CREST Certified Incident Manager (CCIM)

What is the CREST Certified Incident Manager course?

This 3-day CREST-aligned Incident Management Specialist course provides expert level knowledge and skills required for highly experienced cyber security professionals who have spent significant practitioner time working on incident response engagements.

This course is aligned to support individuals seeking to undertake the CCIM exam.

By the end of this training, you will have expanded and consolidated your technical understanding and practical experience of working on cyber security incidents to manage incidents and relevant stakeholders successfully in your organisation.

Who is this Qualification for?

This course is ideally for senior practitioner-level cyber security professionals who wish to understand how to manage cyber security incidents effectively. Some examples of your job role may be, Senior incident response practitioners, Senior digital forensics practitioners or IT/Cyber security practitioners with responsibilities in incident management.

Accreditation / Qualification(s) offered

Successful completion of this course will mean you will be awarded the CCIM certificate.

What This Course Includes

The price includes course registration and the CCIM Certificate.

Delivery Partner

This course will be delivered by our partners, Protection Group International, as part of our Cyber Alliance who will be the training provider of this course.

Delivery method:

  • Virtual LearningVirtual ClassroomInstructor-led course
  • Enquire about this course
  • This is a virtual course with a live instructor. It includes interaction and group-work to embed learning. We encourage use of cameras, and have regular breaks to maintain freshness and engagement.
  • Small Classes
  • CCIM Certificate
  • Does not Expire

PayPal Credit payment option available.0% interest for 4 months with PayPal Credit. Find out more
Course Logo

All prices are per person and exclude VAT.

This course can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Threat Landscape and Incident Readiness

  • Engagement Lifecycle Management
  • Incident Chronology
  • Incident Response Plan (and it’s relation to business continuity and disaster recovery)
  • Incident Response Team and Relevant Roles
  • Law & Compliance
  • Record Keeping, Interim Reporting & Final Results
  • Threat Assessment
  • Risk Analysis
  • Business Impact Assessments
  • Risk Assessments and Business Impact Assessments
  • Attack and compromise lifecycle
  • Attack / compromise lifecycles (kill chain)
  • Compromise, Disruption, Extraction of data, etc
  • Legal and Jurisdictional Issues
  • Ethics
  • Technical vulnerability root cause identification
  • Physical threats

Insider Attacks

  • Threat Identification

Collecting the Initial Facts

  • Building the Attack Timeline
  • Understanding Investigative Priorities

Initial Development of Leads

  • Define Value of Leads
  • Acting on Leads

Discover the Scope of the Incident

  • Examining Initial Data
  • Gathering and Reviewing Preliminary Evidence

Data Collection

  • Live data collection
  • When to perform a live response
  • Selecting a live response tool
  • What to collect
  • Collection best practices
  • Live data collection on Microsoft Windows Systems
  • Live data collection on Unix-based systems

Forensic Duplication

  • Forensic image formats
  • Traditional duplication
  • Live system duplication
  • Duplication of Enterprise assets
  • Duplication of Virtual machines

Network Evidence

  • Network monitoring
  • Types of network monitoring
  • Setting up network monitoring
  • Network data analysis
  • Incident Response Team Exercise
  • Applied Technical Knowledge for Incident Response
  • Host Analysis Techniques
  • Listing processes and their associated network sockets (if any)
  • Assessing patch levels on a Windows host using the command prompt
  • Finding interesting files on a Windows host

Understanding Common Data Formats

  • Interpret email headers, commenting on the reliability of the information contained within
  • Information contained within a PKI certificate
  • Encoding employed for transmission of data (e.g. web and email)

Registration Records

  • Open-Source Investigation and Web Enumeration
  • Effective use of search engines and other open-source intelligence sources to gain information about a target
  • Information that can be retrieved from common social networking sites

Extraction of Document Metadata

Community Knowledge

  • Ability to interpret common anti-virus threat reports
  • Ability to interpret open-source research when investigating incidents, eliminating false positives
  • Knowledge of popular open-source security resources (web sites, forums, etc.)
  • Static Network Traffic

Data Analysis

Malware Handling

  • Methods of data collection and types of data to be collected
  • Designing a collection system to ensure sufficient data is collected without overwhelming capture devices
  • Impact assessment of any changes to network
  • Knowledge of SPAN ports, traditional network TAPs and aggregating TAPs
  • Ability to estimate capture requirements during scoping.
  • Consideration of appropriate capture device deployment location.
  • Constraints and limitations of capture and analysis toolsets. Knowledge of different capture options (e.g. NetFlow, limited capture, full packet capture etc.)
  • The ability to assure integrity and security of network after introduction of a capture device
  • Provide arguments and evidence that supports the integrity of any data captured

Data Sources and Network Log Sources

  • Types of data to be collected and existing data sources
  • Proxy logs
  • Syslogs
  • Email logs
  • Firewall logs
  • DHCP logs
  • VPN logs
  • Web server logs
  • Antivirus logs
  • DNS logs
  • Domain logs
  • Windows event logs
  • Internet history
  • Database logs

Correlating information contained within any number of different log formats

Triage Environment

Status Analysis

Dynamic Analysis

  • Dynamic Network Traffic Analysis

Incident Response Manager Actions During an Incident

  • Incident Response team lead and distribute efforts
  • Convey technical findings in incident response cases with upper management and stakeholders
  • Report Writing
  • Client management
  • Containment techniques
  • Evidence handling
  • Communications
  • Recovery and remediation (linked to an organisation’s long- and short-term strategic goals)
  • On-going technical prevention
  • Threat intelligence, Contextualisation Attribution and Motivation
  • Industry Best Practice

Exam Preparation

Ideally, you should have five or more years of practical experience in digital forensics and/or incident response role and CREST Registered Intrusion Analyst (CRIA) qualification or training. At a minimum, at least 12 months’ hands on experienced once CRIA has been achieved.

