
Incident response process

Containment

Containment aims to:

  • limit the spread of the incident to other systems, users, or networks
  • preserve evidence for investigation and legal or regulatory reporting
  • minimise disruption to critical services, especially safeguarding, learning platforms and MIS
  • protect sensitive data, particularly learner and staff information

Containment must be prompt but measured. Balance the speed of containment against the harm of acting too quickly: powering off or reimaging a machine destroys volatile forensic evidence, and shutting down services that were not actually affected causes avoidable disruption.

Containment should involve:

  • IT support
  • SLT digital lead - for communication, escalation, and stakeholder management
  • relevant external support, such as the RPA

Containment procedures

These are common containment measures, but details will depend on the technical architecture and design of your IT systems.

These actions are likely to be delegated by the SLT digital lead to IT support or other specialists.

Step 1: Identify the affected systems and scope

For example:

  • use logs, alerts, user reports, or information from external parties
  • engage with service providers if cloud-based systems are involved
  • record impacted systems
  • tag impacted systems clearly in incident tracking tools if available

Step 2: Isolate affected systems or accounts

For example:

  • remove devices from the network by disconnecting Wi-Fi and unplugging the Ethernet cable (disconnect rather than power off, so that evidence in memory survives)
  • disable compromised user accounts in Active Directory or the cloud identity platform
  • revoke API keys or access tokens suspected of compromise; disabling an account does not invalidate tokens and sessions that were issued before it was disabled

Step 3: Prevent further spread

For example:

  • apply firewall rules to block suspect IPs or ports
  • disable infected services or applications temporarily
  • suspend automatic syncs or backups if they might spread infection, such as ransomware

Step 4: Preserve evidence for investigation

For example:

  • capture volatile data (memory images, running processes, network connections, logged-on users) before restarting systems, and copy logs from the affected systems and from central logging
  • save relevant emails, alerts, or error messages
  • label and store any devices removed from service, using a write blocker when imaging or examining storage media, and keep a chain-of-custody record of who handled each item and when

Step 5: Communicate internally and externally

Alert the SLT digital lead and cyber recovery team of the containment actions taken.

Prepare updates for SLT and external stakeholders (such as the local authority, DfE, NCSC and the police if required).

You can use our communication templates to help.

Do not:

  • shut down affected systems straight away unless you need to prevent immediate critical impact
  • wipe or reimage systems before you have captured evidence
  • discuss containment actions with unauthorised staff or third parties

Only take these actions if a specialist or playbook tells you to.

Record keeping

Use our incident recovery event recording form to document all events throughout your cyber response. Make sure to record:

  • systems and users affected
  • timestamps of when containment was initiated and completed
  • specific actions taken and by whom, including commands used, services stopped and accounts locked
  • any evidence preserved and how

You will need this information later to analyse the incident.
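The following is an added example, not part of this guidance or of any form it refers to. It shows steps 1 to 4 and the record keeping above as code: scoping the affected hosts and accounts from log lines, then keeping a timestamped record of every containment action that refuses to log a reboot, reimage or wipe of a host until an evidence capture for that host has been recorded first. The log format, hostnames, user names, IP addresses, the incident reference INC-0001, the evidence paths and the specific commands (AVML for memory capture, Disable-ADAccount, iptables) are assumptions made for the example.

```python
"""Scope an incident from log lines and keep an ordered record of containment actions.

Added example for this guidance page; not part of the original. Hostnames, users,
IP addresses, the log format and the commands in run_example() are constructed.
"""
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
import json
import re

# Constructed sample log lines in a simple key=value format (not any real product's format).
SAMPLE_LOGS = [
    "2024-03-04T08:12:01Z host=mis-app01 user=j.smith src=203.0.113.45 event=logon result=success",
    "2024-03-04T08:12:40Z host=mis-app01 user=j.smith src=203.0.113.45 event=share_access result=success",
    "2024-03-04T08:13:02Z host=staff-lt17 user=j.smith src=10.20.5.17 event=logon result=success",
    "2024-03-04T08:15:30Z host=learn-web02 user=svc_backup src=203.0.113.45 event=logon result=failure",
    "2024-03-04T08:16:11Z host=learn-web02 user=a.jones src=10.20.5.40 event=logon result=success",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scope_incident(lines, indicator_ips):
    """Step 1: work out which hosts and accounts the indicator IPs touched.

    A host is in scope if an indicator IP contacted it at all (a failed logon still
    means the attacker reached it). An account is treated as compromised if it logged
    on successfully from an indicator IP. Then pivot once: any host where a
    compromised account logged on successfully, from any address, is also in scope.
    """
    events = [e for e in map(parse_line, lines) if e]
    hosts, users = set(), set()
    for e in events:
        if e["src"] in indicator_ips:
            hosts.add(e["host"])
            if e["result"] == "success":
                users.add(e["user"])
    for e in events:
        if e["user"] in users and e["result"] == "success":
            hosts.add(e["host"])
    return sorted(hosts), sorted(users)


DESTRUCTIVE = {"reboot", "reimage", "wipe"}  # actions that lose volatile evidence


@dataclass
class Action:
    when: str      # UTC timestamp, ISO 8601
    actor: str     # who carried it out
    kind: str      # evidence, isolate, disable_account, revoke_token, block, note, reboot, reimage, wipe
    target: str    # host or account
    command: str   # exact command run, or the manual step taken
    note: str = ""


class ContainmentLog:
    """Record of containment actions for one incident. Refuses to record an
    evidence-destroying action on a host until an evidence capture for it exists."""

    def __init__(self, incident_id, clock=None):
        self.incident_id = incident_id
        self.actions = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def evidence_captured(self, target):
        return any(a.kind == "evidence" and a.target == target for a in self.actions)

    def record(self, actor, kind, target, command, note=""):
        if kind in DESTRUCTIVE and not self.evidence_captured(target):
            raise PermissionError(f"refusing '{kind}' on {target}: no evidence capture recorded for it yet")
        action = Action(self._clock().isoformat(timespec="seconds"), actor, kind, target, command, note)
        self.actions.append(action)
        return action

    def to_jsonl(self):
        """One JSON object per line, ready to paste into the event recording form."""
        return "\n".join(json.dumps(asdict(a)) for a in self.actions)


def run_example(clock=None):
    """Walk steps 1 to 4 against the constructed logs and return the resulting record."""
    hosts, users = scope_incident(SAMPLE_LOGS, {"203.0.113.45"})
    log = ContainmentLog("INC-0001", clock)  # hypothetical incident reference
    op = "it.support"
    # Step 4 comes first for the main affected host: capture memory before touching it.
    # AVML and the evidence path are assumptions for the example.
    log.record(op, "evidence", "mis-app01", "avml /mnt/evidence/mis-app01.lime",
               note="memory image; sha256 written on the evidence label")
    # Step 2: disable compromised accounts and isolate affected devices (do not power off).
    for user in users:
        log.record(op, "disable_account", user, f"Disable-ADAccount -Identity {user}")
    for host in hosts:
        log.record(op, "isolate", host, "switch port shut / Wi-Fi disassociated", note="manual")
    # Step 3: block the indicator IP at the perimeter.
    log.record(op, "block", "edge-fw", "iptables -I FORWARD -s 203.0.113.45 -j DROP")
    # A reimage of a host with no evidence capture is refused, and the refusal is itself recorded.
    try:
        log.record(op, "reimage", "learn-web02", "reimage via deployment server")
    except PermissionError as err:
        log.record(op, "note", "learn-web02", "none", note=str(err))
    return log


if __name__ == "__main__":
    print(run_example().to_jsonl())
```

The ordering check is the point of the example: the same log that satisfies the record keeping fields (affected systems and users, timestamps, actor, commands, evidence) also enforces the "do not wipe or reimage before capturing evidence" rule, so a rushed reimage cannot be recorded as done without a memory capture for that host appearing earlier in the record.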