SC570: Incident Practitioner of the BSI™ Cyber Security Network

Training: Security - Governance, Risk & Compliance - Certification

The workshop provides practical training on how to quickly detect, analyze, and handle IT security incidents within the Cyber Security Network (CSN) of the BSI™. Participants learn how to initiate effective immediate measures on-site, limit the extent of damage, and prevent consequential harm. The goal is to competently implement incident handling processes and increase responsiveness in critical situations.

Presence training

Start: 2025-12-08 | 10:00 am

End: 2025-12-10 | 01:30 pm

Location: Nürnberg

Price: 1.190,00 € plus VAT.

Presence training

Start: 2026-02-09 | 10:00 am

End: 2026-02-11 | 01:30 pm

Location: Nürnberg

Price: 1.190,00 € plus VAT.

Presence training

Start: 2026-07-06 | 10:00 am

End: 2026-07-08 | 01:30 pm

Location: Nürnberg

Price: 1.190,00 € plus VAT.

Presence training

Start: 2026-12-07 | 10:00 am

End: 2026-12-09 | 01:30 pm

Location: Nürnberg

Price: 1.190,00 € plus VAT.

Agenda:

  • Introduction to CSN and summary of basic courses
    • Digital response chain
    • Roles and boundaries of the task
    • Legal and regulatory framework conditions
    • Summary of the basic course for digital first responders

  • Phone behavior incl. non-technical measures
    • Service-oriented phone call
    • Non-technical measures

  • Threats and attack forms and overview of the current threat landscape
    • Term definitions (threat, vulnerability, risk, attacker etc.)
    • Types of attacks or attack forms
    • Causes of attacks
    • Different attack methods
    • Phases of a cyber attack
    • Top current attack forms or current threat landscape
    • Detection of attacks or infections
    • Action recommendations for the incident practitioner
    • Limits of assistance by the incident practitioner

  • Standard procedure workflow
    • Preparation for potential incidents
    • Identification of the IT security incident
    • Containment of the damage extent
    • Determination of the causes or triggers of the IT security incident
    • Recovery of systems
    • Documentation of the IT security incident

  • Handling of IT security incidents e.g. phishing incidents, ransomware incidents
    • Introduction to phishing, phishing channels, possible consequences of phishing
    • Additional information on the most common consequences and statistics on economic damage incurred
    • Detection of Phishing Attacks, Response to Successful Phishing Attacks
    • Introduction to ransomware, current ransomware situation
    • Typical approach of ransomware attackers
    • Managing ransomware incidents
    • Legal issues

  • Remote support
    • Remote or on-site support
    • Communication with the customer
    • Connection and access options
    • Data collection and analysis options

  • Incident handling of IT systems "beyond usual office applications"
    • IT systems are also used beyond usual office applications
    • Examples of architectures. Which technology is used?
    • What are possible threats to control technology?
    • Limits of the task
    • Standard procedure workflow
    • Attack scenarios and immediate measures or countermeasures
    • Limits of analysis

  • After an incident is before an incident
    • Sensitization of the company for preventive security measures
    • Building security awareness
    • Analysis of business processes
    • Building a security and emergency concept
    • Design of exercises
    • Providing info package through CSN
    • Maintaining the competence of the incident practitioner

Objectives:

In this 2.5-day training, you will be prepared for the Incident Practitioner exam and will be assessed both in writing and orally on the last (half) training day.

The advanced training provides you with the official curriculum to acquire the knowledge and skills required for a role as an Incident Practitioner.

In a group setting, you will develop your skills in handling information security incidents and reinforce your knowledge of Cyber Security.

Following the workshop, all participants will receive the work results as a handout, the official training materials, and proof of participation in the training program.

As a registered training company in the Cybersecurity Network, qSkills™ offers participants the opportunity to combine the advanced training with the exam workshop at the same training location. After passing the exam, participants can register with the Cybersecurity Network as an Incident Practitioner.

Note: Unlike the Incident Expert exam (SC580), the Incident Practitioner exam takes place directly on the third training day at qSkills™ on-site. While participation in the first two training days can be either in-person or online, attendance on the last half day (exam workshop) is only possible in-person.

After registration, an Incident Practitioner will be listed and published on the CSN websites.

Target audience:

The course SC570 Incident Practitioner of the Cyber Security Network of the BSI™ is specifically designed for participants who already possess knowledge and practice in the field of Cyber Security and are now seeking registration as an Incident Practitioner in the CSN of the BSI™:

  • IT Specialists
  • IT Technicians/Theorists
  • ISMS Experts

Course participants are often decision-makers, consultants, and employees who already have expertise in the areas of IT Security and IT Technology.

Prerequisites:

Do you want to become an Incident Practitioner? Good decision!
Approximately 83 million citizens and about 3 million small and micro-enterprises face a concrete risk of being affected by an IT incident.