Ideally you will have knowledge of:

  • Best practices for incident response and incident management.
  • National cyber security regulations and requirements relevant to an organisation.
  • Different types of cyber attackers, their capabilities, and objectives.
  • What constitutes a threat to network security.
  • Best practice measures or indicators of system performance and availability.
  • Best practice resource management principles and techniques.
  • Best practice server administration and systems engineering theories, concepts, and methods.
  • Best practice auditing and logging procedures.
  • Using network servers and networking tools used by an organisation or systems being tested.
  • Penetration testing principles, techniques, and best practice application

And skill in:

  • Developing policies which reflect an organisation’s business and cyber security strategic objectives
  • To identify, capture, contain and report malware.
  • Identify malware analysis tools.
  • Perform root cause analysis for information security issues.
  • Understand types of persistent data and how to collect them.
  • Effectively use protocol analyzers.
  • Critically evaluate and establish processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
  • Assess system files that contain relevant information and where to find them.
  • Understand electronic evidence law.
  • Consider malware reverse engineering concepts.
  • Recognise how and why adversaries abuse file type.
  • Develop, test, and implement network infrastructure contingency and recovery plans.
  • Effectively prepare and present briefings in a clear and concise manner.
  • Prepare clear and concise reports, presentations, and briefings.

Enquire about this course

Please fill in the form below and a member of the team will be in contact with you as soon as possible. Replies are typically within 24 hours of your submission. Please allow additional time for bank holidays and weekends.

* Indicates required information

MKC Training would like to stay in contact you with relevant content, updates and occasional marketing.

If you change your mind, you can unsubscribe at any time by clicking the link in the footer of our emails, or by emailing us at For more information about our privacy practices, please view our privacy policy (opens in a new window). By clicking the button below, you agree that we may process your information in accordance with these terms.

  • "Sue was an excellent trainer and a nice person to be trained by too. Clearly has a thorough and comprehensive knowledge of not only the course but the whole discipline."
    Joe, APM PMQ course
  • "The use of whiteboards, real time example, breakout room and attempting the questions after every topic was really helpful. The enthusiastic tutor, made the course better."
    Anon, PRINCE2 Agile course
  • "The ideas and techniques learned in the course has changed my vision towards project management. It taught me various methods which I can apply in my career. I managed to learn new aspects of management cycle which I was unaware of. The course was very useful to me."
    Pawan, PRINCE2 Agile course
  • "I thoroughly enjoyed the course and got a good deal of useful information from it. I have carried out projects throughout my career, and a few years ago took the APM Project Management Qualification (PMQ), but carried out projects using my own methods. PRINCE2 is great in that it sets out a methodology for carrying out project management, and is the most widely recognised in the UK. Adding agile was the icing on the cake."
    Lara, PRINCE2 Agile
  • "Dhaliwal Narinder our trainer was excellent, adding insights from her vast experience to enhance our learning. We have tried Agile and Project Management separately, now i have the opportunity to try both again in my Faculty. Receiving this course online whilst locked down was perfect."
    Kevin, PRINCE2 Agile course
  • "The course was interesting and interactive, though a lot of information needed to be crammed in and consumed. Having done an Agile course a few years ago, this course helped to reinforce what was previously learned and put a project management theme to it. The instructor was very knowledgeable and explained the theory very well. The other participants were engaging and helped make the course interesting through the sharing of question and answer sessions to the relationship of past experiences."
    Ted, PRINCE2 Agile course
  • Experienced and well qualified training staff provide excellent support and are committed to improving trainees' experience.
  • "The pass rate is delivering more competent well-rounded, 'turn their hand to anything' engineers. All of the main courses delivered by MKC achieve notably higher success rates than the corresponding courses delivered by either Further Education (FE) or private training providers'."
  • MKC is seen to be strongly in line with acknowledged approaches to good practice in vocational education and training.
    Dr A Lahiff University College London Institute of Education (IoE)
  • The Open & Honest partnering approach will save MoD an average of 25% on previous training costs.
    Babcock International
  • MKC significantly exceeds performance and has delivered a further £28M savings since the start of operations. Training losses have moved from 12% to 5%, trimming times down by 20%. Innovating and driving down costs.
  • "It was clear that our tutors were not only really skilled themselves, but they knew how to pass that on to others."
  • "Learners have a deeper understanding of their trades"
Previous slide
Next slide

Book a course