Controls

Terug naar overzicht
Version

SB.4.007 Communicating about incidents

Crisis & Incident Response
Medium
Medium
Medium
Organisation
v2.0 (Q1 2024)

Description

After incidents, the organisation communicates openly and truthfully to affected parties/subjects, without creating additional security risks to the organisation itself.

After (potential) major incidents, the evaluation and lessons learnt will be shared within the industry to improve cyber resilience of the entire sector.

Specification

Communication towards (potential) victims of a data breach includes at a minmum (to the extent the disclosure of this information doesn't pose an active risk to the security):

  • the details of the incident,
  • the suspected causes,
  • the steps taken to mitigate risks,
  • what will be done in the future to prevent further incidents and
  • what people can do themselves to further reduce their risks.

Furthermore, contact details of the organisation will be given for questions regarding the incident.

Specification

ISO

Communication towards (potential) victims of a data breach includes at a minmum (to the extent the disclosure of this information doesn't pose an active risk to the security): the details of the incident, the suspected causes, the steps taken to mitigate risks, what will be done in the future to prevent further incidents and what people can do themselves to further reduce their risks. Furthermore, contact details of the organisation will be given for questions regarding the incident.

NBA