A 7 step crisis communication plan checklist

Written by: RedGoat

Categorized: Cyber Resilience

Crisis communication planning checklist

The purpose of this crisis communication plan checklist is to allow you a quick and easy way to evaluate your existing cyber crisis communication plan and give you actionable ideas on how you can improve it.

In recent years we have seen the importance of having a well thought through comms plan when it comes to cyber attacks. Many organisations have made media worthy mistakes not in the technical response to the attack but in the communications they put out to the public. In our experience of helping organisations develop their plans and playbooks and then testing them in cyber crisis exercises, we often see communications being a key area to focus on. This includes having robust plans and playbooks, up to date stakeholder lists and also a process  to ensure that the CISO or security team and the comms teams work closely together, and not in silos.

Here are our seven step plan to help your organisation build a responsible and resilient comms plan for a cyber incident.

Is the crisis communication plan a formal document?

The first step is to formalise the information your teams likely already know well into one clear document and get it signed off. Keep it short and concise with clear actions and responsibilities. Resist the temptation to create a massive PDF covering every aspect of a cyber incident imaginable. In an incident the longer the document is, the less likely it will actually be used.

Does it describe types of incidents, escalation processes and next steps?

It is impossible to know exactly what cyber incident(s) we will face, if any, and exactly how they will end up playing out. However we can look at the threats we feel are the most likely or will have the highest impact should they manifest. This is where that all important collaboration needs to come in. The security team needs to outline these threats, how they usually play out, the impact on the important business services or critical data, and the length of time the organisation could face disruption. The majority of organisations include threats such as double extortion ransomware attacks, DDOS attacks and accidental data breaches.  

By doing this you can develop a crisis communication plan that is tailored to the individual threats or scenarios and this will save you critical time and bandwidth if any of these attacks were to happen.

Is there a formal process for dealing with media enquiries?

Big bang cyber events can quickly attract the attention of journalists. How you engage with the media and crucially the language you use can be critical. Make sure your crisis communication plan has a process for dealing with these media requests and that there are several individuals at executive level ideally that have received media training to enable them to do this.

Consider also including some internal messaging templates that can be disseminated reminding employees not to discuss the incident with anyone external, not to post or comment on social media and where they can direct anyone from the media who wishes to obtain a comment. Giving employees a pre-written line they can use will help them avoid slipping up. It is not about hiding what is happening, but controlling the narrative is a crucial part of handling a cyber incident and avoiding panic.

How will you reach the intended audience?

Getting the message right is one hurdle and then disseminating it is another. Consider in your crisis communication plan how you will reach each of the audiences you need to reach. You also need to think about the absolute worst case scenario when it comes to this. How would you reach employees, clients, investors, the public etc if you had no ability to place a holding message on your website or no access to email? Thinking through these worst case scenarios will mean you have alternative means already thought through should the worst happen. This could be just building a separate website that is kept offline unless needed in a crisis.

Social media can be a great way of reaching a large public audience but make sure that your accounts are appropriately secured so you can be sure you will have access to them. The login credentials need to be securely stored somewhere else too in case you lose all access to the network.

It is also important to ensure there is a point on your crisis communications checklist to suspend any scheduled posts you may have. It does not look at all good if in the middle of announcing that you may have just lost a lot of client data, your scheduled post offers a great deal if you sign up a friend.  

Are the key stakeholder contact details listed?

Having a table where you list all the key stakeholders, internal and external, that need to be contacted, with what frequency, how to contact them and who is responsible for contacting each of them will really help in a crisis. Many times I have observed that some senior member of staff have the names and numbers of the board members, but it they aren’t actually set out anywhere else so should that individual be unavailable in a crisis, the rest of the team wouldn’t have an easily available list of the people they urgently need to inform.

The other important stakeholder(s) in this table are regulators. You may have many spanning multiple jurisdictions each with they own deadlines for notifying them and their preferred way in which you update them. Have this on one central document and you will save yourself a lot of pain should an incident occur.

Has the crisis communication plan been tested in a cyber exercise?

Building incident response plans and playbooks is one thing but they need to be tested. All too often I see really detailed plans and then when we run the exercise it is discovered that, whilst detailed, they aren’t actually usable. The same goes for communications.

Run a cyber security incident simulation for your incident response teams and include some comms specific objectives to test. Every exercise generates some good suggestions for making your organisation more resilient and spotting gaps in the current setup.

Is the crisis communication plan stored securely and independently along with other related documents?

As with all other incident response plans for use in a cyber crisis, one simple way to increase organisational resilience is to make sure your plans are accessible and stored on a different network. If you have a designated “war room”, have a folder with (up to date) physical copies to have to hand in an emergency. Again, always think about the worst possible case, that way should you suddenly find you can’t access X, Y or Z anymore you have a plan B that allows the response to continue.


In our experience the organisations that handle an incident well have thought through, set up and planned for things beforehand. Having simple things like a list of regulators with the deadlines and contact details set out can save hours at a time when you don’t have hours to spend. You can free up a lot of time and bandwidth, both of which are in short supply in a crisis, by thinking these things through now.

Related Content

Key risk indicators in cyber security

Understanding key risk indicators (KRIs) in cybersecurity In the constantly evolving landscape of cybersecurity, key risk indicators (KRIs) play a crucial role in measuring and […]

Read more