IR-4 / A.16.1.5 / A.5.24 NIST SP 800-61 Rev 2

Comms templates ready

Demonstrate that the organization maintains a complete set of pre-approved, role-specific communication templates that are accessible to authorized personnel and align with incident response and business continuity procedures.

Description

What this control does

Pre-approved communication templates are prepared, tested, and made readily accessible to incident response and business continuity teams for use during security incidents, data breaches, or operational disruptions. These templates cover internal notifications, external stakeholder communications, regulatory breach notifications, customer advisories, and media statements, with placeholders for incident-specific details. Ready templates reduce response time, ensure consistent messaging, meet regulatory notification timelines, and prevent improvised communications that may create legal or reputational risk.

Control objective

What auditing this proves

Demonstrate that the organization maintains a complete set of pre-approved, role-specific communication templates that are accessible to authorized personnel and align with incident response and business continuity procedures.

Associated risks

Risks this control addresses

  • Delayed breach notifications violate regulatory timelines (GDPR 72-hour, state breach laws), resulting in statutory fines and enforcement actions
  • Inconsistent or contradictory public statements during incidents damage organizational credibility and amplify reputational harm
  • Unauthorized personnel improvise communications that disclose sensitive investigative details, alerting threat actors or compromising forensic integrity
  • Failure to notify affected customers, partners, or third parties in a timely manner exposes them to secondary attacks and increases liability exposure
  • Lack of pre-drafted legal hold or regulatory notification language causes missed documentation requirements and adverse legal discovery outcomes
  • Uncoordinated internal communications during incidents create confusion, duplicate effort, and impede coordinated response activities
  • Missing or outdated contact lists in templates result in failure to reach key stakeholders, executives, or external entities during critical windows

Testing procedure

How an auditor verifies this control

  1. Request the incident response plan, business continuity plan, and crisis communication policy documents to identify where communication templates are referenced or stored.
  2. Obtain the complete library of communication templates, including internal notifications, external stakeholder advisories, regulatory breach notifications, customer communications, media statements, and legal hold notices.
  3. Review each template for completeness, verifying presence of required elements: recipient identification, subject line or purpose, incident placeholder fields, escalation contacts, legal disclaimers, and approval authority.
  4. Validate that templates include guidance on timing triggers (e.g., 'within 24 hours of containment'), responsible roles (e.g., CISO, Legal, PR), and approval workflows before issuance.
  5. Cross-reference template contact lists and distribution groups against current organizational directories to confirm accuracy and currency of recipient information.
  6. Interview incident response team members and communications leads to verify they know where templates are stored, have practiced using them, and understand approval processes.
  7. Review records from the most recent tabletop exercise or actual incident to determine whether templates were used, how they were adapted, and what gaps were identified.
  8. Verify templates have been reviewed and approved by legal counsel, compliance, and executive leadership within the past 12 months, with documented review dates and approvers.

Evidence required

Auditor collects the complete communication template library (Word documents, SharePoint files, or runbook entries), showing version control metadata and approval signatures. Review records from recent incident response exercises or real incidents demonstrating template usage, including filled examples with redacted sensitive details. Interview notes or attestation letters from IR team leads and legal counsel confirming template accessibility, training, and periodic review cycles.

Pass criteria

All required communication types have pre-approved templates covering internal, external, regulatory, and media audiences; templates are accessible to authorized personnel; contact information is current; and documented evidence shows templates were reviewed within the past 12 months and tested in exercises or actual incidents.

Where this control is tested

Audit programs including this control