Reputation is repaired after an incident.

The organization develops and implements a crisis response strategy to protect the organization from the negative consequences and reputational damage of a crisis. This strategy should include predefined actions to manage public view, control the narrative, and mitigate the impact of the crisis on the organization.

The organization shall determine which issues related to the information security management system need to be communicated on a regular basis. The plan must include the answers, e.g. to the following points:

• What issues are communicated? These can be e.g. new or changed security objectives
• How and when to communicate?What channels are used and how often?
• To whom is communicated? How often for security executives, how often for the entire organization or partners.
• Who takes part? Who has the right to message and from whom, for example, messages should be approved.

Task owner will take care of the implementation of the plan and regular evaluation of its effectiveness.

The organization has an operating model for regular communication to the entire organization about the risk situation in information security and about new significant risks affecting the organization.

Information can be implemented, for example, as a collaboration between the information security core team and communication professionals.

The organization shall have procedures in place to communicate effectively with stakeholders and other participants during continuity plans and survival procedures.

Communication plans related to continuity plans shall include:

• Responsible persons, related stakeholders and other necessary contact information
• Clear criteria for the situation where continuity communication will be implemented
• A clear description of the staff implementing the continuity communication in each situation and the recipients to whom the communication will be sent
• References to the templates and tools to be used