Cyber Incident Response Planner — Wales / Cymru

Version 1.5.0 — 8 May 2026

Cyber Essentials integration. The DfE Cyber Security Hub describes Cyber Essentials as a scheme designed "to prevent the most common internet-based cyber incidents." This release adds explainer content and a status field so schools can record their CE position alongside the response plan — CE is the prevention side; this tool covers the response side.

• "Beyond this tool: Cyber Essentials" card on the About page covering: what CE is, the five technical controls (firewalls, secure configuration, user access control, malware protection, security update management), CE vs CE Plus, the IASME assessment route, why it matters for UK schools (RPA, DfE Standards 2030, procurement), and where to start. Mirrors the DfE Hub's phrasing ("certification scheme created by the NCSC") for sector consistency.
• Cyber Essentials status field added to the Plan Builder → School details (dropdown: Not started / Working towards / Cyber Essentials / Cyber Essentials Plus). Surfaces in the printable plan output's header next to the other plan metadata.
• Cyber Essentials Plus 3-month deadline tracking. A new "CE certification date" field sits next to the status dropdown. When status is "Cyber Essentials" and a date is set, the plan output auto-calculates and surfaces the CE Plus deadline (cert date + 3 months) with a colour-coded urgency flag — green if comfortably ahead, amber under 4 weeks. Mirrors IASME's rule that CE Plus must be achieved within 3 months of CE certification on the same scope, otherwise the school must recertify CE first. The "Two tiers" panel on the About page now calls out this 3-month rule prominently.
• Annual renewal reminder. CE and CE Plus both expire 12 months after certification. The same date logic now also flags "annual renewal due [date] (X days remaining)" when the cert is approaching expiry — amber under 60 days, red under 28 days, and a stronger "renewal expired N days ago — recertify now" message once it's past the 12-month mark. Quiet otherwise, so it doesn't add noise outside the renewal window.
• Governor Report CE meta. The Governor / Trustee Report header now surfaces CE status (and any active deadline) alongside the readiness percentage — useful when governors are asking "are we Cyber Essentials yet?" at meetings, and as visible cyber-assurance evidence during inspection.
• State-aware Cyber Essentials governor question. The "Questions Governors Should Ask at the Next Meeting" panel now prepends a CE-specific assurance question whenever attention is warranted — tailored to the school's current state. Five branches: not-yet-certified ("clear plan and named owner?"), status-set-but-no-date ("how is the renewal cycle being tracked?"), lapsed certification ("why has it lapsed?"), renewal approaching within 60 days ("how is on-time renewal being assured?"), and the 3-month CE Plus window ("how is CE Plus being progressed?"). Stays silent when CE is comfortably in good standing — no noise.
• CE in suggested meeting minutes wording. The "For the meeting minutes" suggested wording now optionally mentions Cyber Essentials status (and cert date if recorded) when relevant — making CE governance evidence concrete in inspection-ready minute language.
• Homepage CE signposting. A new 🔐 Cyber Essentials ↗ link in the home page status bar (alongside DfE Standards / NCSC / DfE Cyber Hub), and a one-line mention in the frameworks-panel footer pointing readers to CE for "the prevention side" alongside the four mapped frameworks.
• Readiness check Q11 (MFA) tagged with CE — the only direct map between the existing readiness questions and the five CE controls (User access control). Honest minimal tagging: trying to force more CE tags onto incident-response questions would be misleading, since CE is preventative posture and the readiness check is response posture.
• New pill-ce framework badge style (cyan/teal). Used in readiness question framework tags. Click-through goes to the NCSC Cyber Essentials overview.
• No CSP changes required. All CE references are external <a href> links to NCSC, IASME and the DfE Cyber Security Hub.

Why a minor version bump (v1.5.0): this adds a new framework category alongside existing NCSC / DfE / RPA / Ofsted mappings. Honest scope: signposting + meta-field, not a full CE assessment tool — schools should use IASME's official questionnaire for the actual certification.

