Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
During recovery, silence from the security team is a communications failure. Stakeholders who do not receive updates fill the gap with assumptions, which are often worse than the reality. Communicating recovery progress accurately and consistently maintains trust, enables business decisions (when can we resume operations?), satisfies regulatory or contractual update requirements, and reduces the operational disruption caused by uncertainty. Recovery communication requires the same discipline as incident communication.
Implementation steps
1. Define recovery status update cadence and recipients
At the start of recovery, define how frequently updates will be sent and to whom: hourly updates to the incident response team and department leads, daily executive briefings for multi-day incidents, and scheduled customer updates for service disruptions. Assign a designated communications lead who is responsible for drafting and sending these updates. Consistent cadence is as important as content: stakeholders who expect updates at a defined interval can plan around them.
Tools: slack, pagerduty, statuspage, confluence
2. Use a customer-facing status page for service disruptions
For incidents that affect the availability or security of customer-facing services, use a public status page to communicate status and recovery progress. Update the status page at the same cadence as internal updates. Customers who can see accurate progress updates are more patient than customers who see nothing and assume the worst. Commit only to recovery time estimates you can defend; incorrect ETAs erode trust faster than no ETA.
Tools: statuspage, atlassian-statuspage, betterstack
3. Send a recovery completion notification when services are restored
When recovery is complete and services are confirmed operating normally, send a formal recovery completion notification to all stakeholder groups: internal teams, executive leadership, customers (via status page or direct communication), and any regulators or partners who received incident notifications. The recovery notification closes the communication loop opened by the initial incident notification.
Tools: statuspage, slack, confluence
Evidence required
Recovery communication plan and procedures
Documentation of how recovery progress is communicated during active incidents.
- Incident response plan section defining recovery communication responsibilities
- Status page configuration and usage guidelines
- Recovery update template for internal and external stakeholders
Recovery communication records
Evidence that recovery communications were sent during past incidents.
- Status page history showing recovery update timeline
- Internal recovery briefing emails or Slack channel history
- Customer notification records from a service disruption
Related controls
Public updates on the incident and ongoing recovery are shared using approved methods and messaging
Incident Recovery Communication
The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed
Incident Recovery Plan Execution
The estimated impact and scope of adverse events are understood
Adverse Event Analysis
Information on adverse events is provided to authorized staff and tools
Adverse Event Analysis