After incidents, the organisation communicates openly and truthfully with affected parties and data subjects, without creating additional security risks for the organisation itself.
After (potential) major incidents, the evaluation and lessons learnt are shared within the sector to improve the cyber resilience of the sector as a whole.
Specification
Communication to (potential) victims of a data breach includes at a minimum (to the extent that disclosing this information does not pose an active security risk):
- the details of the incident,
- the suspected causes,
- the steps taken to mitigate risks,
- what will be done in the future to prevent further incidents and
- what people can do themselves to further reduce their risks.
Furthermore, the organisation's contact details are provided for questions about the incident.
ISO 27001 & 27002:2022
A5.2,
A5.24,
A5.25,
A5.26,
A5.27,
A5.28,
A6.8
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
IM.01 Incident management
IM.03 Incident response to (cyber) security incidents