Version 1.4.0 — 8 May 2026

Tabletop Exercise mode added. A new tab between Plan Builder and Your Plan that walks the user's plan through a real ransomware case study from the DfE Cyber Security Hub, step-by-step, surfacing the relevant fields from their own plan at every step. The summary doubles as evidence of plan testing under RPA cyber cover requirements.

• Five example scenarios shipped at launch, all fully fictional, illustrative example scenarios covering different incident types so each tabletop tests different parts of the plan: (A) trust-wide ransomware across a mid-sized MAT, (B) single-trust ransomware with double extortion and data exfiltration, (C) business email compromise / invoice-redirection fraud, (D) account compromise via phishing — the standard precursor to ransomware, and (E) insider threat: a leaver with retained access who inappropriately accessed safeguarding records. Scenarios reference no specific school or trust — figures are illustrative ranges only, source links go to the DfE Cyber Security Hub root for sector context, and an explicit disclaimer sits on the selection screen.
• Plain-English plan-field labels. The runner and summary surface plan fields by their human-readable label ("Incident Lead — name", "Authority to take systems offline", "Recovery Time Objective (RTO)") rather than the technical dot-paths (plan.team.leadName etc.). A new PLAN_FIELD_LABELS dictionary maps each path to a friendly label, with a helper planFieldLabel() that falls back to the path for any field not yet registered.
• Seven steps per scenario. Each step has a real-time narrative ("Day 1, 06:30 — a network admin spots ransomware files..."), a question ("Who is the first responder per your plan? What's their immediate action?"), the scenario time stamp, and an auto-surfaced list of the user's plan fields that should answer it. Blank fields render as "⚠ gap in your plan" in red; populated fields show the captured value in green.
• Free-text answer per step — the user's team captures what they would actually do at this step. Saved to state.tabletop.scenarioAnswers via sessionStorage like the rest of the tool, and persisted across the JSON save/load via the existing schema-driven deepMergeSchema.
• Printable summary at the end with a gap report (every plan field the scenario surfaced that the user has left blank), all step-by-step responses, and a clear "this is your evidence of testing" footer for retention with incident response documentation.
• Re-run / view-summary controls on the selection screen for completed scenarios, with the completion date stamped on each card.
• Print footer extended — the per-page footer band now identifies the document as "Tabletop Exercise Summary" or "Prioritised Action Plan" when those tabs are printed (previously only Plan, First 30 Minutes and Governor Report were named).
• No CSP changes required. All data is local; the only external references are anchor links to the DfE Hub case study source URLs.

Why a minor version bump (v1.4.0): this is a substantial new feature, not a fix. Continues the post-launch feature-additions line begun in v1.2.0 and extended in v1.3.0.

Version 1.3.0 — 7 May 2026

DfE Cyber Security Hub integration. The Department for Education launched its Cyber Security Hub for schools — incident response playbooks, planning templates, case studies and the published 8-phase incident response process. This release positions the Cyber Incident Response Planner as the operational planning layer that complements the Hub.

• Playbook deep-links to the DfE Hub. Where the Hub publishes a relevant playbook, the corresponding playbook in this tool now signposts directly to it. Ransomware → the Hub's ransomware playbook and published case studies. Account compromise and Phishing → business email compromise playbook. Personal data breach → extortion via AI playbook for the data-leverage scenario.
• DfE Cyber Security Hub added as a fifth mapped framework across the home page status bar, the About page Frameworks section, the Sources & further reading list, and the Plan output's standards-mapping table. The home page Sources Verified date stamp will be bumped at the next quarterly review.
• Sector-context case-study references. The DfE Cyber Security Hub's published 2024 ransomware case studies — documenting recovery costs, staff hours, response durations and data exfiltration scale across UK education incidents — are referenced from the ransomware playbook's "Why this matters" callout for sector-relevant context. Specific schools and trusts are not named in this tool; readers can see the published material directly on the Hub.
• No CSP changes required. All new references are external <a href> links to cyber-security-hub.education.gov.uk; the Content Security Policy still locks remote scripts and fetch / XHR to the GoatCounter analytics endpoint only.

