Cyber Incident Response Planner
Free planning tool for UK schools and colleges. Build a school-specific Cyber Incident Response Plan, mapped to NCSC, DfE and Ofsted guidance.
Takes around 15–25 minutes · readiness check · 10-section plan builder
ℹ️ Police CyberAlarm: registrations remain open and vulnerability scanning is available — registering still satisfies the RPA cyber cover condition.
Only the on-network data collector is currently paused for new installations during a planned transition period — the rest of the service continues as usual. If you're unsure about your specific position, your local Regional Organised Crime Unit (ROCU) Cyber PROTECT team can advise free of charge, or contact the RPA at RPA.DFE@education.gov.uk. The full registration page is at cyberalarm.police.uk.
The four RPA cyber cover conditions: PCA registration, offline backups, annual NCSC cyber security training for all staff and governors with system access, and a documented Cyber Response Plan (which this tool helps you build).
💾 Cloud MIS / SaaS: do you hold your own copy of the data? If your MIS or pupil-data SaaS is supplier-hosted, you remain the data controller under UK GDPR.
When your MIS (Arbor, SIMS Cloud, Bromcom, iSAMS, Engage, ScholarPack) or other school-data SaaS (CPOMS, MyConcern, ParentPay, M365) is hosted by the supplier, you are still the data controller and they are the data processor. Best practice: request and store a current export of your school's data termly, separate from the supplier's environment. If they suffer a breach, fold, or you need to migrate, you can act independently — without waiting for the supplier's recovery timeline or commercial co-operation.
Most schools never test this until it's too late. The Critical systems & impact section in the Plan Builder includes a "Last data export from supplier" field for each system; the SaaS supplier incident playbook walks the response when a supplier-hosted system is breached; the Tabletop scenario F tests this against a cloud / ransomcloud incident.
Why this matters in practice: if Arbor (or your MIS supplier) suffers a serious breach, the 72-hour ICO notification clock falls on you, not them. Without your own data copy, you can't quickly answer "what data was held?", brief parents under UK GDPR Article 34, or maintain operational continuity. Add the termly data-export task to your annual cyber calendar (Plan section 12.1).
Readiness check
Twelve questions on the current state of your incident response capability. Each maps to NCSC guidance, the DfE Digital Standards 2030, and the DfE RPA cyber cover requirements.
📋 Prioritised Action Plan
Auto-generated from your readiness check. Lists every red and amber item, ordered by priority, with the suggested next-step action and the framework it maps to.
Designed to be printed, taken into an SLT or IT planning meeting, and used to assign owners and target dates by hand. The tool deliberately doesn't ask you to enter owners and dates here — that work happens in your normal action tracker, not in another web form.
💡 For a print-quality PDF: use Export to Word, then in Word / LibreOffice / Google Docs choose File → Save as PDF.
Plan builder
Work through each section to build your school's Cyber Incident Response Plan. You can save your progress to a file at any time and continue later. Empty fields will appear as "to be completed" in the final plan — useful as a working draft.
Your Cyber Incident Response Plan
Use the table of contents on the left to jump to any section. Print it as a hard copy to keep alongside your business continuity documentation (recommended by NCSC and DfE). You can also save the working data file to re-edit later.
💡 For a print-quality PDF: use Export to Word, then in Word / LibreOffice / Google Docs choose File → Save as PDF. Tables, page breaks and typography come out far cleaner than browser print.
🚨 First 30 Minutes — Rapid Response Card
A one-page printable card for the moment an incident starts. Print it, laminate it if you can, and put copies by the headteacher's office, in the network/server room, and in the bursar's drawer. The full plan is for governance and assurance — this card is for the first 30 minutes, when nobody has time to read 12 sections.
Auto-populated from the contacts you've entered in the Plan Builder. If contacts are missing, the card will say [not set] — fill them in via the Plan Builder and come back here to print.
Opens your browser's print dialog — choose your physical printer (A4 portrait, single page) to print and laminate. For the cleanest output: expand "More settings" in the print dialog and uncheck "Headers and footers" to hide the browser-added URL strip.
Governor / Trustee Report
A one-page, plain-English summary of cyber response readiness designed for governing body and trustee meetings. Helps demonstrate assurance against the Ofsted "How do you assure yourselves..." line of questioning during inspection.
Best practice: ensure this report is minuted — Ofsted inspectors will look for evidence that cyber assurance has taken place at governor level.
Changelog
What's changed in the Cyber Incident Response Planner. Most recent first.
Version 1.7.0 — 10 May 2026
Asset register & Business Impact Analysis, SaaS-supplier-incident playbook, annual cyber calendar, NCSC Cyber Assessment Framework (CAF) alignment, and a security hardening pass. The biggest single feature release since launch — closes the largest gap against sector frameworks (no asset register before; that's table-stakes for NCSC, CAF and RPA), adds a playbook for the realistic Tuesday-morning case where the school's MIS or finance supplier has a breach, and gives schools a single-page rhythm to follow between incidents.
Asset register & Business Impact Analysis (new Plan Builder section 8)
- New "Critical systems & impact" section between Communications and Recovery in the Plan Builder. Captures the school's asset register and a quick BIA in one place.
- Pre-populated rows for the most common school systems: MIS, email, safeguarding, finance/payroll, parent comms/payments, network & wifi, telephony. User adds supplier name, what data it holds, hosting type (SaaS / on-prem / hybrid), recovery time objective (<1h to >1w), recovery priority (1–4), and supplier incident contact.
- SaaS data-controller framing — the section opens with a callout reminding users that even when a SaaS supplier (Arbor, SIMS, Bromcom, ParentPay, CPOMS, M365, Google Workspace) hosts the data, the school remains the data controller under UK GDPR. The asset register exists partly to make this explicit, system-by-system.
- BIA narrative textarea — a short story for governors and insurers explaining how extended loss of these systems would affect teaching, finance, safeguarding and reputation.
- Plan output renders as section 9 with a structured asset-register table plus the BIA narrative; downstream sections renumbered (Recovery 9→10, Post-incident review 10→11, Plan maintenance 11→12, Mapping to standards 12→13).
- Old "Critical systems inventory" subsection in Recovery replaced with a callout pointing users to the new richer Assets section — old saved JSON files still load cleanly via schema-strict `deepMergeSchema`.
- "Last data export held by school" field added to every asset row. Captures the date of the school's most recent off-supplier copy of the data — critical for SaaS-hosted systems where the school is the data controller but doesn't own the storage. Renders as a column in the Plan output's asset register table. Most schools never test this until it's too late.
- Termly data-export task added to the annual cyber calendar (section 12.1) — "request and store off-supplier data export from each SaaS-hosted critical system and update the asset register". Owner is IT lead + DPO since this is a UK GDPR data-controller responsibility.
- Homepage callout on Cloud MIS / SaaS data-controller framing. Sits directly below the Police CyberAlarm callout, with the same compact-expandable pattern. Names the common school MIS products (Arbor, SIMS Cloud, Bromcom, iSAMS, Engage, ScholarPack) and pupil-data SaaS products (CPOMS, MyConcern, ParentPay, M365). Inline links jump to the asset register, SaaS supplier playbook and Tabletop F.
New tabletop scenario — cloud / ransomcloud (Example F)
- Sixth tabletop scenario added covering an MFA-fatigue attack that escalates into ransomcloud — OAuth consent phishing leading to mass file encryption via the Microsoft Graph API plus data exfiltration extortion. There's no server to take offline; recovery happens entirely cloud-side via SharePoint version history, OneDrive recycle bin and Conditional Access policy tightening.
- Tests the new sections specifically — the asset register (where is M365 listed? what RTO?), the SaaS supplier playbook (Microsoft as data processor; school as data controller), the SaaS-data-controller framing under UK GDPR, parent comms when email is the compromised channel, and cloud retention windows that schools rarely test.
SaaS supplier incident playbook (new, 7th playbook)
- "SaaS supplier incident (Arbor / SIMS / Bromcom / ParentPay / CPOMS / M365 etc.)" — the realistic case where the school's data is held by a SaaS supplier and the supplier suffers the breach. Most schools assume "the supplier handles it"; under UK GDPR the school is the data controller and the 72-hour ICO clock falls on them, not the supplier. This playbook is the gap a DPO most often flags in a breach review.
- Whole-flow template covering: supplier verification (avoiding phishing-pretending-to-be-supplier), initial scoping of school's data affected, ICO notifiability assessment under Article 33, parent/staff notification under Article 34 (which the supplier's notification doesn't satisfy), exercising contractual right to a copy of the data, manual fallback for service degradation, and post-incident commercial review.
- Linked from the new Asset register — each system listed is implicitly an instance of this playbook's scope.
Annual cyber security calendar
- New subsection 12.1 in the printed plan — a six-row reference table showing daily / weekly / monthly / termly / annual / triggered activities with typical owners. The rhythm of activities that keeps the plan current and the school's cyber posture maintained between incidents.
- Static reference content — no input fields. Schools can mark up the printed copy with their own owners and dates.
NCSC Cyber Assessment Framework (CAF) alignment
- New CAF block on the About page Frameworks section — explains that schools aren't directly assessed under CAF (NIS Regulations don't apply to schools) but UK local authorities are increasingly piloting CAF as a voluntary cyber resilience baseline. Honest framing: the tool aligns with CAF Objectives A (Managing security risk — section 9 asset register), C (Detecting events — sections 4–6) and D (Minimising impact — sections 7–11). No claim of CAF compliance — that's an organisational assessment, not a tool stamp.
- CAF row added to the Plan output's standards-mapping table, alongside NCSC, DfE Standards 2030, RPA, Ofsted, UK GDPR, Cyber Essentials.
Security hardening — domain-abuse mitigation
- New `SECURITY.md` with full threat model, including the GitHub-Pages domain-abuse vector (someone spreading fake URLs of the form `cmaddocks-uk.github.io/cyber-response/powerautomate/...`). Documents what the tool defends against, what it doesn't, and what to do if a suspicious URL using this domain reaches you.
- New `robots.txt` disallows search-engine indexing of common abuse paths (`/powerautomate/`, `/api/`, `/webhook/`, `/auth/`, `/payment/`, etc.) so fake URLs don't get amplified by search results.
- 404 page already disclaims Power Automate / webhook / payment / OAuth endpoints by name — unchanged in this release but documented in `SECURITY.md`.
- No CSP changes. The tool's CSP was already `default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none';` — effectively a deny-by-default posture that any new attack surface would need to break first.
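The CSP string quoted above names `frame-ancestors`, `form-action` and `base-uri` separately because those three directives do not inherit from `default-src`. The audit below is an added example, not the tool's own code: it parses a policy and reports what is left unset or opened. The second policy is constructed from the v1.1.9 font allowances plus a placeholder analytics host (`https://stats.example`), which is an assumption.

```javascript
// Directives that never fall back to default-src; each must be set explicitly.
const NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"];

// Fetch directives with their fallback chains, each ending at default-src.
const FALLBACK = {
  "script-src": ["default-src"],
  "style-src": ["default-src"],
  "img-src": ["default-src"],
  "connect-src": ["default-src"],
  "font-src": ["default-src"],
  "media-src": ["default-src"],
  "object-src": ["default-src"],
  "manifest-src": ["default-src"],
  "child-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Split a policy into directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that actually governs a fetch directive, or null if nothing does.
function effectiveSources(directives, name) {
  for (const candidate of [name, ...(FALLBACK[name] || [])]) {
    if (directives.has(candidate)) return directives.get(candidate);
  }
  return null;
}

// An empty source list and a lone 'none' both match nothing.
function isNone(sources) {
  if (sources === null) return false;
  return sources.length === 0 ||
    (sources.length === 1 && sources[0].toLowerCase() === "'none'");
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const opened = {};
  for (const name of Object.keys(FALLBACK)) {
    const src = effectiveSources(d, name);
    if (!isNone(src)) opened[name] = src === null ? ["*"] : src;
  }
  return {
    denyByDefault: d.has("default-src") && isNone(d.get("default-src")),
    unset: NO_FALLBACK.filter((n) => !d.has(n)), // unrestricted when absent
    opened, // fetch directives that allow at least one source
  };
}

// Policy string as quoted in the v1.7.0 notes.
const QUOTED_POLICY =
  "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none';";

// Constructed sample: quoted policy plus font allowances and a placeholder host.
const CONSTRUCTED_POLICY =
  "default-src 'none'; style-src 'self' https://fonts.googleapis.com; " +
  "font-src https://fonts.gstatic.com; connect-src https://stats.example; " +
  "frame-ancestors 'none'; form-action 'none'; base-uri 'none'";

console.log(auditCsp(QUOTED_POLICY));
console.log(auditCsp(CONSTRUCTED_POLICY));
console.log(auditCsp("default-src 'none'")); // all three NO_FALLBACK entries unset
```
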
Why a minor version bump (v1.7.0): three substantial new features (Assets section, SaaS playbook, calendar) and a new framework alignment (CAF) plus security hardening. The biggest single release since launch — would be a major bump if this were a paid product, but the API and saved-plan format are backwards-compatible, so semver-minor is correct.
Version 1.6.0 — 8 May 2026
Word / LibreOffice export and a print-pagination overhaul. Two related improvements that landed together: a long-standing print bug where content was clipped at page boundaries, and a new export route for users who want to edit the generated documents in Word (or LibreOffice / OpenOffice / Google Docs) before printing.
Print pagination — root-cause fix
- Replaced the `position:fixed` footer band with `@page` margin boxes. The old footer sat at `bottom:0` of the page area — but in CSS paged media, fixed elements don't reserve layout space, so content always overlapped the last few millimetres. The footer now lives in `@bottom-left` / `@bottom-right` margin boxes which are part of the `@page` margin itself, and content cannot bleed into them. The `beforeprint` handler injects a fresh `<style>` tag with the school name + doc name + URL + version baked into the margin-box `content:` properties.
- Stronger page-break rules. `thead` now glued to its first body row (was being orphaned at page bottoms — e.g. the Severity table on the Plan output). `break-inside:avoid` extended to all heading levels (was only h1–h4). `orphans:3; widows:3` applied to paragraphs, list items and table cells to prevent stranded one- or two-line widows.
- Action Plan thead readable in print. The on-screen white-on-navy header was rendering white-on-white in PDFs because browsers strip backgrounds by default. Forced a light-grey background with dark text via `print-color-adjust:exact` — targets every descendant of `thead` so inline `color:#fff` on the row gets fully overridden.
- Governor Questions panel keeps its box across page breaks. The panel's blue-tinted background and border now print on continuation pages too, so items 4–12 stay visually inside the same panel as items 1–3.
Word / LibreOffice export
- New `📄 Export to Word` button on Plan output, Governor Report, Action Plan and Tabletop Summary tabs.
- HTML-as-`.doc` approach. The export wraps the document HTML in MS-Office namespace declarations and serves it as `application/msword`. Opens cleanly in Microsoft Word, LibreOffice Writer, OpenOffice Writer and Google Docs as a fully editable document — users can fill in Owner / Target date / Status columns electronically, add their own notes, save as `.docx` or `.odt`.
- Zero dependencies, no CSP changes. Considered `docx.js` for true `.docx` output but rejected for the same reasons as `jsPDF`: ~150 KB of bundle, CSP relaxation, and we'd have to re-implement the print CSS as Word styling. The HTML-as-`.doc` route is good enough for the realistic use case (editing a school-specific plan) and ships in roughly 80 lines of vanilla JS.
- Sensible filenames. Auto-generated as `{School Name} - {Doc Name} - {YYYY-MM-DD}.doc`, with the school name sanitised to filesystem-safe characters.
- CSS variables resolved before serialisation. `var(--navy)` etc. are converted to literal hex values during export — Word's HTML renderer can't compute custom properties.
Why a minor version bump (v1.6.0): Word export is a substantial new feature, not a fix. The print pagination work is technically a defect fix (would normally be v1.5.1) but it ships in the same release because both touch the same area of the code — the print/output layer.
Version 1.5.0 — 8 May 2026
Cyber Essentials integration. The DfE Cyber Security Hub describes Cyber Essentials as a scheme designed "to prevent the most common internet-based cyber incidents." This release adds explainer content and a status field so schools can record their CE position alongside the response plan — CE is the prevention side; this tool covers the response side.
- "Beyond this tool: Cyber Essentials" card on the About page covering: what CE is, the five technical controls (firewalls, secure configuration, user access control, malware protection, security update management), CE vs CE Plus, the IASME assessment route, why it matters for UK schools (RPA, DfE Standards 2030, procurement), and where to start. Mirrors the DfE Hub's phrasing ("certification scheme created by the NCSC") for sector consistency.
- Cyber Essentials status field added to the Plan Builder → School details (dropdown: Not started / Working towards / Cyber Essentials / Cyber Essentials Plus). Surfaces in the printable plan output's header next to the other plan metadata.
- Cyber Essentials Plus 3-month deadline tracking. A new "CE certification date" field sits next to the status dropdown. When status is "Cyber Essentials" and a date is set, the plan output auto-calculates and surfaces the CE Plus deadline (cert date + 3 months) with a colour-coded urgency flag — green if comfortably ahead, amber under 4 weeks. Mirrors IASME's rule that CE Plus must be achieved within 3 months of CE certification on the same scope, otherwise the school must recertify CE first. The "Two tiers" panel on the About page now calls out this 3-month rule prominently.
- Annual renewal reminder. CE and CE Plus both expire 12 months after certification. The same date logic now also flags "annual renewal due [date] (X days remaining)" when the cert is approaching expiry — amber under 60 days, red under 28 days, and a stronger "renewal expired N days ago — recertify now" message once it's past the 12-month mark. Quiet otherwise, so it doesn't add noise outside the renewal window.
- Governor Report CE meta. The Governor / Trustee Report header now surfaces CE status (and any active deadline) alongside the readiness percentage — useful when governors are asking "are we Cyber Essentials yet?" at meetings, and as visible cyber-assurance evidence during inspection.
- State-aware Cyber Essentials governor question. The "Questions Governors Should Ask at the Next Meeting" panel now prepends a CE-specific assurance question whenever attention is warranted — tailored to the school's current state. Five branches: not-yet-certified ("clear plan and named owner?"), status-set-but-no-date ("how is the renewal cycle being tracked?"), lapsed certification ("why has it lapsed?"), renewal approaching within 60 days ("how is on-time renewal being assured?"), and the 3-month CE Plus window ("how is CE Plus being progressed?"). Stays silent when CE is comfortably in good standing — no noise.
- CE in suggested meeting minutes wording. The "For the meeting minutes" suggested wording now optionally mentions Cyber Essentials status (and cert date if recorded) when relevant — making CE governance evidence concrete in inspection-ready minute language.
- Homepage CE signposting. A new `🔐 Cyber Essentials ↗` link in the home page status bar (alongside DfE Standards / NCSC / DfE Cyber Hub), and a one-line mention in the frameworks-panel footer pointing readers to CE for "the prevention side" alongside the four mapped frameworks.
- Readiness check Q11 (MFA) tagged with CE — the only direct map between the existing readiness questions and the five CE controls (User access control). Honest minimal tagging: trying to force more CE tags onto incident-response questions would be misleading, since CE is preventative posture and the readiness check is response posture.
- New `pill-ce` framework badge style (cyan/teal). Used in readiness question framework tags. Click-through goes to the NCSC Cyber Essentials overview.
- No CSP changes required. All CE references are external `<a href>` links to NCSC, IASME and the DfE Cyber Security Hub.
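The Cyber Essentials date rules listed in this release (CE Plus due 3 months after the CE certificate, amber under 4 weeks; annual renewal amber under 60 days, red under 28 days, expired after 12 months) can be expressed as follows. This is an added example, not the tool's own code: the function names, the end-of-month clamping and the `missed` flag for a lapsed CE Plus window are assumptions.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Add calendar months in UTC, clamping to the last day of the target month
// (30 Nov + 3 months gives 28 Feb rather than rolling into March).
function addMonthsUtc(date, months) {
  const y = date.getUTCFullYear();
  const m = date.getUTCMonth() + months;
  const lastDay = new Date(Date.UTC(y, m + 1, 0)).getUTCDate();
  return new Date(Date.UTC(y, m, Math.min(date.getUTCDate(), lastDay)));
}

const isoDate = (d) => d.toISOString().slice(0, 10);
const daysUntil = (from, to) => Math.round((to - from) / DAY_MS);

// status: one of the dropdown values named in the release notes.
// certIso / todayIso: "YYYY-MM-DD" strings, compared as UTC dates.
function ceDeadlines(status, certIso, todayIso) {
  const result = { cePlus: null, renewal: null };
  const certified = status === "Cyber Essentials" || status === "Cyber Essentials Plus";
  if (!certified || !/^\d{4}-\d{2}-\d{2}$/.test(certIso || "")) return result;

  const cert = new Date(certIso + "T00:00:00Z");
  const today = new Date(todayIso + "T00:00:00Z");
  if (Number.isNaN(cert.getTime()) || Number.isNaN(today.getTime())) return result;

  // CE Plus window applies only while the school holds plain CE.
  if (status === "Cyber Essentials") {
    const deadline = addMonthsUtc(cert, 3);
    const daysLeft = daysUntil(today, deadline);
    // "missed" is an assumed label; the notes only say CE must be recertified first.
    const flag = daysLeft < 0 ? "missed" : daysLeft < 28 ? "amber" : "green";
    result.cePlus = { deadline: isoDate(deadline), daysLeft, flag };
  }

  // Both tiers expire 12 months after certification; quiet (null) outside the window.
  const due = addMonthsUtc(cert, 12);
  const daysLeft = daysUntil(today, due);
  let flag = null;
  if (daysLeft < 0) flag = "expired";
  else if (daysLeft < 28) flag = "red";
  else if (daysLeft < 60) flag = "amber";
  result.renewal = { due: isoDate(due), daysLeft, flag };
  return result;
}

// Constructed sample dates.
console.log(ceDeadlines("Cyber Essentials", "2026-01-15", "2026-03-25"));
console.log(ceDeadlines("Cyber Essentials Plus", "2025-06-01", "2026-05-10"));
```
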
Why a minor version bump (v1.5.0): this adds a new framework category alongside existing NCSC / DfE / RPA / Ofsted mappings. Honest scope: signposting + meta-field, not a full CE assessment tool — schools should use IASME's official questionnaire for the actual certification.
Version 1.4.0 — 8 May 2026
Tabletop Exercise mode added. A new tab between Plan Builder and Your Plan that walks the user's plan through a real ransomware case study from the DfE Cyber Security Hub, step-by-step, surfacing the relevant fields from their own plan at every step. The summary doubles as evidence of plan testing under RPA cyber cover requirements.
- Five example scenarios shipped at launch, all fully fictional, illustrative example scenarios covering different incident types so each tabletop tests different parts of the plan: (A) trust-wide ransomware across a mid-sized MAT, (B) single-trust ransomware with double extortion and data exfiltration, (C) business email compromise / invoice-redirection fraud, (D) account compromise via phishing — the standard precursor to ransomware, and (E) insider threat: a leaver with retained access who inappropriately accessed safeguarding records. Scenarios reference no specific school or trust — figures are illustrative ranges only, source links go to the DfE Cyber Security Hub root for sector context, and an explicit disclaimer sits on the selection screen.
- Plain-English plan-field labels. The runner and summary surface plan fields by their human-readable label ("Incident Lead — name", "Authority to take systems offline", "Recovery Time Objective (RTO)") rather than the technical dot-paths (`plan.team.leadName` etc.). A new `PLAN_FIELD_LABELS` dictionary maps each path to a friendly label, with a helper `planFieldLabel()` that falls back to the path for any field not yet registered.
- Seven steps per scenario. Each step has a real-time narrative ("Day 1, 06:30 — a network admin spots ransomware files..."), a question ("Who is the first responder per your plan? What's their immediate action?"), the scenario time stamp, and an auto-surfaced list of the user's plan fields that should answer it. Blank fields render as "⚠ gap in your plan" in red; populated fields show the captured value in green.
- Free-text answer per step — the user's team captures what they would actually do at this step. Saved to `state.tabletop.scenarioAnswers` via sessionStorage like the rest of the tool, and persisted across the JSON save/load via the existing schema-driven `deepMergeSchema`.
- Printable summary at the end with a gap report (every plan field the scenario surfaced that the user has left blank), all step-by-step responses, and a clear "this is your evidence of testing" footer for retention with incident response documentation.
- Re-run / view-summary controls on the selection screen for completed scenarios, with the completion date stamped on each card.
- Print footer extended — the per-page footer band now identifies the document as "Tabletop Exercise Summary" or "Prioritised Action Plan" when those tabs are printed (previously only Plan, First 30 Minutes and Governor Report were named).
- No CSP changes required. All data is local; the only external references are anchor links to the DfE Hub case study source URLs.
Why a minor version bump (v1.4.0): this is a substantial new feature, not a fix. Continues the post-launch feature-additions line begun in v1.2.0 and extended in v1.3.0.
Version 1.3.0 — 7 May 2026
DfE Cyber Security Hub integration. The Department for Education launched its Cyber Security Hub for schools — incident response playbooks, planning templates, case studies and the published 8-phase incident response process. This release positions the Cyber Incident Response Planner as the operational planning layer that complements the Hub.
- Playbook deep-links to the DfE Hub. Where the Hub publishes a relevant playbook, the corresponding playbook in this tool now signposts directly to it. Ransomware → the Hub's ransomware playbook and published case studies. Account compromise and Phishing → business email compromise playbook. Personal data breach → extortion via AI playbook for the data-leverage scenario.
- DfE Cyber Security Hub added as a fifth mapped framework across the home page status bar, the About page Frameworks section, the Sources & further reading list, and the Plan output's standards-mapping table. The home page Sources Verified date stamp will be bumped at the next quarterly review.
- Sector-context case-study references. The DfE Cyber Security Hub's published 2024 ransomware case studies — documenting recovery costs, staff hours, response durations and data exfiltration scale across UK education incidents — are referenced from the ransomware playbook's "Why this matters" callout for sector-relevant context. Specific schools and trusts are not named in this tool; readers can see the published material directly on the Hub.
- No CSP changes required. All new references are external `<a href>` links to `cyber-security-hub.education.gov.uk`; the Content Security Policy still locks remote scripts and fetch / XHR to the GoatCounter analytics endpoint only.
Why a minor version bump (v1.3.0): this is a content addition that materially changes how the tool positions itself against the new DfE resource — the tool now interoperates with the Hub's playbooks rather than duplicating them. Continues the post-launch feature-additions line begun in v1.2.0.
Version 1.2.0 — 30 April 2026
Prioritised Action Plan tab added. The missing functional layer between "we identified the gaps" (readiness check) and "we have a plan for incidents" (plan builder).
- Auto-generated from the readiness check. Every red and amber question becomes a row in a printable table, ordered by priority (red first, then amber).
- Each row shows: the area name, plain-English description, the recommended action for the user's current score, and the framework(s) it maps to.
- Three blank columns — Owner, Target date, Status — deliberately left empty for the user to fill in by hand on the printed copy. The tool doesn't ask the user to enter owners and dates here because that work belongs in their normal action tracker, not in another web form.
- Suggested timescales footer based on RPA/NCSC guidance: red items within one term, amber items within the academic year.
- Empty states for "readiness check not yet started" and "all green — nothing outstanding" handled cleanly so the printed page never looks broken.
- Surfaced from the home page as a "🎯 Prioritised action plan" CTA, and from the Governor Report's "For SLT" next-step ("Review the Prioritised Action Plan...").
- Inherits the v1.1.7–v1.1.11 print polish — Inter typography, footer band on every page, sensible page breaks, browser-header suppression.
Why a minor version bump (v1.2.0): this is a new feature, not a fix. v1.1.x is the consolidated launch line; v1.2.0 starts the post-launch feature-additions line.
Version 1.1.11 — 30 April 2026
- Header brand and tabs back on a single row. Since v1.1.0 the addition of the "First 30 Minutes" tab made the header crowded enough that brand + 8 tabs wrapped onto two rows on most desktops. Slimmed brand text from 14px→13px, tab buttons from 13px→12px and tab padding from 7px×12px→5px×9px so all 8 tabs fit alongside the brand on a single row at 1280px container width. Still wraps gracefully on genuinely narrow viewports (laptops below 1100px or phones).
Version 1.1.10 — 30 April 2026
Reverted two PDF experiments after real-world testing.
- Plan title page removed. The v1.1.9 cover sheet broke in real browsers — the fixed `height:265mm` overflowed the printable area, causing 7 blank pages to be inserted before the actual plan. Removed the entire title-page CSS and HTML; back to a clean printout starting on page 1 with the plan content. A proper title page is doable but needs the height-and-page-break logic to be more robust than my first attempt.
- Restored original centred plan header. The v1.1.8 "compact left-aligned print header" replaced the centred shield + title block to recover space — but on review the original centred header reads better and feels more like a document. Print version now matches the on-screen version, as it always should have.
- All other v1.1.9 work retained: Inter typography, footer band on every printed page, the Governor Report empty-state fix, and the Police CyberAlarm wording corrections all stay.
Lesson logged: print CSS that uses fixed millimetre heights breaks differently across browsers. Future title-page work should use natural content height with explicit page-break-after rather than forced height.
Version 1.1.9 — 30 April 2026
PDF output lifted from "plain printout" to "deliverable document".
- Title page added to the Plan output. A proper cover sheet now opens the PDF/print version: school name as the dominant title, eyebrow label, "CONFIDENTIAL — for internal use only" stamp, document description, metadata table (URN, version, plan date, approver, next review), framework-mapping footer. Forces the actual plan to start on page 2. Hidden on screen — only renders when printing.
- Footer band on every printed page. Bottom of every page now shows: school name, document name (e.g. "Cyber Incident Response Plan"), tool URL, and version. Populated dynamically from the active tab and current school data via a `beforeprint` handler. Browsers repeat the `position:fixed` footer on every printed page (Chrome, Edge, Firefox tested; Safari support partial). Hidden on the title page itself for a cleaner cover.
- Inter typography. Loaded from Google Fonts (weights 400/600/700/800) for crisper, more authoritative typography across both screen and print. System font stack remains as fallback if Google Fonts blocked. Uses Inter's stylistic alternates for a slightly nicer "1", "ß" etc.
- CSP relaxation. `style-src` now allows `https://fonts.googleapis.com`, `font-src` now allows `https://fonts.gstatic.com`. Both are Google Fonts endpoints — widely trusted, cookie-free for the CSS endpoint, no other CSP changes. The strict `connect-src` remains locked to GoatCounter only.
- Footer band leaves room. Bottom page margin increased from 20mm to 22mm so the footer band has breathing room without crowding content.
Version 1.1.8 — 30 April 2026
Print/PDF improvements based on real preview screenshots from Edge.
- Honest print-dialog tip on every print button. Some browsers (Edge, Chrome, Firefox) auto-add their own page header strip with the URL and document title at the top of every printed page, plus a date/page strip at the bottom. The CSS in v1.1.7 attempted to suppress these, but the user can still re-enable them in their print dialog — and many browsers default to having them on. Each print button now has a clear note telling the user to expand "More settings" and uncheck "Headers and footers" for the cleanest output. Honest framing: we can't override the user's browser settings, so we tell them how to.
- Compact print-mode header for the Plan output. Previously the centred shield logo + title + metadata block ate roughly a third of the first printed page. The print version is now left-aligned, smaller, and uses about a tenth of the page, leaving more room for actual plan content. Screen version unchanged.
Version 1.1.7 — 30 April 2026
Print / PDF output polished. When users print or save as PDF, the result now looks more like a professional document and less like a printed web page.
- Browser default headers/footers suppressed. The ugly auto-added page title, URL and date strip at the top and bottom of every printed page now hidden by default. Achieved via `@page` margin-box content overrides — users can still re-enable headers in their browser print dialog if they explicitly want them.
- Better page margins. A4 portrait with 18mm/14mm/20mm/14mm margins for the Governor Report and full Plan output, tighter 10mm for the single-page First 30 Minutes card.
- Cleaner section flow. Cards no longer print as boxed UI elements with shadows and borders — they flow as document sections. Headings get subtle horizontal rules instead, links lose the noisy auto-appended URL.
- Sensible page breaks. Headings can no longer be orphaned at the bottom of a page; list items and table rows can no longer split across pages; major sections in the full plan break onto new pages where it helps readability.
- Empty-state Governor Report. Previously, opening the Governor Report tab before completing the readiness check rendered a half-populated layout with empty placeholder panels — looked broken when printed. Now shows a clean "Readiness check not yet started" message with a clear next-step button (which is hidden on print).
- Edge case fix. If the readiness check is partially complete and all answered questions are currently green, the Governor Questions panel now shows a sensible message ("X of 12 answered, all currently green — complete the rest to surface specific assurance questions") rather than rendering an empty <ol>.
Note: some print details (default browser headers, page numbers in margins) depend on browser and user print-dialog settings. The CSS now signals our preferences strongly, but the user can override them via their print dialog if they wish.
Version 1.1.6 — 29 April 2026
- Fix broken DfE RPA link. The home page framework card and About page links pointed at /guidance/risk-protection-arrangement-rpa-for-schools — this is a 404. The current canonical GOV.UK URL is /guidance/the-risk-protection-arrangement-rpa-for-schools (with the "the-" prefix). All four references in the tool now point at the working URL.
- Dead-code cleanup. Removed unused CSS classes left over from earlier iterations: .home-callout (replaced by .frameworks-panel in v1.1.4), .qblock .tip (refactored away), .callout.note (variant never used), .pill-cyber and .pill-leadership (forked from the Self-Assessment Tool but never used here). Also removed the dead footer selector from the print rule and the obsolete "footer removed" placeholder comment.
Version 1.1.5 — 29 April 2026
- First 30 Minutes card width fix. Previously capped at 1000px and centred, now spans the full container width like the other home/plan blocks. More readable on desktop and removes the awkward floating effect.
- "Download as PDF" button added alongside the existing Print button on the First 30 Minutes tab. Both open the browser's print dialog — the user picks "Save as PDF" or a physical printer in the destination dropdown. The PDF defaults to a sensible filename like Your School — First 30 Minutes — 2026-04-29.pdf.
- No third-party PDF library. Considered jsPDF / html2pdf for a single-click PDF download but rejected: would require relaxing the CSP, ship 50–200 KB of code, and produce lower-fidelity output than the browser's native PDF rendering. Word export deferred for the same reasons until a real user specifically asks for it.
Version 1.1.4 — 29 April 2026
- "Mapped to UK Frameworks" panel on the home page replaces the previous yellow callout. Shows all four frameworks (NCSC, DfE Digital Standards 2030, RPA, Ofsted) as colour-coded cards in a 2×2 grid, each clickable to source guidance. Visually anchors the credibility story instead of burying it in prose.
- "Sources verified" date stamp in the panel header — honest, manually maintained, no false promise of API-driven live updates. Bumped quarterly.
- "A planning tool, not a compliance pass" message preserved as a small footer line under the framework grid — same caveat, less screen real estate.
- Police CyberAlarm banner alignment fix. Previous version was capped at 880px wide and floated centred above the columns; now it spans the same full container width as the hero, the feedback callout and everything else on the home page.
Version 1.1.3 — 29 April 2026
- Dark navy header restored with the slim, sticky tab layout introduced in v1.1.2. White-on-navy brand area, light tab pills, active tab fills white. Combines the visual identity of v1.1.1 with the cleaner spacing of v1.1.2.
- Header strapline broadened to "UK Education Establishments" — previously just "UK Schools & Colleges". The framework mappings (DfE Digital Standards 2030, DfE RPA, Ofsted) remain school-and-college-specific where they apply, but the brand-level positioning now signals that any UK education setting can use the readiness check, plan builder, playbooks and First 30 Minutes card.
Version 1.1.2 — 29 April 2026
- Bug fix — empty card on the Governor Report tab. When the First 30 Minutes section was added in v1.1.0, the Governor Report section's opening <section> tag was inadvertently dropped. The Governor Report card and its container were leaking onto whatever tab was active. Section structure restored. Same class of bug as the v1.5.2 fix — lesson learned.
- Cleaner UI. Replaced the dark navy header bar with a slim, light, sticky top nav. Active tab highlighted in accent blue rather than reverse-coloured. Removed the bottom footer entirely — version pill now lives subtly in the top-left, Changelog and About links are already in the home status bar. More vertical space for content, less visual noise.
Version 1.1.1 — 29 April 2026
Updates following community feedback from Sgt Andy Rawlinson (SEROCU Cyber PROTECT, CISM).
- Police CyberAlarm banner rewritten. Original wording overstated the impact of the transition. Corrected position: PCA registrations are open, vulnerability scanning is available to registered members, and only the on-network data collector is currently paused for new installations. Registration alone still satisfies the RPA cyber cover condition. Banner restyled from amber-warning to informational-blue to match the friendlier reality.
- Action Fraud renamed to Report Fraud throughout. The new service launched on 4 December 2025 (replacing Action Fraud) and went into full public launch in January 2026. The phone number stays the same (0300 123 2040), the URL is now reportfraud.police.uk. Updated everywhere in the tool: readiness questions, action items, plan output, communications templates, playbook citations and the First 30 Minutes card.
Version 1.1.0 — 29 April 2026
"First 30 Minutes" rapid-response card added. A one-page printable card designed to be laminated and pinned by the headteacher's office, in the network room and the bursar's drawer — for use during the actual incident, not for governance.
- Three time-boxed phases (0–5 min, 5–15 min, 15–30 min) with the next actions for each role — first responder, SLT digital lead, incident lead
- Auto-populated from the contacts already entered in the Plan Builder — SLT digital lead, deputy, IT lead, comms lead, DPO, IT support, RPA insurer, broadband supplier. Missing fields show as [not set]
- Critical phone numbers prominent — RPA Cyber Incident 0800 368 6378 and Report Fraud 0300 123 2040 are baked in
- "Do NOT" panel covering the five errors that turn a recoverable incident into a disaster — ransom payment ban (per DfE Academy Trust Handbook 2025), powering off (loses forensics), contact with attackers, comms via compromised email, premature wipe
- Escalation chain panel with the five-step external escalation route (internal → insurer → ICO → Report Fraud → ROCU)
- Optimised print layout — A4 portrait, single page, no awkward breaks. Designed to be readable from across a room when laminated
- New tab between Your Plan and Governor Report; new "🚨 First 30 Minutes card" CTA on the home page
Version 1.0.0 — 28 April 2026
Initial public release. A free, browser-based Cyber Incident Response Planner for UK schools and colleges, mapped to NCSC, DfE Digital Standards 2030, DfE Risk Protection Arrangement and the November 2025 Ofsted Inspection Toolkit.
Readiness & assessment
- 12-question readiness check with four-point RAG scoring and per-question framework tags (NCSC, DfE Digital Standards 2030, DfE RPA, Ofsted)
- Framework tags are clickable and open the source guidance on GOV.UK / NCSC / Ofsted
- Print-friendly readiness report
Plan Builder
- 10-section sequential plan builder — school details, response team, external contacts, severity grading, escalation authority, playbooks, communications, recovery and backups, post-incident review, plan maintenance
- Sticky table of contents and back-to-top button on the generated plan
- Save and reload progress via local JSON file
Six playbooks with real-world context
- Ransomware, personal data breach, account compromise, phishing campaign, denial of service, insider threat
- "Why this matters in UK schools" callout on each, citing authoritative UK sources: NCSC alerts on education-sector ransomware, the 2025 Cyber Security Breaches Survey, the ICO breach reporting service, the regional ROCU Cyber PROTECT Network and the National Crime Agency's Cyber Choices programme
- Fill-in-the-blanks templates with bracketed placeholders for school-specific details — designed to force school-specific thinking rather than producing generic boilerplate
Communications templates
- Sample drafts for parent letters, staff briefings, ICO notifications, governor briefings and the website holding statement
- "Use this draft as a starting point" button for one-click insertion
Governor / Trustee Report
- Plain-English one-page printable summary — readiness % score, RAG breakdown and an overall verdict that adapts to the school's score
- "How do you assure yourselves..." questions for each non-green readiness area, supporting Ofsted-style inspection assurance questioning
- Suggested wording for governor meeting minutes — minuting evidences cyber assurance during inspection
- For SLT / For Governors split in the Recommended Next Steps
Sector context for 2026
- Banner noting the Police CyberAlarm transition period — new installations of the data collector are currently paused. The RPA's cyber cover condition is registration with PCA (which has historically been possible without the collector), so the banner signposts schools to contact RPA.DFE@education.gov.uk directly to confirm the practical position
- RPA framework explainer on the About page references the same 2026 transition note alongside the source guidance link
Privacy & security
- Browser-only — your plan data never leaves your device, and is wiped when you close the tab
- No cookies, no fingerprinting, no advertising trackers. Anonymous page-view counts via GoatCounter (privacy-friendly, GDPR-compliant) so the author can see how the tool is being used — nothing more
- Content Security Policy locks down remote content to only the GoatCounter analytics endpoint — no other remote scripts, fetch / XHR or iframe embedding allowed
- JSON imports validated against schema (blocks prototype pollution, type confusion and DoS via oversized inputs)
- All user input HTML-escaped before rendering; external links use rel="noopener noreferrer"
- Threat model documented in SECURITY.md; automated functional and security test suites in the repo
About the Cyber Incident Response Planner
A free planning tool for UK schools and colleges — helping schools build, test and maintain a working Cyber Incident Response Plan, mapped to NCSC, DfE Digital Standards 2030, DfE Risk Protection Arrangement (RPA) and the Ofsted Inspection Toolkit.
✅ What this tool does
- 12-question readiness check with RAG scoring against four frameworks
- 10-section Plan Builder for a working incident response plan
- Six pre-populated playbooks (ransomware, data breach, account compromise, phishing, denial of service, insider threat)
- Communication templates with sample drafts for parents, staff, ICO and governors
- One-page Governor Report supporting Ofsted assurance questioning
- Sticky table of contents on the generated plan for easy navigation
- Save and reload your progress as a local JSON file
⚠️ What this tool is not
- Not a substitute for NCSC's official incident management guidance
- Not legal, regulatory or insurance advice
- Not a guarantee of compliance with any framework
- Not a replacement for an external incident response retainer
- Not affiliated with the DfE, NCSC, RPA, Ofsted or any government body
Always validate the final plan with your IT support, Data Protection Officer, SLT and governing body before relying on it.
👥 Who is this for?
Any UK state, independent or further education setting that needs to write or review a cyber incident response plan, including:
- Senior leadership team digital leads
- Network managers and in-house IT support staff
- Multi-academy trust IT directors
- Business managers and bursars working on RPA renewals
- Governors and trustees seeking assurance on cyber resilience
- Data Protection Officers reviewing breach response readiness
📚 Frameworks and standards mapped
Each readiness question and plan section is explicitly tagged to the framework(s) it maps against, so schools always know which expectation each part addresses.
The structure of the plan — key contacts, severity grading, categorisation, escalation, playbooks, post-incident review — follows the NCSC's published incident management guidance for organisations of any size.
Read the source guidance →
The Department for Education's hub of incident response playbooks (ransomware, business email compromise, extortion via AI), planning templates, the published 8-phase incident response process, and a sector case-study evidence base. This tool provides the operational planning layer that turns the Hub's templates and playbooks into a school-specific, governor-ready plan.
Read the source guidance →
Readiness questions reflect the DfE's stated expectations on risk assessment, staff training, MFA, response planning, asset registers and patching. One of the six core Digital and Technology Standards UK schools should be working towards by 2030.
Read the source guidance →
Plan structure aligns with the impact assessment, communication templates and recovery event recording required by RPA cyber cover. Schools using RPA can use the generated plan as the working document for their cyber response.
2026 note: Police CyberAlarm registrations remain open and vulnerability scanning is available. Only new on-network data collector installations are paused during a transition period. PCA registration still satisfies the RPA cyber cover condition, and your local ROCU Cyber PROTECT team can advise on the practical position.
Read the source guidance →
Ofsted does not directly inspect cyber security, but several aspects of cyber response intersect with the safeguarding evaluation (Met / Not Met) and leadership and management. The Governor Report uses the Ofsted-style "How do you assure yourselves..." framing for assurance questioning.
Read the source guidance →
CAF is the NCSC's framework for assessing cyber resilience. It was originally built for organisations regulated under the Network and Information Systems (NIS) Regulations — energy, water, transport, health and digital infrastructure. Schools are not in scope of NIS and are not directly assessed under CAF.
Why it matters anyway: NCSC and government departments are now piloting CAF across UK local authorities as a voluntary cyber resilience baseline. Within the next 1–2 years, your LA is likely to be assessed against CAF — and may extend the same expectations to schools they support, fund or insure. Cyber insurers and MAT IT directors increasingly use CAF-style language too.
How this tool aligns: the plan structure, severity grading, escalation, playbooks and post-incident review map directly to CAF Objective C (Detecting cyber security events) and Objective D (Minimising the impact of cyber security incidents). The tool doesn't claim CAF compliance — CAF is an organisational assessment, not a tool stamp — but a school using it has a defensible answer to "how does your incident response align with CAF?"
Read the source guidance →
🔐 Beyond this tool: Cyber Essentials
This tool covers the response side — what to do when a cyber incident happens. The complementary prevention baseline for UK organisations is Cyber Essentials, a certification scheme created by the NCSC and delivered by IASME. The DfE Cyber Security Hub describes it as designed "to prevent the most common internet-based cyber incidents."
- Firewalls and routers — boundary protection from internet-based threats
- Secure configuration — change defaults, harden systems, document the settings
- User access control — user accounts, MFA, separation of admin from user accounts
- Malware protection — antivirus, application allowlisting, controlled installation
- Security update management — patching, end-of-life software handling
Two tiers
- Cyber Essentials — self-assessed via the IASME questionnaire. The starting point for any school.
- Cyber Essentials Plus — the same controls, but independently audited (vulnerability scan and sample audit). Several procurement and funding streams now require Plus.
3-month rule: once you certify Cyber Essentials, you have 3 months to take CE Plus using the same scope of certification. Miss that window and you have to recertify CE first. The Plan Builder records your CE date and surfaces the CE Plus deadline in the printed plan.
Why for schools
- RPA cyber cover increasingly assumes a CE-aligned baseline
- DfE Digital Standards 2030 Cyber Security core standard maps closely to the CE controls
- Procurement & funding streams — some now require CE or CE Plus
- Surfaces hidden gaps — the assessment process catches issues schools didn't know they had
Where to start
Read the NCSC Cyber Essentials overview for what's covered. The IASME assessment portal is where you self-assess and certify. The DfE Cyber Security Hub's CE page is the sector-specific signpost.
A school certified to CE Plus is well-positioned to avoid incidents, but still needs an incident response plan for when one happens. CE and this tool are complementary — not alternatives.
🔒 Privacy
- No server. The tool runs entirely in your browser.
- Your plan data never leaves your device. Held in your browser session and wiped on tab close.
- Save to file. Progress is saved as a JSON file directly to your device. The author cannot see it.
- Anonymous page-view counts only. A privacy-friendly analytics service (GoatCounter) records that someone visited a page. No cookies, no fingerprinting, no advertising trackers, GDPR-compliant.
- Open source. Anyone can review the source code on GitHub.
🛡️ Security posture
- Content Security Policy locks down remote content to a single trusted analytics endpoint — nothing else can load
- JSON imports validated against schema (blocks prototype pollution and type confusion)
- All user input HTML-escaped before rendering
- External links use rel="noopener noreferrer"
- Automated security test suite available in the repo
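The import validation and output escaping listed above (and in the v1.0.0 "Privacy & security" notes) can be sketched as follows. This is an added example, not the tool's own code: the schema fields, size limits and function names are assumptions, and the sample files are constructed.

```javascript
// Added example with a hypothetical plan schema; the real tool's fields are not shown here.
const MAX_CHARS = 256 * 1024; // assumed cap on the size of an imported file
const MAX_STR = 2000;         // assumed cap on any single text field
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Each checker returns the validated value or throws.
const str = (v) => {
  if (typeof v !== "string" || v.length > MAX_STR) throw new Error("expected short string");
  return v;
};
const ragScore = (v) => {
  if (!Number.isInteger(v) || v < 0 || v > 3) throw new Error("expected RAG score 0-3");
  return v;
};
const listOf = (check, max) => (v) => {
  if (!Array.isArray(v) || v.length > max) throw new Error("expected list of at most " + max);
  return v.map((item) => check(item));
};
const objectOf = (shape) => (v) => {
  if (v === null || typeof v !== "object" || Array.isArray(v)) throw new Error("expected object");
  const out = Object.create(null); // result has no prototype chain to pollute
  for (const key of Object.keys(v)) {
    // JSON.parse stores "__proto__" as an ordinary own key, so it is visible here.
    if (FORBIDDEN.has(key)) throw new Error("forbidden key: " + key);
    if (!has(shape, key)) throw new Error("unknown key: " + key);
    out[key] = shape[key](v[key]);
  }
  for (const key of Object.keys(shape)) {
    if (!(key in out)) throw new Error("missing key: " + key);
  }
  return out;
};

const planSchema = objectOf({
  schoolName: str,
  readiness: listOf(ragScore, 12),
  contacts: listOf(objectOf({ role: str, name: str, phone: str }), 50),
});

// Reject oversized input before parsing, then validate every value against the schema.
function importPlan(text) {
  if (typeof text !== "string") throw new Error("expected text");
  if (text.length > MAX_CHARS) throw new Error("file too large");
  return planSchema(JSON.parse(text));
}

function checkImport(text) {
  try { importPlan(text); return "accepted"; } catch (e) { return "rejected: " + e.message; }
}

// Escape the five HTML-significant characters before inserting text into markup.
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Constructed sample files.
const GOOD = JSON.stringify({
  schoolName: "Example <b>Primary</b>", readiness: [3, 2, 0],
  contacts: [{ role: "IT lead", name: "A. Person", phone: "01632 960000" }],
});
const POLLUTED = '{"schoolName":"x","readiness":[],"contacts":[],"__proto__":{"isAdmin":true}}';
const CONFUSED = '{"schoolName":["x"],"readiness":[],"contacts":[]}';
[GOOD, POLLUTED, CONFUSED, "x".repeat(MAX_CHARS + 1)].forEach((s) => console.log(checkImport(s)));
```

Because the validator copies only known keys into a prototype-less object, a rejected or accepted import can never add properties to Object.prototype, and imported text is still escaped at render time.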
🤝 Built for the school IT community
Built and maintained by Christopher Maddocks, a former ANME (Association of Network Managers in Education) Ambassador, as a free contribution to the UK education community.
It's a companion to the DfE Digital Standards 2030 — Self-Assessment Tool, focusing specifically on the cyber response and recovery layer where the Self-Assessment Tool's Cyber Security standard leaves off.
If you have feedback, find a problem, or want to contribute improvements, the easiest route is the 2-minute feedback form. The source code lives on GitHub at github.com/cmaddocks-uk/cyber-response if you'd prefer to raise an issue or pull request directly.
📖 Sources & further reading
Frameworks & guidance
📜 Disclaimer
This tool is provided as-is, without warranty of any kind. It is not legal, regulatory or insurance advice. The author is not affiliated with the Department for Education, NCSC, Risk Protection Arrangement, Ofsted, ANME, or any government body or insurer. Use of this tool does not guarantee compliance with any framework or standard. Always validate your plan with your IT support, Data Protection Officer, senior leadership team and insurer before relying on it. Licensed under the MIT licence.