BIZOPS-53 – Incident Communication

What is this control really about?

This control is about implementing a process to rapidly notify internal and external stakeholders when an incident occurs. Why is this control needed? It help engage all stakeholders when an event occurs.

Available tools in the marketplace

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• Guideline for a communication plan
• Example of communication plan from GitLab

What is required to implement this control?

A communication plan should be documented into a procedure or a template. The procedure or template should include:

• Targeted audience – this section should include who should be reached in the event of an incident or event
• Defining the key messages – this section should include the type of communication that would resonate with the stakeholder. Some examples of key messages.
• Creating an outreach plan – this section should include how the message will be delivered to the target audience
• Notification timeline –  this section should define the timeline to notify and communicate the message
• Create a plan for adhoc incidents – this section should include a process for quickly addressing  and communication on emergency incidents.

What evidence is the auditor looking for?

• A documented template or procedure of your communication plan

An example of what an artifact can look like

1. A documented template or procedure of your communication plan

Atlassian has a great template

Another great external template