
Cyber Incident Interoperability
How CSIRTs, emergency services and private sector responders prepare to work together effectively during a cyber or hybrid incident.
"Interoperability is defined as the extent to which organisations can work together coherently as a matter of routine"
— JESIP
What is Cyber Incident Interoperability?
Cyber Incident Interoperability means the ability of organisations to work together coherently as a matter of routine whilst responding to a cyber security or hybrid incident.
It includes how Cyber Security Incident Response Teams (CSIRTs), Emergency Services, private sector responders and others are prepared to work together effectively to minimise the real-world impacts of a cyber incident.
What is JESIP?
The Joint Emergency Services Interoperability Programme (JESIP) was established to bring about changes at the operational level that lead to the emergency services working together more effectively in response to major incidents.
Is there a 'Cyber JESIP'? Do we need one?
JESIP is traditionally used by 'blue light' services rather than cyber security incident responders. However, the development of hybrid warfare practices, the integration of technology in societal wellbeing, and the reliance of people on digital services mean the likelihood of a cyber or hybrid cyber incident having a real-world impact has never been higher, and the potential impact of such incidents on life and wellbeing has increased. This creates a need for effective collaboration between cyber incident responders and emergency services, and therefore a need for interoperability.
Three possible approaches include:
- Creation of a separate 'CyberJESIP' framework.
- Identifying the highest value elements of emergency services protocols and embedding them into existing cyber standards.
- Aligning cyber standards with emergency services protocols by creating common implementation playbooks.
Do existing cyber incident management frameworks cover this?
No. Existing cyber incident management frameworks (such as NIST or ISO) are generally designed with single-organisation response in mind, with suppliers and customers involved in the incident response process as external stakeholders. Interoperability means having the ability to mount a single response to an incident that impacts multiple organisations. Existing cyber IR protocols are not designed to do this.
Can existing protocols simply be applied to cyber?
Key challenges in applying existing JESIP protocols to cyber centre on language and communication, the global impacts of cyber, and different professional approaches, tools and training. For example:
- Co-location in JESIP is generally considered to be physical co-location, but in a cyber incident is likely to be virtual. This raises a different set of challenges and needs.
- JESIP is a UK protocol, with other countries having different approaches, but many severe cyber incidents are international.
- Cyber Incident Response standards such as NIST SP800-63 or ISO27035 are high-level frameworks that are applied differently in each organisation, whereas Emergency Services tend to have common (and therefore more interoperable) implementation approaches.
Where can I read more?
I presented on this topic at FIRST 2025 in Copenhagen — supporting information is here.
How can I discuss this with you?
I'm happy to discuss this further. It is a common (though unsolved) issue, and there are many different views and approaches. Please do connect here, at work, or on LinkedIn. You're also welcome to subscribe to my occasional newsletter, Incidentally.
Matt Palmer