Internal and external stakeholders are notified of incidents in a timely manner
Incident communication is an obligation, not an option. Internally, stakeholders need to know what is happening so they can make decisions, redirect resources, and prepare for operational disruption. Externally, customers, regulators, and partners may have legal rights to timely notification. Organizations that fail to notify in time, or notify inconsistently, compound a technical incident into a legal and reputational one.
Implementation steps
1. Define internal notification requirements by incident severity

Document who must be notified internally for each incident severity level: a low-severity event may require only the security team, a high-severity event may require the CISO and department heads, and a critical event may require executive notification including the CEO and board. Define the time frame for each notification. Internal notifications should happen early enough that leadership is not surprised by news from external sources.
Tools: PagerDuty, Slack, Confluence

2. Map data types and incident categories to external notification requirements

Build a reference that maps each data type to its regulatory notification requirements and time frames: GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach; HIPAA requires notification to the HHS and affected individuals; PCI DSS requires notification to your acquiring bank and the card brands. Know which requirements apply to your organization before an incident occurs, so that legal review during an incident confirms an obligation that is already understood rather than researching it for the first time.
Tools: Confluence, Notion

3. Pre-draft communication templates for common incident types

Writing external communications during an active incident under time pressure leads to errors and omissions. Pre-draft notification templates for the most likely incident types: credential compromise, data breach, service disruption. Templates should leave blanks for incident-specific details but supply the structure, tone, and required elements. Have legal review the templates in advance so that the approval process during an incident is faster.

Tools: Confluence, Notion
Evidence required
Incident notification policy and procedures
A documented policy defining notification requirements by severity and data type.
- Incident response policy section defining internal notification requirements
- Regulatory notification requirement matrix mapping data types to obligations
- Communication plan in the incident response plan with stakeholder lists
Notification records from past incidents
Evidence that notifications were sent in accordance with defined requirements.
- Incident ticket history showing notification timestamps
- Regulatory notification letter from a past breach
- Internal incident communication records showing the escalation timeline
Related controls
- Information is shared with designated internal and external stakeholders (Incident Response Reporting and Communication)
- The impact of the incident is understood (Incident Analysis)
- Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered (Organizational Context)
- Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed (Organizational Context)