Why a minor version bump (v1.3.0): this is a content addition that materially changes how the tool positions itself against the new DfE resource — the tool now interoperates with the Hub's playbooks rather than duplicating them. Continues the post-launch feature-additions line begun in v1.2.0.

Version 1.2.0 — 30 April 2026

Prioritised Action Plan tab added. The missing functional layer between "we identified the gaps" (readiness check) and "we have a plan for incidents" (plan builder).

• Auto-generated from the readiness check. Every red and amber question becomes a row in a printable table, ordered by priority (red first, then amber).
• Each row shows: the area name, plain-English description, the recommended action for the user's current score, and the framework(s) it maps to.
• Three blank columns — Owner, Target date, Status — deliberately left empty for the user to fill in by hand on the printed copy. The tool doesn't ask the user to enter owners and dates here because that work belongs in their normal action tracker, not in another web form.
• Suggested timescales footer based on RPA/NCSC guidance: red items within one term, amber items within the academic year.
• Empty states for "readiness check not yet started" and "all green — nothing outstanding" handled cleanly so the printed page never looks broken.
• Surfaced from the home page as a "🎯 Prioritised action plan" CTA, and from the Governor Report's "For SLT" next-step ("Review the Prioritised Action Plan...").
• Inherits the v1.1.7–v1.1.11 print polish — Inter typography, footer band on every page, sensible page breaks, browser-header suppression.

Why a minor version bump (v1.2.0): this is a new feature, not a fix. v1.1.x is the consolidated launch line; v1.2.0 starts the post-launch feature-additions line.

Version 1.1.11 — 30 April 2026

• Header brand and tabs back on a single row. Since v1.1.0 the addition of the "First 30 Minutes" tab made the header crowded enough that brand + 8 tabs wrapped onto two rows on most desktops. Slimmed brand text from 14px→13px, tab buttons from 13px→12px and tab padding from 7px×12px→5px×9px so all 8 tabs fit alongside the brand on a single row at 1280px container width. Still wraps gracefully on genuinely narrow viewports (laptops below 1100px or phones).

Version 1.1.10 — 30 April 2026

Reverted two PDF experiments after real-world testing.

• Plan title page removed. The v1.1.9 cover sheet broke in real browsers — the fixed height:265mm overflowed the printable area, causing 7 blank pages to be inserted before the actual plan. Removed the entire title-page CSS and HTML; back to a clean printout starting on page 1 with the plan content. A proper title page is doable but needs the height-and-page-break logic to be more robust than my first attempt.
• Restored original centred plan header. The v1.1.8 "compact left-aligned print header" replaced the centred shield + title block to recover space — but on review the original centred header reads better and feels more like a document. Print version now matches the on-screen version, as it always should have.
• All other v1.1.9 work retained: Inter typography, footer band on every printed page, the Governor Report empty-state fix, and the Police CyberAlarm wording corrections all stay.

Lesson logged: print CSS that uses fixed millimetre heights breaks differently across browsers. Future title-page work should use natural content height with explicit page-break-after rather than forced height.

Version 1.1.9 — 30 April 2026

PDF output lifted from "plain printout" to "deliverable document".

