Incident response capacity review

What is the aim?

To help the country assess the development needs for its national incident response capability at a deeper level than is provided by a national cyber capacity assessment.

Why do it?

It is not essential to do this as part of the strategy process, but for a country with low national incident response capability it can be helpful to conduct this review while preparing for drafting the strategy, because one of the key questions for the strategy may be whether the country wants a national CSIRT and, if it does, which ministry or organization should be responsible for it.

What are typical outputs?

A report on the current national incident response capabilities with recommendations for improvements.

How is it delivered?

A small team of international experts will conduct one or two short visits to interview key decision makers, officials and other relevant stakeholders.They will then write a report.

How easily can a country do it themselves?

The interviewing and report writing process could easily be conducted by a government team. The added value of using international experts is that they can provide advice during the process and in their report, based on experience working with many countries on setting up or strengthening national incident response capabilities. A report from an international organization may also help raise the profile of the issue locally. It may also avoid delays if there is no agreed lead ministry/organization to write the report.

What good practice guidance is available?

GFCE WG B Lessons Learned on Cyber Incident Management Capacity Building. Three useful reference docs are mentioned in the Case Study. Others are available on the Cybil Portal.

  • Experienced auditors must be involved for the best assessment outcomes.
  • Focus should be on measurable results and outcome-driven approach, i.e. roadmap activities must be actionable and with defined measurable results.
  • Assessments must be paired with budgets and human resources available for the implementation of improvements.


Usually starts from $25k and up to $75k USD depending on scope and if travel is necessary. 


Once a government has requested a review, there is normally one month to prepare for on-site consultations, one week to run the consultations and then one month for a report writing and finalization with the government.

In 2019, the Inter-American Development Bank (IDB) launched a project to support Ecuador’s national cybersecurity policy formationas part of a wider aim of increasing policy makers’ holistic understanding of cybersecurity in Latin America and the Caribbean. NRD Cyber Security was selected to implement this project and to support the formation of Ecuador’s national cybersecurity policy by:

  • Assessing the current situation, gaps and challenges in cybersecurity in Ecuador;
  • Planning specific improvements to the government’s cybersecurity readiness; and
  • Supporting the National Cybersecurity Strategy formation process. 

One of their first steps was to conduct a national incident response capacity review to provide tailored recommendations as to the direction in which Ecuador’s incident response capacity should evolve.

Two NRD Cyber Security experts visited Quito and over four days held consultations with Ecuadorian public, private and academic incident response organizations. The aim of the consultations was to identify maturity gaps in handling cyber incidents Ecuador, the most relevant services needed to improve the security of government services, and what capabilities and technologies would ensure proper implementation of those services, and to assess whether the legal, organizational and operational environment would ensure proper enhancement of incident response capacities. The experts used three specific methodologies to identify cyber-incident response maturity and capability gaps:

  • the SIM3 methodology was used to identify maturity gaps in terms of the national incident response team organization, staffing, tools and processes;
  • the FIRST.Org Service Framework was used to help identify additional potential services that Ecuador’s national incident response team should provide; and
  • The SOC-CMM methodology was used to prioritize Ecuador’s government incident response services and technologies needed to implement required services. 

As a result of consultations, NRD Cyber Security experts drafted a report for the government of Ecuador with the assessment of the current cyber incident response capacities in Ecuador at national, governmental, sector and company level. They also provided recommendations for how government incident response capacity could be enhanced, building on capacities that they already have. 

The cyber incident response capacity assessments and recommendations were integrated into the cybersecurity improvement plan for Ecuador. A separate roadmap for establishing a government Security Operations Centre (SOC) was prepared.