Public updates on the incident and ongoing recovery are shared using approved methods and messaging
Public communication about a security incident is high-stakes: every word is scrutinized by customers, media, regulators, and potentially courts. Messaging that is inaccurate, premature, or unauthorized can significantly worsen the reputational and legal consequences of an incident. Organizations need an approved public communication process that routes messaging through legal and executive review, uses consistent and controlled channels, and prevents disclosures by employees or contractors who are not authorized to speak about the incident.
Implementation steps
1. Establish an approved communications process for public incident statements
Define who is authorized to make public statements about a security incident: typically limited to a designated spokesperson, with legal review required before any public statement is released. All press inquiries should be routed to this spokesperson. Employees and contractors should be notified during an incident that they are not authorized to speak about it publicly and should direct any media inquiries to the designated contact.
Tools: Confluence, Notion

2. Pre-approve communication channels for public updates
Define the channels that will be used for public incident communication: the company website, email to affected customers, the public status page, and any applicable social media accounts. Avoid ad-hoc communication in forums or social media comments. Approved channels ensure that communications are archived, legally reviewed, and consistent. Pre-establish access credentials and procedures for these channels so that authorized communications can be sent quickly under pressure.
Tools: Statuspage, Mailchimp, SendGrid

3. Coordinate messaging across legal, security, PR, and executive teams
Public incident communications must balance transparency with legal constraints, customer relations with regulatory obligations, and speed with accuracy. Create a fast-track approval workflow that brings legal, PR, and executive perspectives together before publication: a single reviewer who can clear communications in under an hour is better than a four-step approval chain that takes days. Prepare holding statements in advance that can be released immediately while more detailed communications are being reviewed.
Tools: Confluence, Notion, Slack
Evidence required
Public communications policy and spokesperson designation
Documentation of the process for public incident communications including approval requirements.
- Incident communications policy defining spokesperson and approval requirements
- Employee guidance on media inquiries during an incident
- Pre-approved holding statement template for security incidents
Public communications records
Evidence that public communications were approved and sent through appropriate channels.
- Customer notification email or letter from a past incident with approval records
- Status page history for a service disruption event
- Press statement archive from a significant security incident
Related controls
- Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders (Incident Recovery Communication)
- The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed (Incident Recovery Plan Execution)
- The estimated impact and scope of adverse events are understood (Adverse Event Analysis)
- Information on adverse events is provided to authorized staff and tools (Adverse Event Analysis)