Incident response: How to implement a communication plan
Communication is critical to an effective incident response plan. Here are best practices for communication planning and an editable template to help you get started.
An incident response communication plan is a crucial component of an organization's broader incident response strategy. As with other elements of incident response planning, organizations should develop their crisis communications plans during a calm period to enable sound decision-making. Attempting to make good choices while in the high-pressure environment surrounding a security incident is a recipe for disaster.
Let's examine the steps CISOs and their teams can take to ensure their organization's cybersecurity incident communication plan is as effective as possible.
Involve senior management and other stakeholders
When preparing a communications plan tailored to a cyberattack or other cybersecurity incident, give senior management and other departments, such as legal, HR, marketing and PR, the opportunity to contribute to it. Once written, obtain final approval from senior management for the program.
Build the plan in accordance with standards and regulations
Review relevant standards, regulations and frameworks that address cybersecurity, incident response and communications. This ensures the plan aligns with established standards and best practices and that it addresses the appropriate issues.
For example, organizations subject to certain regulations, such as the GDPR, CCPA and the EU Network and Information Security Directive 2, must ensure their incident response plans are consistent with the requirements of these regulations.
Evaluate guidance from industry groups and government entities, such as "NIST Special Publication 800-61 Revision 3: Incident Response Recommendations and Considerations for Cybersecurity Risk Management," "ISO/IEC 27035-1:2023 Information technology -- Information security incident management" and CISA's National Cyber Incident Response Plan (2024).
Additional incident response frameworks to consider include the NIST Cybersecurity Framework, SANS Institute's Incident Response Framework and the Center for Internet Security's Control 19, Incident Response and Management.
Formalize the incident response team activation process
The first step in the incident response communication process is the activation of the incident response team. Any employee suspecting a security incident should contact their organization's security operations center (SOC) or other designated 24/7 monitoring point. The SOC should then follow a standard triage process to determine if the event warrants the activation of the incident response team.
Note that some organizations establish a formal computer security incident response team or computer incident response team, or put incident response under the purview of the SOC.
Once the has SOC determined that team activation is required, time is of the essence. Consider establishing a capability to generate alerts, using tools such as PagerDuty or FireHydrant. Emergency notification systems, such as those from AlertMedia and Envoy, can also be configured for incident response communications. These tools manage the process of scheduling calls and sending alert messages. Offloading these tasks to a dedicated platform reduces the burden on SOC analysts and enables the incident response team to convene faster. Many of these systems use AI elements to improve incident management.
Designate a point person for external and internal communication
As soon as word leaks of a security incident, internal personnel and external stakeholders -- including employees, customers, vendors and suppliers, the media, regulators and more -- will begin clamoring for information. It's therefore critical to coordinate all resources when communicating the response. This helps control rumors and ensures the organization presents a clear and consistent message across communication channels.
Create a communication role on the incident response team. This person provides a consistent view of the incident to internal and external parties through regular updates.
The person who holds the communication role does not need to possess deep technical knowledge, but they should have familiarity with concepts to serve as both a translator and filter for the technical information emerging from the response team. A glossary can help ensure the vocabulary used in written and verbal communications is correct and consistent.
Create criteria for involvement of law enforcement
Three of the most crucial decisions facing an incident response team dealing with a cybersecurity event are the following:
- Whether it is appropriate to involve law enforcement.
- When notification of law enforcement should take place.
- Whether additional third parties should be notified and engaged.
These are difficult decisions because law enforcement involvement often changes the nature of an investigation and increases the likelihood of public attention. On the other hand, law enforcement personnel have access to investigative tools, such as search warrants, that are unavailable to internal teams.
Certain incidents might require the assistance of third-party services experienced in cybersecurity and incident response. These organizations have tools to diagnose and remediate a cyberattack.
Incident response communication plans should address these quandaries by outlining clear criteria for when the team should notify law enforcement and request third-party services. The plan should identify who on the team has the authority to make that determination and what internal notifications should take place prior to involving law enforcement and others. For example, the team should consult with executive leadership and legal counsel prior to involving the authorities.
Develop communication templates for customer outreach
Many cybersecurity incidents require some level of communication with customers or the general public; incident response communication plans should account for this.
This might involve a notification in the event of an unauthorized release of personally identifiable information, or it might be an explanation to customers of a service disruption. The frequency, quality and content of these communications have a significant effect on public perception. These factors could limit or magnify the reputational damage associated with a cybersecurity incident.
That's why communication templates are so critical to an incident response communication plan, especially in the aftermath of a cybersecurity incident. They are perhaps the most important tool that a communication planning team can provide to incident responders. Crafting a thoughtful and careful notification message can be challenging, and many stakeholders will want to be involved, including account managers, executives, lawyers, and PR experts.
Develop preapproved incident response communication templates in advance so the incident response team simply needs to fill in the blanks and tweak template language, as necessary. Periodically review incident message templates to ensure they are up to date.
These are difficult decisions because law enforcement involvement often changes the nature of an investigation and increases the likelihood of public attention. On the other hand, law enforcement personnel have access to investigative tools, such as search warrants, that are unavailable to internal teams.
Incident response communication plans should address this quandary by outlining clear criteria for when the team should notify law enforcement. The plan should also identify who on the team has the authority to make that determination and what internal notifications should take place prior to involving law enforcement. For example, the team should likely consult with both executive leadership and legal counsel prior to involving the authorities.
Develop communication templates for customer outreach
Many cybersecurity incidents require some level of communication with customers or the general public; incident response communication plans should account for this.
This might involve a notification in the event of an unauthorized release of personally identifiable information, or it might be an explanation to customers of a service disruption. The frequency, quality and content of these communications have a significant effect on public perception. These factors could limit or magnify the reputational damage associated with a cybersecurity incident.
That's why communication templates are so critical to an incident response communication plan, especially in the aftermath of a cybersecurity incident. They are perhaps the most important tool that a communication planning team can provide to incident responders. Crafting a thoughtful and careful notification message can be challenging, and many stakeholders will want to be involved, including account managers, executives, lawyers, and PR experts.
Develop preapproved incident response communication templates in advance so the incident response team simply needs to fill in the blanks and tweak template language, as necessary. Periodically review incident message templates to ensure they are up to date.
Incident response communication policy template
Click here to access our editable incident response communication policy template. Use it as a starting point for content and structure.
Monitor social media
Social media is an important channel of communication between many organizations and the public. Customers are quick to publicly voice their displeasure with an organization. While companies should regularly monitor their social media mentions, this becomes crucially important during a cyberattack or similar crisis.
Social media feeds can provide the incident response team with a quick read on customer sentiment and serve as a trigger for rapid intervention if rumors start to spiral out of control. In addition, social media reports could provide the team with important indicators of service performance, information disclosures and other facts that might shape their response priorities.
Rapid and effective communication is an essential component of a strong response to a significant cybersecurity incident, such as a data breach. Solid incident communication plans provide mechanisms for the following:
- Rapidly notifying stakeholders.
- Coordinating internal communications and external communications.
- Monitoring customer sentiment.
These tools improve the organization's ability to respond to a crisis and help minimize reputational damage.
Emphasize training and awareness
Train all employees on crisis communications activities and their respective roles and responsibilities in the event of a cyberattack. This includes everything from ensuring all employees are aware of when to report suspected incidents to the SOC, to ensuring the person in the communication role has an up-to-date list of who to speak with in the wake of an incident. Review training regularly to keep employees up to date.
Editor's note: This article was originally written by Mike Chapple. It was updated in 2025 by Paul Kirvan.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