A prerequisite for registration with the Cyber Security Network is the qualification as a Digital First Responder according to the ACS Standard for the Digital Rescue Chain and demonstrable knowledge in the IT field. The exact requirements are documented with the Cyber Security Network of the BSI™: Incident Practitioner in the CSN

Description:

The Federal Office for Information Security (BSI™) is responsible for IT security matters. To strengthen the reactive offerings in the field of Cyber Security or IT security, the Cyber Security Network (CSN) was established as a contact point for incident handling. This voluntary association of qualified IT security experts aims to detect and analyze IT security incidents more quickly, limit the extent of damage, and prevent further harm.

The workshop SC570 Incident Practitioner of the Cyber Security Network of the BSI™ enables you to provide rapid and effective on-site assistance in the event of IT security incidents and to initiate the corresponding processes for damage regulation.

Other Info:

Examination Conditions
The candidate must arrive at the designated training room 15 minutes before the scheduled examination time. Late arrivals may be denied entry and participation by the examiner. On the examination day, the candidate must present a photo ID. Accepted documents include, for example, an identity card, passport, or driver's license.

Permitted Aids During the Examination
Candidates are not allowed to use any aids, reference materials, blank sheets, or notebooks. Additionally, no communication, monitoring, or recording devices (e.g., mobile phones, tablets, smart glasses, smartwatches, or other mobile devices) may be used. All electronic devices must be turned off during the examination. Otherwise, an attempt to deceive may be assumed, and the candidate may be excluded from the examination.

Basis for the Examination
The aim of the examination is for the examinee to demonstrate their professional and personal competence, as well as the competence acquired through the basic course and additional training required for working as an Incident Practitioner, to an independent third party, i.e., an examiner or experienced incident expert. The foundations for the examination are:

  • The Guide for Responding to IT Security Incidents for Digital First Responders, and
  • The Guide for Responding to IT Security Incidents for Incident Practitioners and Incident Experts, specifically the chapters for the Incident Practitioner.

Form and Language of the Examination
The examination consists of two parts (written and oral), including a

  • 15-minute knowledge assessment (written multiple-choice examination) and a
  • 15-minute practical assessment (oral examination workshop).

The oral examination takes place together with all other examinees in a group. This allows other participants to gain additional learning success through the presentation and processing of case studies. The examination is offered in German.

Knowledge Assessment
The written part of the examination comprises 20 multiple-choice questions, which must be answered within 15 minutes without any aids. The correct statements must be marked. Each multiple-choice question has four answer options.
It is possible that

  • all statements are correct,
  • one statement is correct,
  • several statements are correct,
  • none of the statements are correct.

One point is awarded for each correctly answered multiple-choice question. A question is considered correctly answered if all correct answers are marked. If one answer is incorrect, the entire question is considered incorrectly answered (zero points). There are no point deductions. In written examinations (on paper), it must be ensured that mistakenly marked answers are clearly recognizable and the correct answer is marked. In case of doubt, the question will be considered incorrect.

Practical Assessment
At the beginning of the oral examination, each participant receives an envelope with a case study, which they must present to the group after a preparation time of 15 minutes. The order of the oral examinations is noted on the case studies and is thus randomly determined.
The oral examination takes place together with all other examinees, allowing participants to gain additional learning success through the presentation and processing of the case studies of other participants.
During the oral examination, the examiner notes whether the examinee has covered all aspects of the solution pattern. The evaluation is based on the following assessment criteria for the practical example:

  • The problem statement of the case study is correctly reproduced.
  • The issue was correctly delineated and analyzed.
  • Action proposals are presented in a practical and understandable manner.
  • The approach corresponds to the telephone guide in the Guide for Responding to IT Security Incidents for Digital First Responders.
  • The examiner has the opportunity to ask additional questions.

A maximum of 20 points can be awarded for the oral examination.

Examination Evaluation
To pass the examination for Incident Practitioner, at least 60% of all points must be achieved. This means the examination is considered passed if 24 out of the 40 possible points are achieved in both parts.

Examination Retake
If a candidate does not achieve the required minimum score or if there are reasons why the examination result is not valid, a one-time retake of the examination can be undertaken. Individual parts of the examination generally cannot be retaken separately. A second retake of the examination is not possible.

Since October 2021, the CSN concept DIGITAL RESCUE CHAIN consists of:

  • Self-help assistance (website)
  • Contact point of the CSN hotline
  • Qualification as a Digital First Responder
  • Qualification as an Incident Practitioner according to BSI™/ACS standard
  • Qualification as an Incident Expert according to BSI™/ACS standard
  • IT service provider with a team of Incident Experts

qSkills™ has been an active partner of the Alliance for Cybersecurity (ACS) since its inception and supports the BSI™ in the Cyber Security Network CSN, among other things, with the training of security officers to become Incident Practitioners.

The BSI™ Incident Practitioners are, alongside the BSI™ Incident Experts, a significant part of the new Digital Rescue Chain for victims of cyberattacks. The CSN of the BSI™ aims to assist citizens and companies as quickly as possible in the event of a "K-case" (cyberattack).

Guaranteed implementation:

from 2 Attendees

Booking information

Price:

1.190,00 € plus VAT.

(including lunch & drinks)

Exam (Optional):

390,00 € plus VAT.
