relevant authorities and partners, connect with support, and prepare to mobilise your response.
Notification to government, law enforcement and partners
At this stage, you should notify the relevant authorities and partners as soon as possible.
- Report the incident to the NCSC, using their report a cyber incident tool
- MHCLG will be notified via the NCSC report, but you can also contact them directly at [email protected]
- If the incident involves a data breach (including unavailability of personal data), use the guidance provided by the Information Commissioner's Office (ICO) to determine whether they need to be notified
- Report the incident to the police as a cyber crime using the Report Fraud service
- Consider contacting your local Warning, Advice and Reporting Point (WARP) for local security mutual support
You can use the government's where to report a cyber incident tool to help identify the right organisations to contact.
Refer to the coordinating with central government and law enforcement agencies section for more information.
Stage two: taking your crucial first steps (days)
Once you have a clearer understanding of the incident and the steps you need to take, you will start to mobilise your recovery, while maintaining delivery of essential services.
The guidance provided for this stage is designed to help you make sure that your response covers the range of actions needed and that you establish sustainable ways of working that will help you through the work that follows.
Depending on the severity and nature of the incident, you are likely to be in contact with your Regional Organised Cyber Crime Unit (ROCU) or local police force, who will support your investigations.
If not engaged already, you should also engage with NCSC, MHCLG and other relevant government departments, depending on the nature and impacts of your cyber incident. Be prepared to engage with further relevant government departments, who may contact you directly or through the NCSC.
Stage three: building confidence through your response (weeks)
After the response efforts have mobilised and the recovery work is underway, you will be closely monitoring progress, making sure that you maintain effective communications and responding to new information and events as they arise.
The guidance in this stage will help you plot your path through what is likely to be a complex recovery and build your confidence in the work ahead.
At this stage, regular communication and reporting cadences with relevant government departments and agencies should be established. This will differ depending on the type of incident and the severity of its impacts.
Stage four: designing your recovery path (months)
At this final stage of the grab bag, you will have an established response pace and the initial intensity of work is likely to have reduced (at least to some extent). You will also need to maintain focus and energy levels across your teams so that you are able to sustain the recovery work.
As you begin to plan your longer-term recovery path, this section provides considerations on how to sustain the crisis response team’s capacity and capability over time, how to build assurance and trust with residents, partners and key stakeholders, and how to safely bring your services back to more normal operation.
At this stage, you should continually review and evaluate whether further public bodies, government departments or regulators need to be engaged or re-engaged as the situation develops.
You should expect communication with these partners to scale up or down depending on incident management, confidence in response efforts and what more is learnt about the incident’s impacts.
About the cyber grab bag
The LGA, with support from MHCLG’s Local Digital Team, has worked with councils and a wide range of partners, including the Information Commissioner’s Office and delivery partner Public Digital, to produce this cyber incident grab bag. The grab bag is also based on National Cyber Security Centre (NCSC) guidance.
The grab bag is actively maintained and this version was last updated on 27 April 2026.
To provide feedback on the resource, or to reach out to the team, please email [email protected].