Define Roles and Communications in Plan
Plain English Translation
An incident response plan is only effective if everyone understands their incident response roles and responsibilities when an emergency strikes. Organizations must clearly define who is responsible for managing cyber incidents and maintain an up-to-date incident response communication plan that includes internal teams and external stakeholders like regulators or breach counsel. Furthermore, alternative communication mechanisms must be established, and a hard copy of the incident response plan must be kept available in case digital systems are compromised.
Technical Implementation
Required Actions (startup)
- Identify an incident commander and key technical responders.
- Draft a simple call tree and incident response contact list template.
- Print a hard copy of the incident response plan and store it securely.
- Determine a primary out-of-band communication app (e.g., Signal or WhatsApp) for emergencies.
Required Actions (scaleup)
- Develop a formalized incident response RACI matrix.
- Integrate contact list updates into standard employee offboarding and onboarding checklists.
- Define secure communication procedures for engaging breach counsel and external vendors.
Required Actions (enterprise)
- Maintain dynamic, automated on-call schedules and incident response escalation paths.
- Establish dedicated incident war rooms and standardized communication bridges.
- Regularly test out-of-band communication mechanisms across distributed teams.
Evidence Required
The plan must identify key personnel responsible for handling the incident, including the incident commander, technical responders, communications lead, and legal liaison.
Include phone numbers, alternate emails, and titles for internal staff, as well as contact details for external parties like breach counsel, cyber insurance providers, regulators, and managed service providers.
Map out the sequence of who to notify based on the incident's severity, starting with the initial responder and escalating up to the incident commander, senior leadership, and external legal counsel.
Contact lists and roles should be reviewed at least annually, or immediately following organizational changes, to ensure no critical gaps exist during an actual incident.
Document both primary and secondary mechanisms, ensuring out-of-band communication procedures, such as secure mobile chat apps or personal phones, are ready if the corporate network is compromised.
The incident commander is typically a senior IT or security leader appointed by top management who coordinates the overall response, authorizes containment actions, and manages communications.
Establish a dedicated logging process or assign a war room scribe to record all decisions, timelines, and communications to support post-incident reporting and lessons learned.
CyberSecure Canada requires an up-to-date hard copy of the incident response plan to be stored in a secure, accessible physical location in case digital systems become unavailable.
Integrate contact list reviews into standard employee onboarding and offboarding checklists to guarantee immediate updates when team members join or depart the organization.
Section 5.1.2.2 mandates detailing handling responsibilities, documenting contact info for external parties and regulators, specifying communication mechanisms, and keeping a printed hard copy of the plan.
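As an added illustration (not part of the control text or of any WatchDog Security tooling), a small Python check that lints a constructed contact roster against the evidence points above: required internal and external roles present, a primary and an out-of-band channel for every contact, a review within the last year, a recorded hard-copy location, and an escalation order that starts with the initial responder and reaches the incident commander. The role names, field names and contact values are assumptions.

```python
# Added example (constructed data): lint an IR contact roster against the control's evidence points.
from datetime import date

REQUIRED_ROLES = {"incident_commander", "technical_responder", "communications_lead",
                  "legal_liaison", "breach_counsel", "cyber_insurance", "regulator"}
MAX_REVIEW_AGE_DAYS = 365  # contact lists reviewed at least annually

def lint_roster(roster: dict, today: date) -> list[str]:
    """Return the gaps found; an empty list means the roster passes."""
    gaps = []
    contacts = roster.get("contacts", [])
    present = {c["role"] for c in contacts}
    for role in sorted(REQUIRED_ROLES - present):
        gaps.append(f"missing role: {role}")
    for c in contacts:
        # Each contact needs a primary channel plus an out-of-band one that still
        # works if corporate email/chat is down (personal phone, secure chat app).
        if not c.get("primary"):
            gaps.append(f"{c['role']}: no primary contact")
        if not c.get("out_of_band"):
            gaps.append(f"{c['role']}: no out-of-band contact")
    last = roster.get("last_reviewed")
    if last is None or (today - last).days > MAX_REVIEW_AGE_DAYS:
        gaps.append("contact list review overdue")
    if not roster.get("hard_copy_location"):
        gaps.append("no hard-copy location recorded")
    # Escalation runs from the initial responder up to the incident commander.
    esc = roster.get("escalation", [])
    if not esc or esc[0] != "technical_responder" or "incident_commander" not in esc:
        gaps.append("escalation path must start at technical_responder and reach incident_commander")
    return gaps

# Constructed sample roster with placeholder contact values (not real numbers).
SAMPLE_ROSTER = {
    "last_reviewed": date(2025, 1, 15),
    "hard_copy_location": "ops safe, placeholder location",
    "escalation": ["technical_responder", "incident_commander", "senior_leadership", "breach_counsel"],
    "contacts": [
        {"role": "incident_commander", "primary": "+1-555-0100", "out_of_band": "signal:placeholder"},
        {"role": "technical_responder", "primary": "+1-555-0101", "out_of_band": ""},
        {"role": "communications_lead", "primary": "+1-555-0102", "out_of_band": "+1-555-0199"},
        {"role": "legal_liaison", "primary": "+1-555-0103", "out_of_band": "+1-555-0198"},
        {"role": "breach_counsel", "primary": "+1-555-0200", "out_of_band": "+1-555-0201"},
        {"role": "cyber_insurance", "primary": "+1-555-0300", "out_of_band": "+1-555-0301"},
    ],
}

def lint_sample(as_of: str) -> list[str]:
    # Lint the sample roster as of an ISO date string such as "2026-03-01".
    return lint_roster(SAMPLE_ROSTER, date.fromisoformat(as_of))
```

Run against the sample as of 2026-03-01, it reports the missing regulator contact, the responder with no out-of-band channel, and the overdue annual review; the same check can run in CI whenever the roster file changes.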
Keeping roles and contact lists current is hard because people change roles, vendors rotate, and phone numbers go stale. Tools like WatchDog Security's Policy Management can centralize the incident response plan, enforce version control, and require acknowledgements from named role owners when the plan is updated so changes are reviewed and accepted rather than living in outdated documents.
Auditors typically look for evidence the plan exists, is current, and is accessible even during a network outage (including a printed copy). Tools like WatchDog Security's Compliance Center can track the plan and contact list as required artifacts, capture review/approval evidence, and flag overdue reviews so the organization can keep both soft-copy and hard-copy availability aligned with the control.
"The incident response plan shall detail who is responsible for handling incidents including any relevant contact information for communicating to external parties, stakeholders and regulators (such as breach counsel), as well as what mechanisms to use for communicating during an incident response. The organization shall have an up-to-date hard copy version of this plan available for situations where soft copies are not available."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |