The organization has an operating model for regular communication to the entire organization about the risk situation in information security and about new significant risks affecting the organization.
This communication can be implemented, for example, as a collaboration between the information security core team and communication professionals.
The organization shall determine which issues related to the information security management system need to be communicated on a regular basis. The plan must include answers to, for example, the following points:
The task owner will take care of the implementation of the plan and regular evaluation of its effectiveness.
The organization develops and implements a crisis response strategy to protect the organization from the negative consequences and reputational damage of a crisis. This strategy should include predefined actions to manage public perception, control the narrative, and mitigate the impact of the crisis on the organization.
The organization shall have procedures in place to communicate effectively with stakeholders and other participants during continuity plans and survival procedures.
Communication plans related to continuity plans shall include: