Has your organization established and documented crisis communication protocols with all critical suppliers?
Explanation
Effective crisis communication between your organization and critical suppliers is essential during security incidents, service disruptions, and other emergencies. It enables timely information sharing and coordinated response efforts, and it minimizes operational impact while the situation is unfolding. Communication protocols should define contact methods, escalation procedures, response timeframes, and the roles and responsibilities of both parties.
Evidence could include a documented crisis communication plan specific to suppliers, contact lists with emergency points of contact, templates for crisis notifications, records of communication tests or drills with suppliers, or formal agreements (such as Business Continuity Plans or Incident Response Plans) that include communication protocols.
Implementation Example
Coordinate crisis communication methods between the organization and its critical suppliers
ID: RS.CO-03.338
Context
- Function
  - RS: RESPOND
- Category
  - RS.CO: Incident Response Reporting and Communication
- Sub-Category
  - Information is shared with designated internal and external stakeholders
Related questions
- Do personnel understand their specific roles, responsibilities, and the order of operations during a security incident response?
- Does your organization have documented breach notification procedures that include a process for notifying affected customers in the event of a data breach?
- Does your organization have documented procedures for notifying business partners and customers of security incidents in accordance with contractual obligations?
- Does your organization have documented procedures for notifying law enforcement and regulatory bodies of security incidents that include specific notification criteria and required management approvals?
- Does your organization have documented processes for securely sharing information during incident response that align with established information sharing agreements?
- Does your organization voluntarily share information about observed threat actor tactics, techniques, and procedures (TTPs) with an Information Sharing and Analysis Center (ISAC) or similar industry group after removing sensitive data?