• Title page added to the Plan output. A proper cover sheet now opens the PDF/print version: school name as the dominant title, eyebrow label, "CONFIDENTIAL — for internal use only" stamp, document description, metadata table (URN, version, plan date, approver, next review), framework-mapping footer. Forces the actual plan to start on page 2. Hidden on screen — only renders when printing.
• Footer band on every printed page. Bottom of every page now shows: school name, document name (e.g. "Cyber Incident Response Plan"), tool URL, and version. Populated dynamically from the active tab and current school data via a beforeprint handler. Browsers repeat the position:fixed footer on every printed page (Chrome, Edge, Firefox tested; Safari support partial). Hidden on the title page itself for a cleaner cover.
• Inter typography. Loaded from Google Fonts (weights 400/600/700/800) for crisper, more authoritative typography across both screen and print. System font stack remains as fallback if Google Fonts blocked. Uses Inter's stylistic alternates for a slightly nicer "1", "ß" etc.
• CSP relaxation. style-src now allows https://fonts.googleapis.com, font-src now allows https://fonts.gstatic.com. Both are Google Fonts endpoints — widely trusted, cookie-free for the CSS endpoint, no other CSP changes. The strict connect-src remains locked to GoatCounter only.
• Footer band leaves room. Bottom page margin increased from 20mm to 22mm so the footer band has breathing room without crowding content.

Version 1.1.8 — 30 April 2026

Print/PDF improvements based on real preview screenshots from Edge.

• Honest print-dialog tip on every print button. Some browsers (Edge, Chrome, Firefox) auto-add their own page header strip with the URL and document title at the top of every printed page, plus a date/page strip at the bottom. The CSS in v1.1.7 attempted to suppress these, but the user can still re-enable them in their print dialog — and many browsers default to having them on. Each print button now has a clear note telling the user to expand "More settings" and uncheck "Headers and footers" for the cleanest output. Honest framing: we can't override the user's browser settings, so we tell them how to.
• Compact print-mode header for the Plan output. Previously the centred shield logo + title + metadata block ate roughly a third of the first printed page. The print version is now left-aligned, smaller, and uses about a tenth of the page, leaving more room for actual plan content. Screen version unchanged.

Version 1.1.7 — 30 April 2026

Print / PDF output polished. When users print or save as PDF, the result now looks more like a professional document and less like a printed web page.

• Browser default headers/footers suppressed. The ugly auto-added page title, URL and date strip at the top and bottom of every printed page now hidden by default. Achieved via @page margin-box content overrides — users can still re-enable headers in their browser print dialog if they explicitly want them.
• Better page margins. A4 portrait with 18mm/14mm/20mm/14mm margins for the Governor Report and full Plan output, tighter 10mm for the single-page First 30 Minutes card.
• Cleaner section flow. Cards no longer print as boxed UI elements with shadows and borders — they flow as document sections. Headings get subtle horizontal rules instead, links lose the noisy auto-appended URL.
• Sensible page breaks. Headings can no longer be orphaned at the bottom of a page; list items and table rows can no longer split across pages; major sections in the full plan break onto new pages where it helps readability.
• Empty-state Governor Report. Previously, opening the Governor Report tab before completing the readiness check rendered a half-populated layout with empty placeholder panels — looked broken when printed. Now shows a clean "Readiness check not yet started" message with a clear next-step button (which is hidden on print).
• Edge case fix. If the readiness check is partially complete and all answered questions are currently green, the Governor Questions panel now shows a sensible message ("X of 12 answered, all currently green — complete the rest to surface specific assurance questions") rather than rendering an empty <ol>.

Note: some print details (default browser headers, page numbers in margins) depend on browser and user print-dialog settings. The CSS now signals our preferences strongly, but the user can override them via their print dialog if they wish.

Version 1.1.6 — 29 April 2026

• Fix broken DfE RPA link. The home page framework card and About page links pointed at /guidance/risk-protection-arrangement-rpa-for-schools — this is a 404. The current canonical GOV.UK URL is /guidance/the-risk-protection-arrangement-rpa-for-schools (with the "the-" prefix). All four references in the tool now point at the working URL.
• Dead-code cleanup. Removed unused CSS classes left over from earlier iterations: .home-callout (replaced by .frameworks-panel in v1.1.4), .qblock .tip (refactored away), .callout.note (variant never used), .pill-cyber and .pill-leadership (forked from the Self-Assessment Tool but never used here). Also removed the dead footer selector from the print rule and the obsolete "footer removed" placeholder comment.

