
BIZOPS-32 – Breach Notification


What is this control really about?

This control is about having a process for notifying customers, the media and other relevant parties in a timely manner following a breach of information. This is good practice for any organization. The process should involve:

  • appropriate identification of breaches
  • identification of the affected parties to notify
  • a process to send notification in writing via first-class mail or email
  • a process to ensure the notification is sent without delay, and no later than 60 days

Available tools in the marketplace

  • No tools recommendation for this section

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

What is required to implement this control?

First, a process needs to be documented to guide personnel in the assessment of a breach. The process can be included in your existing security incident management policy and must include the following sections:

  • Breach risk assessment – This section should address the process of determining that a breach has occurred.
  • Affected individuals – This section should address how to identify the affected individuals.
  • Notification timeline – This section should address when and how to notify the affected individuals.

The templates linked above will help you get started.

Secondly, you need to assign designated personnel responsible for notifying affected individuals.

Lastly, a template should be created to track breaches and the notifications sent to affected individuals.

What evidence is the auditor looking for?

  • A documented breach notification procedure
  • The breach reporting template or form used to track breaches and notifications (if no breaches have occurred), or the breach notification letter for a recent breach

Artifact example

  1. A documented breach notification procedure
  2. Breach report form used to track breaches and notifications

Link to a breach notification assessment or a recent breach notification form
