Is there a written external communications plan covering customers, partners, regulators and (if relevant) press?
Demonstrate that a formally documented external communications plan exists, is approved, maintained, and includes defined procedures for notifying customers, partners, regulators, and press during security incidents or events.
Description
What this control does
This control requires a documented external communications plan that defines roles, responsibilities, messaging, approval workflows, and contact lists for communicating security incidents or significant events to external stakeholders including customers, business partners, regulatory bodies, and the media. The plan should specify thresholds for disclosure, timelines, communication channels, templates, and escalation paths to ensure consistent, accurate, and legally compliant messaging during crisis situations. Without this plan, organizations risk inconsistent messaging, regulatory non-compliance, reputational damage, and loss of stakeholder trust during security incidents.
Control objective
What auditing this proves
Demonstrate that a formally documented external communications plan exists, is approved, maintained, and includes defined procedures for notifying customers, partners, regulators, and press during security incidents or events.
Associated risks
Risks this control addresses
- Inconsistent or contradictory public statements during an incident erode customer trust and amplify reputational damage
- Failure to notify regulators within mandated timeframes results in fines, sanctions, or enforcement actions under breach notification laws
- Uncoordinated media responses by unauthorized personnel lead to disclosure of sensitive investigative details or technical vulnerabilities
- Delayed or absent customer notification allows attackers to exploit compromised credentials or systems at downstream organizations
- Lack of pre-approved messaging templates causes legal review bottlenecks that delay critical notifications during active incidents
- Absence of defined stakeholder contact lists results in incomplete notifications, leaving affected partners unaware of supply chain compromises
- Unauthorized external communications violate regulatory requirements for designated breach notification roles and responsibilities
Testing procedure
How an auditor verifies this control
- Request the current version of the external communications plan and verify it includes dedicated sections for customers, partners, regulators, and press/media.
- Review the plan to confirm it defines specific notification triggers, thresholds, and timelines for each stakeholder category aligned with applicable breach notification regulations.
- Examine the plan for documented roles and responsibilities including authorized spokespersons, legal counsel approval requirements, and escalation paths.
- Verify the plan includes or references pre-approved message templates, holding statements, and communication channels for each stakeholder type.
- Inspect stakeholder contact lists or references to contact repositories to confirm mechanisms exist for reaching customers, partners, regulatory contacts, and media relations.
- Review approval records or version history to confirm the plan was formally approved by executive leadership, legal, and communications functions.
- Interview incident response personnel to validate awareness of the plan and their specific responsibilities during external communications scenarios.
- Select one prior security incident or exercise involving external communication and trace execution against the documented plan to assess practical adherence.