Version 1.1.5 — 29 April 2026

• First 30 Minutes card width fix. Previously capped at 1000px and centred, now spans the full container width like the other home/plan blocks. More readable on desktop and removes the awkward floating effect.
• "Download as PDF" button added alongside the existing Print button on the First 30 Minutes tab. Both open the browser's print dialog — the user picks "Save as PDF" or a physical printer in the destination dropdown. The PDF defaults to a sensible filename like Your School — First 30 Minutes — 2026-04-29.pdf.
• No third-party PDF library. Considered jsPDF/html2pdf for a single-click PDF download but rejected: would require relaxing the CSP, ship 50–200 KB of code, and produce lower-fidelity output than the browser's native PDF rendering. Word export deferred for the same reasons until a real user specifically asks for it.

Version 1.1.4 — 29 April 2026

• "Mapped to UK Frameworks" panel on the home page replaces the previous yellow callout. Shows all four frameworks (NCSC, DfE Digital Standards 2030, RPA, Ofsted) as colour-coded cards in a 2×2 grid, each clickable to source guidance. Visually anchors the credibility story instead of burying it in prose.
• "Sources verified" date stamp in the panel header — honest, manually maintained, no false promise of API-driven live updates. Bumped quarterly.
• "A planning tool, not a compliance pass" message preserved as a small footer line under the framework grid — same caveat, less screen real estate.
• Police CyberAlarm banner alignment fix. Previous version was capped at 880px wide and floated centred above the columns; now it spans the same full container width as the hero, the feedback callout and everything else on the home page.

Version 1.1.3 — 29 April 2026

• Dark navy header restored with the slim, sticky tab layout introduced in v1.1.2. White-on-navy brand area, light tab pills, active tab fills white. Combines the visual identity of v1.1.1 with the cleaner spacing of v1.1.2.
• Header strapline broadened to "UK Education Establishments" — previously just "UK Schools & Colleges". The framework mappings (DfE Digital Standards 2030, DfE RPA, Ofsted) remain school-and-college-specific where they apply, but the brand-level positioning now signals that any UK education setting can use the readiness check, plan builder, playbooks and First 30 Minutes card.

Version 1.1.2 — 29 April 2026

• Bug fix — empty card on the Governor Report tab. When the First 30 Minutes section was added in v1.1.0, the Governor Report section's opening <section> tag was inadvertently dropped. The Governor Report card and its container were leaking onto whatever tab was active. Section structure restored. Same class of bug as the v1.5.2 fix — lesson learned.
• Cleaner UI. Replaced the dark navy header bar with a slim, light, sticky top nav. Active tab highlighted in accent blue rather than reverse-coloured. Removed the bottom footer entirely — version pill now lives subtly in the top-left, Changelog and About links are already in the home status bar. More vertical space for content, less visual noise.

Version 1.1.1 — 29 April 2026

Updates following community feedback from Sgt Andy Rawlinson (SEROCU Cyber PROTECT, CISM).

• Police CyberAlarm banner rewritten. Original wording overstated the impact of the transition. Corrected position: PCA registrations are open, vulnerability scanning is available to registered members, and only the on-network data collector is currently paused for new installations. Registration alone still satisfies the RPA cyber cover condition. Banner restyled from amber-warning to informational-blue to match the friendlier reality.
• Action Fraud renamed to Report Fraud throughout. The new service launched on 4 December 2025 (replacing Action Fraud) and went into full public launch in January 2026. The phone number stays the same (0300 123 2040), the URL is now reportfraud.police.uk. Updated everywhere in the tool: readiness questions, action items, plan output, communications templates, playbook citations and the First 30 Minutes card.

Version 1.1.0 — 29 April 2026

"First 30 Minutes" rapid-response card added. A one-page printable card designed to be laminated and pinned by the headteacher's office, in the network room and the bursar's drawer — for use during the actual incident, not for governance.

