Cybersecurity incident response plans include a communications plan for internal and external stakeholders
Context and Guidance: Cybersecurity incident response activities may require the involvement of stakeholders from across the organisation, such as public relations team members and legal representatives. These stakeholders may support activities to mitigate potential reputational harm during and after response to a cybersecurity incident. Organisations should consider the types of communication that may be necessary to keep internal and external stakeholders informed during recovery activities. For example, executives and management teams may need to be informed if specific actions are executed or if the incident response team determines an incident may cause reputational harm to the organisation. Be advised that organisations often have a crisis communications plan in place that is separate and distinct from cybersecurity incident response plans. In this case, the cybersecurity incident response plan should make reference to and utilise the process defined in the crisis communications plan when executing incident communications to internal and external stakeholders. If such a plan exists, it may be considered an effective substitute for practice RESPONSE-3f, but only if it is specifically referenced in the incident response plans.
Related Practices
• Information Sharing: This practice is part of a group of cross-domain practices that enable information sharing with organisational stakeholders. These include: THREAT-1i, THREAT-2h, THREAT-2k, RISK-1c1d, SITUATION-3a, SITUATION-3c, SITUATION-3d, SITUATION-3e, RESPONSE-2g, RESPONSE-3c, RESPONSE-3f.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RESPONSE-3a, RESPONSE-3d, RESPONSE-3f, RESPONSE-3g, RESPONSE-3h, RESPONSE-3i.