Framework Category
Incident Recovery Communication
Incident Recovery Communication ensures transparent, coordinated communication during the recovery phase.
It includes managing public relations, updating stakeholders on recovery progress, repairing reputation, and sharing approved public updates to maintain trust and credibility.
Implementation Questions
RC.CO-03
Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
Does your organization have documented procedures for securely sharing recovery information and restoration progress with stakeholders during incident response?
During a security incident or disaster recovery scenario, it's critical that appropriate stakeholders receive timely updates about recovery efforts while ensuring sensitive information remains protected. This question assesses whether your organization has formalized how recovery information is shared, with whom, through what secure channels, and at what frequency during an incident response.

As evidence, you could provide a section of your incident response plan that specifically outlines recovery information sharing protocols, including designated communication channels, authorized spokespersons, information classification guidelines for recovery data, and templates for status updates that balance transparency with security considerations.
Does your organization have a formal process for updating senior leadership on the recovery status and progress during major security incidents?
Regular updates to senior leadership during major incidents ensure they have visibility into the recovery efforts, can make informed decisions, and provide necessary resources to support the incident response team. These updates typically include current status, estimated time to resolution, business impact assessment, and any escalation needs.
Does your organization adhere to contractually defined rules and protocols for incident information sharing with suppliers?
This question assesses whether your organization follows the specific incident reporting and information sharing requirements established in supplier contracts. These requirements typically include timeframes for notification, types of incidents that must be reported, communication channels, and the level of detail required when sharing incident information.
Has your organization established a formal process for coordinating crisis communication with critical suppliers during security incidents?
This question assesses whether your organization has established clear protocols for communicating with critical suppliers during cybersecurity incidents or crises. Effective crisis communication with suppliers is essential to coordinate response efforts, minimize disruption to the supply chain, and ensure all parties have accurate information to make informed decisions during an incident.
RC.CO-04
Public updates on incident recovery are shared using approved methods and messaging
Does your organization have documented breach notification procedures that are followed during data breach recovery incidents?
This question assesses whether your organization has established formal procedures for notifying affected parties and relevant authorities when a data breach occurs, and whether these procedures are consistently followed during incident recovery. Proper breach notification procedures ensure timely communication with affected individuals, regulatory compliance, and appropriate remediation steps to minimize damage from the breach.
Has your organization documented an incident recovery plan that includes steps for both remediation and prevention of future similar incidents?
An effective incident recovery plan should outline specific actions to restore normal operations after a security incident and implement measures to prevent recurrence. This includes root cause analysis, system restoration procedures, and specific security improvements to address identified vulnerabilities.