IR-14 (Incident Readiness) · 4% of OML score

Are incident-related decisions communicated clearly to relevant stakeholders?

When something goes wrong with your IT systems or data, do you have a clear plan to tell the right people (employees, customers, regulators, insurers) what happened and what they should do? This question checks whether your team knows who needs to know what, and whether messages are consistent and timely.

Why This Matters to Your Business

If stakeholders don't know about a security incident quickly and clearly, several expensive things happen: customers lose trust and switch to competitors, regulators like MeitY or your state's data protection officer may fine you for late notification, your insurance claim gets rejected because you missed reporting deadlines, and staff panic and spread rumours that damage your brand more than the actual incident. For example, a Delhi IT services firm lost ₹2.5 crore in client contracts after a ransomware attack because clients weren't told within 72 hours and found out from their own security scans instead.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no incident communication plan at all. When something breaks, people find out by accident or by noticing problems themselves, and nobody is responsible for telling anyone anything.

Level 1
Initial

You have a basic list of phone numbers and email addresses (WhatsApp group, contact list) of people to call during an incident, but there is no written plan for what to say or when to say it.

Level 2
Developing

You have a written incident communication checklist that lists who to notify (management, customers, regulators) and when, but it is not regularly tested or updated. Instructions exist but may not match your actual business structure.

Level 3
Defined

You have a documented incident response communication plan with clear roles, templates for different incident types, and notification timelines. You have tested it at least once in the past year and updated it based on what you learned.

Level 4
Managed

Your communication plan is integrated into your overall incident response process, tested every 6 months, regularly reviewed and updated, includes escalation paths, and all staff know their role in it. You track whether notifications were actually sent and when.

Level 5
Optimised

Communication planning is part of your continuous security culture. You test scenarios quarterly with simulated incidents, stakeholders provide feedback, the plan is updated based on lessons learned, and your notification process is monitored for timeliness and accuracy. You conduct post-incident reviews specifically on whether communication was effective.

How to Move Up — Practical Steps

Each step lists what to do, who should do it, and the expected effort.

Step 0 → 1
  What to do: Create a simple contact list document with names, roles, phone numbers, and email addresses of all people who must be contacted during an incident (MD, CFO, legal, key customers, bank, insurance company, police contact). Share via WhatsApp or email to all senior staff.
  Who: Business owner or IT manager
  Effort: 1 day

Step 1 → 2
  What to do: Write a one-page incident communication checklist in Hindi and English listing: (1) who to call first (MD/owner), (2) who to notify within 24 hours (regulators, affected customers), (3) who to notify within 72 hours (all customers, insurance), (4) what information to collect before calling anyone. Print and post it near the server room and in the office.
  Who: IT manager with CFO or business owner input
  Effort: 3-5 days

Step 2 → 3
  What to do: Create a formal incident response communication plan document (2-3 pages) with: incident categories (data breach, ransomware, outage), who needs what information, message templates, notification timelines aligned with the DPDP Act (72 hours for breaches), escalation rules, and a contact matrix. Get the CFO and legal advisor (even if external) to review and sign off.
  Who: IT manager with CFO and external legal advisor
  Effort: 2-3 weeks

Step 3 → 4
  What to do: Run a full tabletop incident simulation (2 hours) where staff act out a data breach scenario, test the communication plan in real time, document what worked and what didn't, and update the plan based on the findings. Do this at least once every 6 months. Create a log of all simulation tests.
  Who: IT manager to run; all senior staff to participate
  Effort: 1-2 months (including preparation and follow-up)

Step 4 → 5
  What to do: Implement automated notification tracking: use a simple spreadsheet or tool to record (a) when the incident was detected, (b) who was notified and at what time, (c) confirmation of receipt, (d) what message was sent. Review quarterly in security meetings. Conduct an annual external stakeholder feedback survey on whether communication was clear and timely.
  Who: IT manager (ongoing) with quarterly business owner review
  Effort: Ongoing (setup 1 week, then 2-4 hours per incident)
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written Incident Response Communication Plan document (dated and signed by owner/MD and reviewed by legal)
  • Contact matrix or emergency contact list with names, roles, phone, email, and notification sequence (marked as confidential)
  • Message templates for different incident types (data breach, ransomware, service outage, insider threat) in English and local language
  • Log or register of past incidents showing: date/time detected, date/time stakeholders were notified, who was notified, confirmation receipts, and summary of communication sent
  • Records of incident communication simulation tests or drills (date, participants, scenario, findings, plan updates made)
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through exactly what happens in the first 30 minutes after you discover a security incident. Who do you call first, and what do you tell them?"
  • "Show me your incident communication plan. How do you ensure that regulators are notified within the required 72 hours for a data breach?"
  • "Can you show me an example of an incident where you actually notified stakeholders? What was the incident, when did you find out, and when did you tell your customers and regulators?"
  • "How do you make sure that all employees know their role in communicating an incident? How have you tested this plan in the past 12 months?"
Tools That Work in India

Each entry lists the purpose, a free option, and a paid option.

Purpose: Send incident notifications automatically to multiple stakeholders at once (SMS, email, WhatsApp)
  Free option: Google Forms + Sheets (manual but free); Telegram bot groups (free but basic)
  Paid option: Twilio (SMS + WhatsApp alerts, ₹500-2000/month); AlertOps (₹30,000+/year)

Purpose: Track and log who was notified, when, and confirmation of receipt during an incident
  Free option: Google Sheets with timestamps; Microsoft Teams message history
  Paid option: PagerDuty incident log feature (₹50,000+/year); Splunk (₹100,000+/year)

Purpose: Simulate and test incident response communication with staff in a controlled scenario
  Free option: Microsoft Teams or Google Meet for a tabletop exercise; manual role-play setup
  Paid option: SANS Cyber Aces simulation (free); incident simulation services from consultants (₹1-5 lakhs per session)
How This Makes You More Resilient

When your incident communication is clear and fast, your customers and regulators stay informed and retain trust instead of assuming the worst. Your insurance claim is processed faster because you meet notification deadlines. Your staff stay calm and focused instead of spreading panic, so recovery is quicker and costs are lower. You avoid regulatory fines under DPDP Act and avoid the cascading reputational damage that comes from customers hearing about incidents through news or competitors.
Common Pitfalls in India

  • Only the IT person knows the incident communication plan, so if they are sick or unavailable during an incident, nobody knows what to do and communication falls apart. Always ensure at least 2-3 people (IT manager, CFO, ops manager) know the plan and keep updated copies.
  • Using only WhatsApp groups or email for critical incident notifications, which can be lost, ignored, or misunderstood. Always follow up verbal/text notifications with formal written records (email to senior staff with CC to external parties) and get read receipts.
  • Waiting too long to notify regulators and customers because management wants more information first, then missing the 72-hour DPDP Act deadline. Start the notification clock from when the incident is *discovered*, not when it is fully understood, and send an initial notice even if details are incomplete, followed by updates.
Compliance References

Standard: DPDP Act 2023
  Relevant section: Section 4(12) (notification of personal data breach to affected individuals and Authority within 72 hours) and Section 4(9) (responsible AI practices including transparency)

Standard: CERT-In 2022
  Relevant section: Direction 4 (incident reporting to CERT-In within 6 hours for critical infrastructure; communication with affected users required)

Standard: ISO 27001:2022
  Relevant section: Annex A.17.1 (communication in response to information security incidents) and Clause 6.1.3 (risk treatment)

Standard: NIST CSF 2.0
  Relevant section: RS (Respond) - RS.CO-2 (incident details are communicated to internal and external stakeholders)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
