Do your contingency plans include comprehensive contact information, communication procedures, scenario handling processes, and clear criteria for prioritization, escalation, and elevation?
Explanation
Effective contingency plans must include detailed contact information for all key personnel, specific communication channels and procedures, documented processes for handling common scenarios, and clear criteria for when to prioritize, escalate, or elevate issues. Without these elements, organizations risk delayed responses, miscommunication, and inconsistent handling of incidents during critical situations.
Evidence of fulfillment could include a documented contingency plan template or actual plan that contains sections for: contact directories with roles and alternates, communication protocols with channels and escalation paths, scenario-based response procedures, and a decision matrix for prioritization and escalation criteria.
Implementation Example
Include contact and communication information, processes for handling common scenarios, and criteria for prioritization, escalation, and elevation in all contingency plans.
ID: ID.IM-04.190
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.IM: Improvement
- Sub-Category
  - Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
Related questions
- Does your organization regularly conduct self-assessments of critical services that incorporate current threat intelligence and adversary tactics, techniques, and procedures (TTPs)?
- Has your organization conducted third-party assessments or independent audits of your cybersecurity program within the past 12 months?
- Does your organization utilize automated tools or systems to continuously evaluate compliance with your established cybersecurity requirements?
- Does your organization have a process to identify and implement improvements to incident response procedures based on findings from exercises, tests, and reviews?
- Does your organization have a formal process to identify and implement improvements to business continuity, disaster recovery, and incident response plans based on exercises conducted with critical service providers and suppliers?
- Does your organization involve internal stakeholders (such as senior executives, legal, and HR) in security tests and exercises?