Framework Category
Incident Response Reporting and Communication
Incident Response Reporting and Communication ensures clear, timely communication during incidents.
It defines roles, notifies internal and external stakeholders, facilitates coordinated response, and supports voluntary information sharing to enhance overall cybersecurity awareness.
Implementation Questions
RS.CO-01
Personnel know their roles and order of operations when a response is needed
RS.CO-02
Internal and external stakeholders are notified of incidents
Does your organization have documented breach notification procedures that include a process for notifying affected customers in the event of a data breach?
This question concerns breach notification: whether you maintain documented procedures that include a clear process for notifying affected customers when a data breach occurs. Effective breach notification procedures should define roles and responsibilities, timeframes for notification, communication templates, and compliance with relevant data protection regulations (such as GDPR, CCPA, or industry-specific requirements).
Does your organization have documented procedures for notifying business partners and customers of security incidents in accordance with contractual obligations?
This question concerns incident notification to partners: whether you have documented procedures for informing business partners and customers of security incidents in line with your contractual obligations. Clear notification procedures help maintain trust, enable affected parties to take appropriate action, and demonstrate compliance with legal and contractual obligations.
Does your organization have documented procedures for notifying law enforcement and regulatory bodies of security incidents that include specific notification criteria and required management approvals?
This question concerns engaging the authorities: whether you have documented procedures, with clear notification criteria and required management approvals, for notifying law enforcement and regulators of security incidents. Proper notification procedures ensure timely reporting to law enforcement and regulatory bodies when legally required or when external assistance is needed, while maintaining appropriate management oversight of these communications.
RS.CO-03
Information is shared with designated internal and external stakeholders
Does your organization have documented processes for securely sharing information during incident response that align with established information sharing agreements?
This question concerns controlled information sharing during a response: whether you have documented processes for sharing incident information in line with established information sharing agreements. Secure information sharing during incidents is critical to coordinating an effective response, meeting regulatory requirements, and maintaining trust with partners and customers.
Does your organization voluntarily share information about observed threat actor tactics, techniques, and procedures (TTPs) with an Information Sharing and Analysis Center (ISAC) or similar industry group after removing sensitive data?
Sharing sanitized threat intelligence about attacker TTPs helps strengthen the collective security posture of your industry by allowing other organizations to prepare defenses against similar attacks. This collaborative approach enables faster identification of emerging threats and more effective response strategies across the sector.
Does your organization have a documented process for notifying HR when malicious insider activity is detected?
This question concerns coordination with HR on insider threats: whether a documented process exists for notifying HR when malicious insider activity is detected. Such activity might include data theft, unauthorized system access, sabotage, or other actions that violate security policies and may require disciplinary action.
Does your organization have a formal process for updating senior leadership on the status of major security incidents?
Regular updates to senior leadership during major security incidents ensure proper oversight, enable informed decision-making, and demonstrate appropriate governance of security events. This practice helps leadership understand the business impact of incidents and allocate necessary resources for response and recovery.
Does your organization adhere to the incident information sharing rules and protocols defined in supplier contracts?
This question concerns contractual incident sharing: whether you adhere to the information-sharing rules and protocols for security incidents set out in your supplier contracts. These protocols typically specify which types of incidents must be reported, timeframes for reporting, communication channels, and confidentiality requirements.
Has your organization established and documented crisis communication protocols with all critical suppliers?
Effective crisis communication between your organization and critical suppliers is essential during security incidents, service disruptions, or other emergencies. It ensures timely information sharing and coordinated response efforts, and minimizes operational impact during critical situations. Communication protocols should define contact methods, escalation procedures, response timeframes, and roles and responsibilities for both parties.
RS.CO-04
Coordination with stakeholders occurs consistent with response plans
RS.CO-05
Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate, and arrived like London buses: 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.