Is there a clear communications plan for incidents (internal, customer, regulator, media)?
Demonstrate that the organization maintains a documented, role-based communications plan specifying internal and external notification procedures, timelines, thresholds, and authorized contacts for security incidents.
Description
What this control does
An incident communications plan defines pre-authorized communication channels, roles, templates, and escalation procedures for notifying internal stakeholders, affected customers, regulatory bodies, and the media during and after a security incident. The plan specifies thresholds that trigger each type of notification, designates authorized spokespersons, and includes pre-drafted messaging templates to ensure timely, consistent, and legally compliant disclosure. This control ensures the organization can manage reputational risk, meet legal obligations for breach notification, and maintain trust during crises.
Control objective
What auditing this proves
Demonstrate that the organization maintains a documented, role-based communications plan specifying internal and external notification procedures, timelines, thresholds, and authorized contacts for security incidents.
Associated risks
Risks this control addresses
- Delayed or absent regulatory notifications result in statutory penalties and enforcement actions for non-compliance with breach notification laws
- Inconsistent or contradictory public statements damage organizational reputation and erode stakeholder trust during incident response
- Unauthorized personnel disclose sensitive incident details to media or third parties, exposing the organization to legal liability
- Affected customers learn of breaches through media or third parties before receiving direct notification, amplifying reputational harm and litigation risk
- Internal teams receive incomplete or conflicting information, causing uncoordinated response actions and prolonged recovery times
- Failure to notify law enforcement or sector-specific regulators within mandated timeframes triggers additional investigative scrutiny and sanctions
- Ambiguous escalation criteria cause incident responders to delay critical notifications, missing narrow reporting windows required by statute
Testing procedure
How an auditor verifies this control
- Obtain the current version of the incident communications plan including all appendices, notification templates, and escalation matrices.
- Verify the plan explicitly defines notification thresholds for each audience type (e.g., customers, regulators, media) based on incident severity, data type, and affected record counts.
- Confirm the plan identifies specific regulatory notification requirements (e.g., GDPR 72-hour rule, state breach notification statutes, SEC 4-day disclosure) with corresponding timelines and contact information.
- Review the roster of authorized spokespersons and communication approvers, cross-referencing against current organizational charts and delegation-of-authority documents.
- Select three incidents from the past 12 months and trace notification activities against plan requirements, verifying timelines, recipients, and content approval workflows.
- Interview the incident response lead and legal counsel to confirm awareness of notification thresholds and decision-making authority during active incidents.
- Examine communication templates for customers, regulators, and media to verify they include required elements such as breach description, data elements affected, and remediation steps.
- Request evidence of plan testing (tabletop exercises or simulations) within the past year that included communications workflows and stakeholder notification procedures.