Are out-of-band communications (e.g. Signal, separate phones) pre-arranged in case email and chat are encrypted?
Description
What this control does
This control ensures the organization has pre-established out-of-band (OOB) communication channels and procedures for use during a ransomware or cryptographic attack that renders primary communication systems (email, corporate chat, file shares) inaccessible or compromised. Pre-arranged OOB methods typically include dedicated mobile devices, encrypted messaging apps (Signal, WhatsApp), personal phone numbers, or alternative network infrastructure maintained separately from production systems. These channels enable incident response coordination, executive decision-making, and communication with external parties (law enforcement, cyber insurance, forensics vendors) when standard communication infrastructure is encrypted, unavailable, or untrusted.
Control objective
What auditing this proves
Demonstrate that the organization has documented, tested, and operationally ready out-of-band communication mechanisms for use when primary communication systems are compromised by ransomware or encryption attacks.
Associated risks
Risks this control addresses
- Incident response paralysis when ransomware encrypts email servers and collaboration platforms, preventing coordination among responders
- Inability to contact executive leadership or board members for critical decisions during active encryption events
- Loss of communication with third-party incident response vendors, forensics teams, or law enforcement during critical response windows
- Delayed notification to cyber insurance carriers or legal counsel, potentially voiding coverage or creating regulatory exposure
- Attackers impersonating legitimate personnel via compromised communication channels, leading to further compromise or ransom payment to the wrong parties
- Extended downtime and increased ransom negotiation leverage for attackers when the organization cannot coordinate recovery efforts internally
- Failure to coordinate with unaffected business units or backup sites, preventing timely failover or continuity operations
Testing procedure
How an auditor verifies this control
- Request and review the organization's incident response plan and business continuity plan to identify documented out-of-band communication procedures for ransomware scenarios.
- Obtain the roster or contact list containing pre-arranged OOB communication details (Signal usernames, dedicated phone numbers, personal email addresses) for incident response team members, executives, and critical third parties.
- Interview the CISO or incident response manager to understand how OOB communication channels are provisioned, maintained, and updated when personnel changes occur.
- Verify that OOB communication devices or applications are physically separate from corporate infrastructure (e.g., dedicated mobile devices not managed by MDM, personal devices with separate accounts).
- Review tabletop exercise or simulation records from the past 12 months to confirm OOB communication procedures have been tested during ransomware scenario drills.
- Select a sample of three incident response team members and verify they have access to designated OOB communication tools (e.g., can demonstrate Signal app with correct group membership or possess dedicated contact device).
- Examine change management or configuration records showing that OOB contact information is stored in physically or logically separated repositories (printed documents in a safe, offline storage, or an external secure location).
- Review vendor contracts or retainer agreements with incident response firms to confirm OOB contact methods are documented and mutually known outside corporate email systems.