Does your organization have a documented incident escalation procedure that defines coordination with both internal stakeholders (e.g., management, legal) and external parties (e.g., customers, regulators, law enforcement)?
Explanation
This question concerns escalation governance: whether you have a documented procedure for coordinating incidents with internal stakeholders (management, legal) as well as external parties (customers, regulators, law enforcement).
Effective incident escalation procedures ensure timely notification to decision-makers, technical teams, legal counsel, affected customers, and regulatory bodies when necessary, preventing communication breakdowns during critical incidents.
Evidence could include an incident response plan document that contains escalation matrices, contact information for stakeholders, criteria for different escalation levels, communication templates, and defined timelines for notifications. This document should clearly show when and how incidents are elevated to senior management, legal teams, customers, regulators, or law enforcement.
Implementation Example
Coordinate incident escalation or elevation with designated internal and external stakeholders
ID: RS.MA-04.318
Context
- Function: RS: RESPOND
- Category: RS.MA: Incident Management
- Sub-Category: Incidents are escalated or elevated as needed
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have documented criteria for estimating the severity of security incidents?