Incident response process

Triage and analysis

Triage is the first step in managing a cyber security incident. Its purpose is to quickly assess the nature, scope and potential impact of an incident to determine the appropriate response and escalation path.

Analysis is the ongoing information collection and assessment that may be reviewed throughout the incident process.

After the quick assessment in the detection and reporting stage, you now need to collect and analyse further information.

Triage helps to:

  • distinguish between routine IT issues and genuine cyber security incidents
  • classify the type of incident where possible, for example phishing, ransomware or data breach
  • prioritise the response based on urgency and potential impact
  • identify if the incident requires immediate action
  • activate the plan and the most appropriate playbook if possible

You should treat every unusual event as a potential cyber security incident until assessed.

Triage questions

You should ask the following triage questions:

  1. What was observed or reported? This helps you understand the symptom: for example, a pop-up, missing files or suspicious emails
  2. When did it occur? This helps to determine urgency and scope
  3. Who is affected? This helps identify scope – is it one user, multiple users, or the whole system?
  4. What systems or data are involved? Is sensitive information or a critical service at risk?
  5. Is it a known threat type? Begin classifying the incident so you can follow the appropriate guidance

Use your answers to determine if the issue is a:

  • cyber attack
  • accident
  • IT issue
  • false alarm

Identify the incident type

Identifying an incident type is important but may need to be deferred or revised at a later stage. Conduct a root-cause analysis if you have access to an IT support team with cyber security expertise.

Root-cause analysis is a process used to identify the root causes of security incidents, looking beyond the immediate symptoms. It aims to uncover the vulnerabilities and underlying issues that led to a breach or attack, allowing for targeted remediation and preventing future incidents. Schools without extensive IT support or other cyber security resources may still be able to do some investigation. You also have the option to bring in external parties to help, such as the support available through the RPA.

Severity rating (initial)

Assign a priority level based on impact and urgency. This informs escalation and helps activate the correct response team or external partner, such as your local authority, IT provider or the NCSC.

Action decision and next steps

If you confirm an incident, carry out your cyber response plan and follow the relevant playbook (if applicable) to begin responding.

If it’s unclear whether you have an incident, the SLT digital lead should escalate to the SLT and initiate further investigation by the cyber recovery team, particularly IT support.

If it is a high severity incident, it may be necessary and appropriate to bring in external support.

If it is not a security incident, you should record and close with appropriate notes.

Triage decisions should always be logged, even when the event is deemed not to be an incident. This will help support future improvements and audits.

Who does what at this stage

  • SLT digital lead coordinates initial triage and decides on escalation
  • IT support staff provide technical evidence and system logs
  • SLT, headteacher or principal are informed about high-severity incidents
  • data protection officer assesses data protection implications

All roles should be given instructions and have access to the cyber response plan, even if IT systems are down.