• Three time-boxed phases (0–5 min, 5–15 min, 15–30 min) with the next actions for each role — first responder, SLT digital lead, incident lead
• Auto-populated from the contacts already entered in the Plan Builder — SLT digital lead, deputy, IT lead, comms lead, DPO, IT support, RPA insurer, broadband supplier. Missing fields show as [not set]
• Critical phone numbers prominent — RPA Cyber Incident 0800 368 6378 and Report Fraud 0300 123 2040 are baked in
• "Do NOT" panel covering the five errors that turn a recoverable incident into a disaster — ransom payment ban (per DfE Academy Trust Handbook 2025), powering off (loses forensics), contact with attackers, comms via compromised email, premature wipe
• Escalation chain panel with the five-step external escalation route (internal → insurer → ICO → Report Fraud → ROCU)
• Optimised print layout — A4 portrait, single page, no awkward breaks. Designed to be readable from across a room when laminated
• New tab between Your Plan and Governor Report; new "🚨 First 30 Minutes card" CTA on the home page

Version 1.0.0 — 28 April 2026

Initial public release. A free, browser-based Cyber Incident Response Planner for UK schools and colleges, mapped to NCSC, DfE Digital Standards 2030, DfE Risk Protection Arrangement and the November 2025 Ofsted Inspection Toolkit.

Readiness & assessment

• 12-question readiness check with four-point RAG scoring and per-question framework tags (NCSC, DfE Digital Standards 2030, DfE RPA, Ofsted)
• Framework tags are clickable and open the source guidance on GOV.UK / NCSC / Ofsted
• Print-friendly readiness report

Plan Builder

• 10-section sequential plan builder — school details, response team, external contacts, severity grading, escalation authority, playbooks, communications, recovery and backups, post-incident review, plan maintenance
• Sticky table of contents and back-to-top button on the generated plan
• Save and reload progress via local JSON file

Six playbooks with real-world context

• Ransomware, personal data breach, account compromise, phishing campaign, denial of service, insider threat
• "Why this matters in UK schools" callout on each, citing authoritative UK sources: NCSC alerts on education-sector ransomware, the 2025 Cyber Security Breaches Survey, the ICO breach reporting service, the regional ROCU Cyber PROTECT Network and the National Crime Agency's Cyber Choices programme
• Fill-in-the-blanks templates with bracketed placeholders for school-specific details — designed to force school-specific thinking rather than producing generic boilerplate

Communications templates

• Sample drafts for parent letters, staff briefings, ICO notifications, governor briefings and the website holding statement
• "Use this draft as a starting point" button for one-click insertion

Governor / Trustee Report

• Plain-English one-page printable summary — readiness % score, RAG breakdown and an overall verdict that adapts to the school's score
• "How do you assure yourselves..." questions for each non-green readiness area, supporting Ofsted-style inspection assurance questioning
• Suggested wording for governor meeting minutes — minuting evidences cyber assurance during inspection
• For SLT / For Governors split in the Recommended Next Steps

Sector context for 2026

• Banner noting the Police CyberAlarm transition period — new installations of the data collector are currently paused. The RPA's cyber cover condition is registration with PCA (which has historically been possible without the collector), so the banner signposts schools to contact RPA.DFE@education.gov.uk directly to confirm the practical position
• RPA framework explainer on the About page references the same 2026 transition note alongside the source guidance link

Privacy & security

• Browser-only — your plan data never leaves your device, and is wiped when you close the tab
• No cookies, no fingerprinting, no advertising trackers. Anonymous page-view counts via GoatCounter (privacy-friendly, GDPR-compliant) so the author can see how the tool is being used — nothing more
• Content Security Policy locks down remote content to only the GoatCounter analytics endpoint — no other remote scripts, fetch / XHR or iframe embedding allowed
• JSON imports validated against schema (blocks prototype pollution, type confusion and DoS via oversized inputs)
• All user input HTML-escaped before rendering; external links use rel="noopener noreferrer"
• Threat model documented in SECURITY.md; automated functional and security test suites in the repo