Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

03) Does your Incident Response Plan include consideration of legal and regulatory commitments?

January 30, 2023
Business Resilience
Incident Response Plan

Answer yes if your organisation's Incident Response Plan contains an assessment of impact to legal and regulatory compliance. Please reference the section of any previously provided plan in the notes.

An incident response plan is a crucial document that outlines the operational steps that must be taken when an unexpected or disruptive event occurs. The plan can be invoked for both security and non-security incidents and should be an organic and operational document used to restore service and coordinate a response.

Categorisation and severity assessment of the incident should consider legal and regulatory commitments. For example:

  • If the incident involves suspected disclosure of confidential data then the reuirements for controlled, formal disclosure reporting and management should be considered as directed by local data protection regulation or legislation (e.g. the General Data Protection Regulation).
  • If the incident involves disruption of services provided to a client under contract then the terms of that contract (for example service level agreements and associated penalty thresholds, recovery time objectives or recovery point objectives, etc.) should be considered.
  • If the incident is experienced by Digital Services Providers (subject to UK and EU Network and Information Systems (NIS) regulation) and public communications service providers (subject to UK and EU Privacy and Electronic Communications Regulation (PECR) legislation), these organisations have additional reporting and accountability to regulators that need to be factored into incident response legal counsel and communications resourcing.
  • If an incident is triggered by fraud or theft detection indicators then the legal requirements for evidence preservation and forensic capabilities should be considered as part of the severity assessment and response controls.

These are just example legal and regulatory considerations. The specific considerations required will depend on the nature of the incident and the legal and regulatory commitments relevant to your organisation, which will vary by organisation type, size and jurisdiction.

How to implement the control

Ensure your plan has a method for considering the legal and regulatory aspects of any incidents that cause the plan to be invoked. It can help to have legal counsel and data protection advisors review your company's plan.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.