Incident Communication Plan Template
Organization: [Your Organization Name]
Version: 1.0
Last Updated: [Date]
1. Communication Objectives
- Ensure timely and accurate information sharing among all stakeholders
- Prevent unauthorized disclosure of incident details
- Comply with regulatory notification requirements
- Maintain stakeholder confidence
- Preserve legal privilege where appropriate
2. Communication Channels
Primary Channels
| Channel | Use Case | Access |
|---|---|---|
| [Secure messaging platform] | IRT tactical communications | IRT members only |
| [Conference bridge] | Real-time incident calls | IRT + escalated stakeholders |
| [Incident tracking system] | Status tracking and documentation | IRT + management |
| Direct phone calls | Urgent escalations | All stakeholders |
Backup Channels (if primary infrastructure is compromised)
| Channel | Use Case | Setup Instructions |
|---|---|---|
| Personal cell phones | Emergency contact | Printed contact list distributed to IRT |
| [External messaging app] | Out-of-band chat | Pre-configured group: [group name] |
| [External conference line] | Backup bridge | Dial-in: [number], PIN: [pin] |
Important: If email infrastructure may be compromised, do NOT use corporate email for incident communications.
3. Notification Matrix
Internal Notifications
| Severity | Notify Immediately | Notify Within 1 Hour | Notify Within 4 Hours |
|---|---|---|---|
| SEV-1 | IR Manager, CISO, CEO, Legal | Full IRT, CTO, CFO, HR | All IT staff, Board Chair |
| SEV-2 | IR Manager, CISO | IRT members, System Owners | CTO, Department Heads |
| SEV-3 | On-call analyst, IR Manager | IRT lead analyst | System Owners |
| SEV-4 | On-call analyst | IR Manager (next business day) | N/A |
External Notifications
| Stakeholder | Trigger | Timeline | Prepared By | Approved By |
|---|---|---|---|---|
| Cyber Insurance Carrier | Any potentially covered incident | Per policy terms | Legal | IR Manager |
| FBI/Law Enforcement | Criminal activity, nation-state | Within 72 hours | Legal | CEO |
| CISA | Critical infrastructure impact | Within 72 hours | IR Manager | Legal |
| HHS/OCR (HIPAA) | PHI breach, 500+ individuals | Within 60 days | Privacy Officer | Legal |
| State Attorney General | PII breach per state law | Per state statute | Legal | CEO |
| Affected Individuals | PII/PHI breach confirmed | Per applicable law | Communications | Legal |
| Business Partners | Shared data impacted | Per contract terms | Account Management | Legal |
| Media | Public-facing incident | As needed | Communications Lead | Legal + CEO |
4. Status Update Schedule
During Active Incidents
| Severity | IRT Updates | Executive Updates | Organization Updates |
|---|---|---|---|
| SEV-1 | Every 1 hour | Every 2 hours | Daily or as needed |
| SEV-2 | Every 2 hours | Every 4 hours | As needed |
| SEV-3 | Every 4 hours | Daily | Post-resolution |
| SEV-4 | Daily | As needed | Post-resolution |
INCIDENT STATUS UPDATE
Incident ID: [IR-YYYY-###]
Severity: [SEV-X]
Status: [Investigating / Containing / Eradicating / Recovering / Closed]
Time: [YYYY-MM-DD HH:MM TZ]
SUMMARY:
[2-3 sentence summary of current state]
ACTIONS TAKEN SINCE LAST UPDATE:
- [Action 1]
- [Action 2]
NEXT STEPS:
- [Next action 1]
- [Next action 2]
ESTIMATED TIME TO NEXT UPDATE: [Time]
CONTACT: [IR Manager name and contact]
5. Communication Templates
Template A: Initial Internal Notification (SEV-1/SEV-2)
SUBJECT: [CONFIDENTIAL] Security Incident - [Incident ID] - Initial Notification
A security incident has been identified that requires immediate attention.
Incident ID: [IR-YYYY-###]
Severity: [Level]
Detection Time: [YYYY-MM-DD HH:MM TZ]
Affected Systems: [Brief description]
Current Status: [Investigation/Containment in progress]
The Incident Response Team has been activated. Please join [channel/bridge]
for coordination.
DO NOT discuss this incident outside of designated secure channels.
DO NOT forward this message.
IR Manager: [Name], [Contact]
Template B: Employee Notification (Post-Containment)
SUBJECT: Important Security Notice
[Organization Name] recently identified and responded to a security event
affecting [general description]. Our security team has contained the
situation and taken steps to prevent recurrence.
What happened: [Brief, factual description -- approved by legal]
What we are doing: [Actions taken to protect the organization]
What you should do: [Specific employee actions -- password reset, etc.]
If you notice any suspicious activity, please report it immediately to
[reporting channel].
We take the security of our systems and data seriously and will continue
to monitor the situation closely.
[Name]
[Title]
Template C: Regulatory Notification (adapt to specific regulation)
[To be drafted in consultation with legal counsel for each notification]
Key elements to include:
- Nature of the incident
- Date of discovery
- Types of information involved
- Number of individuals affected
- Steps taken to investigate and mitigate
- Steps individuals can take to protect themselves
- Contact information for questions
- Whether identity protection services are being offered
Principles
- All media inquiries are routed to [Communications Lead / PR Agency]
- No IRT member speaks to media without explicit authorization from [CEO/Legal]
- Prepare holding statements in advance for common scenarios
- Never speculate about attribution, scope, or impact
- Never disclose technical details that could aid other attackers
Holding Statement Template
[Organization Name] is aware of a cybersecurity incident and is working
with [internal security team / external cybersecurity experts / law enforcement]
to investigate and resolve the matter. The security of our [customers'/
employees'/partners'] information is our top priority. We will provide
updates as our investigation progresses.
For questions, please contact [Communications Lead] at [contact].
7. Post-Incident Communication
After the incident is resolved:
- Send final status update to all notified stakeholders
- Provide executive summary report to leadership
- Deliver post-incident review findings to IRT and relevant stakeholders
- Update employees on any permanent security changes
- Complete all required regulatory notifications
- File final report with cyber insurance carrier
Template provided by Petronella Technology Group. For incident response planning assistance, contact 919-348-4912.