ISMS Compliance
CyFun Basic / Respond

RS.CO-3: Information sharing

Information is shared consistent with response plans

RESPOND / RS.CO-3

Requirement

Information/cybersecurity incident information shall be communicated and shared with the organisation's employees in a format that they can understand.

Our Implementation

Information sharing during and after security incidents is governed by the Incident Response Plan:

  • Regulatory notification: Data breaches affecting personal data are reported to the Belgian Data Protection Authority within 72 hours, per GDPR requirements. CERT.be is notified of security incidents, per the Belgian regulatory framework.
  • Customer notification: Affected customers are informed of incidents that impact their data, with details of the incident's scope, impact, and remediation actions.
  • Internal communication: The CTO communicates incident details to all staff members. For Critical incidents, the CEO is involved in stakeholder communication.
  • Incident documentation: All incidents are documented in the incident log in a format accessible to all team members.

Gaps / Planned improvements:

  • Communication procedures will be validated through planned tabletop exercises (NEX-359).
  • Pre-drafted notification templates for customers and regulators are to be created (NEX-377).
  • An external communication plan (media, partners) is to be defined (NEX-377).

Evidence

Partially Implemented
L1 — Initial