CP-2 / CP-8 / IR-4 (NIST SP 800-53 Rev 5)

Are out-of-band communications pre-arranged for use when email and chat are unavailable (Signal/WhatsApp groups, separate phones, alt mail)?

Description

What this control does

Out-of-band (OOB) communication channels are pre-established alternate methods for critical personnel to communicate during incidents when primary systems (email, corporate chat, VoIP) are compromised, degraded, or unavailable. Typical channels are end-to-end encrypted messaging apps (Signal and WhatsApp by default; Telegram only in its Secret Chats mode, since ordinary Telegram chats are not end-to-end encrypted), personal or separately issued mobile devices with pre-loaded contact rosters, alternative email domains not hosted on corporate infrastructure, and documented emergency phone trees. A channel is only out of band if it shares no dependency with the systems assumed to be compromised: it must not authenticate through the corporate identity provider, run only on devices enrolled in corporate MDM, or rely on corporate DNS or mail routing, otherwise the same intrusion that takes down email can read or block the fallback. Pre-arrangement ensures contacts, identities (for example verified Signal safety numbers), and procedures are validated before an emergency, preventing coordination failures during active attacks such as ransomware, DDoS, or insider threats targeting communication infrastructure.

Control objective

What auditing this proves

Demonstrate that the organization has established, tested, and documented alternative communication channels independent of primary corporate infrastructure for use during incidents when standard communication platforms are unavailable or untrusted.

Associated risks

Risks this control addresses

  • Ransomware attackers encrypting email servers and collaboration platforms prevent incident response coordination, enabling attackers to continue operations unimpeded
  • Sophisticated threat actors compromise corporate email and chat to eavesdrop on incident response activities, gaining intelligence to evade detection and countermeasures
  • Distributed Denial-of-Service attacks against corporate infrastructure render email and chat unavailable during coordinated multi-vector attacks requiring urgent response
  • Insider threats with administrative access disable or monitor corporate communication systems to conceal malicious activity and prevent detection
  • Cloud service provider outages affecting email and collaboration tools prevent crisis communication during time-sensitive security incidents requiring immediate coordination
  • Legal or regulatory events requiring communication about breach notification, law enforcement coordination, or executive decision-making cannot occur if corporate systems are preserved as evidence, under legal hold, or seized
  • Lack of pre-established alternate channels forces ad-hoc coordination attempts during crises, resulting in incomplete team assembly, delayed response, and miscommunication

Testing procedure

How an auditor verifies this control

  1. Request and review the documented out-of-band communication plan, including designated platforms (Signal, WhatsApp, personal phones), contact rosters, group memberships, and activation procedures
  2. Interview the CISO or incident response lead to confirm which personnel roles are required to participate in OOB channels and verify their understanding of when to activate alternate communications
  3. Obtain evidence that designated OOB communication applications are installed and configured on authorized devices, including screenshots of group memberships or contact lists showing IR team members
  4. Select a sample of 5-7 critical incident response personnel and verify their personal contact information (mobile numbers, personal email, messaging app handles) is current in the OOB roster
  5. Review test or exercise records from the past 12 months demonstrating OOB channels were activated and used in tabletop exercises, simulations, or actual incidents
  6. Verify that OOB communication channels are operationally independent from corporate infrastructure by confirming they use non-corporate devices, networks, hosting, and identity (e.g., personal phones, non-corporate email domains, no sign-in through corporate SSO or MDM-managed profiles)
  7. Examine access control measures for OOB channels including authentication requirements, encryption settings, and procedures to prevent unauthorized joining of communication groups (e.g., admin-approved membership, disabled or rotated group invite links, and verification of member identities such as Signal safety numbers)
  8. Review change management records showing OOB contact rosters and group memberships are maintained during personnel changes, with quarterly or incident-triggered validation cycles documented
Evidence required

Documented out-of-band communication plan with platform selections, contact rosters, and activation procedures; screenshots or exports showing configured OOB communication groups (Signal groups, WhatsApp participant lists, alternative email distribution lists) with IR team membership; test or exercise reports demonstrating OOB channel activation within the past 12 months; interview notes confirming personnel awareness and readiness; roster update logs or change tickets showing maintenance activities.

Pass criteria

The organization maintains documented, tested out-of-band communication channels independent of corporate infrastructure, with current contact information for all critical incident response personnel, and evidence of successful activation testing within the past 12 months.
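The roster checks in testing steps 4 through 8 and the pass criteria above can be scripted so they run the same way at every quarterly validation. The following Python audit is an added example, not part of the control text or of any assessment tool: the corporate domains, required roles, contact entries and dates are all constructed for the illustration. It flags entries whose alternate address sits on a corporate domain, that lack a mobile number or a verified Signal safety number, or that have not been validated within 90 days, then fails the roster if any required role lacks a clean contact or the last activation test is older than 12 months.

```python
"""Audit an out-of-band (OOB) contact roster against the checks above.

Added example; the roster, domains, roles and dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumption: the organization's own mail domains. An OOB address on one of
# these depends on the infrastructure assumed to be down (testing step 6).
CORPORATE_DOMAINS = {"example-corp.com", "mail.example-corp.com"}

ROSTER_MAX_AGE_DAYS = 90    # quarterly validation cycle (step 8)
TEST_MAX_AGE_DAYS = 365     # activation test within the past 12 months (step 5)

# Assumption: roles the OOB plan requires to be reachable (step 2).
REQUIRED_ROLES = {"CISO", "IR lead", "Legal", "Comms", "Infrastructure on-call"}


@dataclass(frozen=True)
class Contact:
    name: str
    role: str
    alt_email: str          # non-corporate address, "" if none
    mobile: str             # personal or separately issued number, "" if none
    signal_verified: bool   # safety number verified in person (step 7)
    last_validated: date    # when this entry was last confirmed (step 8)


def contact_findings(c: Contact, today: date) -> list[str]:
    """Deficiencies for one roster entry; an empty list means the entry is clean."""
    findings: list[str] = []
    domain = c.alt_email.rpartition("@")[2].lower()
    if not domain or domain in CORPORATE_DOMAINS:
        findings.append("alt email missing or on a corporate domain")
    if not c.mobile:
        findings.append("no mobile number")
    if not c.signal_verified:
        findings.append("Signal safety number not verified")
    if (today - c.last_validated).days > ROSTER_MAX_AGE_DAYS:
        findings.append(f"not validated in the last {ROSTER_MAX_AGE_DAYS} days")
    return findings


def audit_roster(roster, last_activation_test: date, today: date,
                 required_roles=REQUIRED_ROLES) -> dict:
    """Apply the pass criteria: every required role reachable through a clean
    entry, and a successful activation test within TEST_MAX_AGE_DAYS."""
    per_contact = {c.name: contact_findings(c, today) for c in roster}
    # A role counts as covered only by an entry with no deficiencies.
    covered = {c.role for c in roster if not per_contact[c.name]}
    missing_roles = sorted(set(required_roles) - covered)
    test_age = (today - last_activation_test).days
    test_ok = 0 <= test_age <= TEST_MAX_AGE_DAYS
    return {
        "passed": test_ok and not missing_roles
                  and all(not f for f in per_contact.values()),
        "activation_test_age_days": test_age,
        "activation_test_ok": test_ok,
        "missing_roles": missing_roles,
        "findings": {n: f for n, f in per_contact.items() if f},
    }


# Constructed sample roster and dates (not real people or an actual audit).
AUDIT_DATE = date(2024, 6, 1)
LAST_ACTIVATION_TEST = date(2023, 4, 20)   # 408 days before AUDIT_DATE: overdue
SAMPLE_ROSTER = [
    Contact("A. Example", "CISO", "a.oob@example.net", "+15550100", True, date(2024, 4, 15)),
    Contact("B. Example", "IR lead", "b@example-corp.com", "+15550101", True, date(2024, 5, 1)),
    Contact("C. Example", "Legal", "c.oob@example.org", "", True, date(2024, 1, 10)),
    Contact("D. Example", "Comms", "d.oob@example.net", "+15550103", False, date(2024, 5, 20)),
    # No entry for "Infrastructure on-call": that role is unreachable out of band.
]

if __name__ == "__main__":
    report = audit_roster(SAMPLE_ROSTER, LAST_ACTIVATION_TEST, AUDIT_DATE)
    print("PASS" if report["passed"] else "FAIL")
    print("activation test age (days):", report["activation_test_age_days"])
    print("required roles without a clean contact:", report["missing_roles"])
    for name, findings in report["findings"].items():
        print(f"{name}: {'; '.join(findings)}")
```

Run as-is, the sample roster fails on every axis an auditor would probe: one entry's alternate mail is on a corporate domain, one has no mobile number and a stale validation date, one member's Signal identity was never verified, one required role has no entry at all, and the last activation test is 408 days old. Feeding the real roster export (and the real corporate domain list) into the same functions turns steps 4, 6 and 8 into a repeatable check rather than a manual screenshot review; the sorted `missing_roles` list doubles as the remediation list for the change ticket step 8 asks for.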