IR-3 / A.5.24 / CIS-17.9 NIST SP 800-53 Rev 5

Breach notification process tested

Demonstrate that the organization has tested its breach notification procedures within a defined timeframe and validated that notifications can be executed in compliance with regulatory timelines and stakeholder requirements.

Description

What this control does

This control requires organizations to periodically test their data breach notification process through simulated exercises or tabletop scenarios. Testing validates that procedures for identifying, classifying, escalating, and notifying stakeholders (customers, regulators, partners) of security incidents function as documented. Regular testing ensures notification timelines meet regulatory requirements, communication templates are current, decision trees are understood, and notification workflows integrate with incident response and legal review processes.

Control objective

What auditing this proves

Demonstrate that the organization has tested its breach notification procedures within a defined timeframe and validated that notifications can be executed in compliance with regulatory timelines and stakeholder requirements.

Associated risks

Risks this control addresses

  • Failure to meet mandatory breach notification deadlines imposed by GDPR, state breach laws, or sector-specific regulations, resulting in regulatory fines
  • Inadequate or inaccurate breach notifications to affected individuals causing reputational damage and loss of customer trust
  • Miscommunication or delayed escalation to legal, compliance, or executive leadership during an actual breach event
  • Incomplete notification to regulatory bodies or law enforcement due to unclear procedures or missing contact information
  • Use of outdated notification templates that do not reflect current organizational structure, services, or legal requirements
  • Failure to identify all affected parties or data elements during breach assessment, leading to incomplete disclosure
  • Inability to coordinate multi-channel notification (email, postal mail, website, media) within compressed timeframes during a real incident

Testing procedure

How an auditor verifies this control

  1. Request and review the documented breach notification policy and procedures, including defined timelines, roles, responsibilities, and notification templates.
  2. Obtain records of the most recent breach notification exercise or test, including the scenario used, participants involved, and date conducted.
  3. Review the test scenario to verify it included trigger identification, breach classification, stakeholder identification, regulatory determination, and notification execution steps.
  4. Examine documentation showing which personnel participated in the test, including representation from incident response, legal, compliance, communications, and executive leadership.
  5. Analyze the after-action report or lessons-learned document for the gaps, timeline deviations, or process failures surfaced during the test.
  6. Verify that corrective actions from previous tests have been implemented by reviewing remediation tracking records and updated procedures.
  7. Confirm that the test validated notification timelines against applicable regulatory requirements (e.g., 72-hour GDPR deadline, state-specific timeframes).
  8. Review evidence that notification templates, contact lists, and escalation paths were validated or updated as part of the testing exercise.

Evidence required

Collect the breach notification policy document, test scenario and exercise plan, participant sign-in sheets or attendance records, after-action report with timeline analysis, updated notification templates and contact lists, remediation tracking logs showing closure of identified gaps, and any tabletop exercise facilitator notes or recordings.

Pass criteria

The control passes if the organization has conducted a breach notification test within the past 12 months that included scenario-based validation of notification procedures, involved appropriate stakeholders, documented results and gaps, and implemented corrective actions from previous tests.
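An auditor working through items 2 to 7 above is repeatedly comparing exercise evidence against fixed thresholds: the 12-month test age, the stakeholder groups that must be represented, the scenario steps that must appear in order, the 72-hour regulator deadline, and the closure of earlier corrective actions. The script below, added here as an illustration and not part of the control text or any audit program's tooling, encodes those checks over a tabletop exercise record. The `Exercise` structure, the step names, the use of breach classification as the clock start for the 72-hour window, and both sample records are assumptions constructed for the example.

```python
"""Evaluate tabletop breach-notification exercise records against the pass criteria."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Stakeholder groups testing-procedure item 4 expects to see represented (assumed labels).
REQUIRED_STAKEHOLDERS = {"incident_response", "legal", "compliance", "communications", "executive"}
# Scenario steps item 3 expects the exercise to walk through, in this order (assumed labels).
REQUIRED_STEPS = ("trigger_identified", "breach_classified", "stakeholders_identified",
                  "regulatory_determination", "regulator_notified", "individuals_notified")
MAX_TEST_AGE = timedelta(days=365)        # pass criteria: a test within the past 12 months
REGULATOR_DEADLINE = timedelta(hours=72)  # the GDPR 72-hour deadline cited in item 7


@dataclass
class Exercise:
    """One breach-notification exercise as recorded in the after-action report (assumed shape)."""
    conducted: datetime
    participants: set[str]
    timeline: dict[str, datetime]   # scenario step -> simulated clock time
    open_corrective_actions: int    # unresolved items carried over from previous tests


def regulator_delay(timeline: dict[str, datetime]) -> timedelta:
    """Simulated time from breach classification to regulator notification.

    Classification is used as the clock start here (an assumption); the real start
    point is whatever the organization's policy and the applicable regulation define.
    """
    return timeline["regulator_notified"] - timeline["breach_classified"]


def evaluate(exercise: Exercise, as_of: datetime) -> list[str]:
    """Return audit findings; an empty list means every pass criterion is met."""
    findings = []
    if as_of - exercise.conducted > MAX_TEST_AGE:
        findings.append(f"last test on {exercise.conducted.date()} is older than 12 months")
    missing = REQUIRED_STAKEHOLDERS - exercise.participants
    if missing:
        findings.append("stakeholders not represented: " + ", ".join(sorted(missing)))
    absent = [step for step in REQUIRED_STEPS if step not in exercise.timeline]
    if absent:
        findings.append("scenario skipped steps: " + ", ".join(absent))
    else:
        times = [exercise.timeline[step] for step in REQUIRED_STEPS]
        if times != sorted(times):
            findings.append("timeline steps occur out of order")
        delay = regulator_delay(exercise.timeline)
        if delay > REGULATOR_DEADLINE:
            findings.append(f"regulator notified {delay - REGULATOR_DEADLINE} past the 72-hour deadline")
    if exercise.open_corrective_actions:
        findings.append(f"{exercise.open_corrective_actions} corrective action(s) from previous tests still open")
    return findings


# Constructed sample records; these are not real exercise data.
T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
AS_OF = datetime(2024, 9, 1, tzinfo=timezone.utc)
PASSING = Exercise(
    conducted=T0,
    participants=REQUIRED_STAKEHOLDERS | {"privacy_office"},
    timeline={
        "trigger_identified": T0,
        "breach_classified": T0 + timedelta(hours=4),
        "stakeholders_identified": T0 + timedelta(hours=6),
        "regulatory_determination": T0 + timedelta(hours=10),
        "regulator_notified": T0 + timedelta(hours=60),
        "individuals_notified": T0 + timedelta(days=5),
    },
    open_corrective_actions=0,
)
FAILING = Exercise(
    conducted=datetime(2022, 11, 15, 9, 0, tzinfo=timezone.utc),  # stale test
    participants={"incident_response", "compliance", "executive"},  # legal and comms absent
    timeline={**PASSING.timeline, "regulator_notified": T0 + timedelta(hours=84)},  # 80 h after classification
    open_corrective_actions=2,
)

if __name__ == "__main__":
    for label, record in (("passing", PASSING), ("failing", FAILING)):
        print(label, evaluate(record, AS_OF) or ["no findings"])
```

Each finding maps back to one item of the testing procedure, so the output reads as the gap list an after-action report would carry; the 12-month age check uses the review date rather than the current clock so that the same evidence evaluates identically whenever the audit is repeated.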

Where this control is tested

Audit programs including this control