Framework Category

Incident Response Reporting and Communication

Incident Response Reporting and Communication ensures clear, timely communication during incidents.

It defines roles, notifies internal and external stakeholders, facilitates coordinated response, and supports voluntary information sharing to enhance overall cybersecurity awareness.

Implementation Questions

RS.CO-02

Internal and external stakeholders are notified of incidents

Does your organization have documented breach notification procedures that include a process for notifying affected customers in the event of a data breach?

This question assesses whether your organization has established formal procedures for responding to data breaches, with specific focus on customer notification requirements. Effective breach notification procedures should define roles and responsibilities, timeframes for notification, communication templates, and compliance with relevant data protection regulations (such as GDPR, CCPA, or industry-specific requirements).

Does your organization have documented procedures for notifying business partners and customers of security incidents in accordance with contractual obligations?

This question assesses whether your organization has established formal processes to communicate security incidents to external stakeholders as required by contracts and agreements. Having clear notification procedures helps maintain trust, enables affected parties to take appropriate actions, and demonstrates compliance with legal and contractual obligations.

Does your organization have documented procedures for notifying law enforcement and regulatory bodies of security incidents that include specific notification criteria and required management approvals?

This question assesses whether your organization has formalized when and how to engage external authorities during security incidents. Proper notification procedures ensure timely reporting to law enforcement and regulatory bodies when legally required or when external assistance is needed, while ensuring appropriate management oversight of these communications.

RS.CO-03

Information is shared with designated internal and external stakeholders

Does your organization have documented processes for securely sharing information during incident response that align with established information sharing agreements?

This question assesses whether your organization has formalized procedures for sharing security incident information with appropriate stakeholders while maintaining confidentiality and compliance with agreements. Secure information sharing during incidents is critical to coordinate effective responses, meet regulatory requirements, and maintain trust with partners and customers.

Does your organization voluntarily share information about observed threat actor tactics, techniques, and procedures (TTPs) with an Information Sharing and Analysis Center (ISAC) or similar industry group after removing sensitive data?

Sharing sanitized threat intelligence about attacker TTPs helps strengthen the collective security posture of your industry by allowing other organizations to prepare defenses against similar attacks. This collaborative approach enables faster identification of emerging threats and more effective response strategies across the sector.

Does your organization have a documented process for notifying HR when malicious insider activity is detected?

This question assesses whether formal communication channels exist between security teams and HR when employees or contractors are found engaging in malicious activities. These activities might include data theft, unauthorized system access, sabotage, or other actions that violate security policies and potentially require disciplinary action.

Does your organization have a formal process for updating senior leadership on the status of major security incidents?

Regular updates to senior leadership during major security incidents ensure proper oversight, enable informed decision-making, and demonstrate appropriate governance of security events. This practice helps leadership understand the business impact of incidents and allocate necessary resources for response and recovery.

Does your organization adhere to the incident information sharing rules and protocols defined in supplier contracts?

This question assesses whether your organization follows the contractually defined procedures for sharing security incident information with suppliers and vice versa. These protocols typically specify what types of incidents must be reported, timeframes for reporting, communication channels, and confidentiality requirements.

Has your organization established and documented crisis communication protocols with all critical suppliers?

Effective crisis communication between your organization and critical suppliers is essential during security incidents, service disruptions, or other emergencies. It ensures timely information sharing and coordinated response efforts, and minimizes operational impact during critical situations. Communication protocols should define contact methods, escalation procedures, response timeframes, and roles/responsibilities for both parties.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub