
Crisis Communications Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact demonstrates that your company has a plan for who communicates what, when, and to whom during a cyber incident. Cyber Essentials requires this because confusion and silence during a crisis cause as much damage as the incident itself. A documented timeline and communications plan ensures that staff, management, regulators, and customers get the right message at the right time, and that notification deadlines are met rather than discovered after they have passed.


2. What You Will Submit

You will need:

  • Crisis Communications and Timeline document (Word, PDF, or spreadsheet).

  • It should include:

    • Key contacts (Incident Lead, Comms Lead, CEO, Legal, IT), with out-of-hours and personal contact details, since corporate email or phone may be unavailable during the incident.

    • Communication channels (email, phone, Teams/Slack, press release), including a fallback channel for use if the primary channels are down or believed to be compromised.

    • Escalation steps (who is told first, who is told next).

    • Incident timeline template (time of detection, first comms, regulator notification, customer updates).


3. How to Collect / Obtain / Generate This Evidence

  • If starting from scratch:

    1. Use StrongKeep's Crisis Communications Template (in the Incident Response Plan).

    2. Fill in:

      • Roles: e.g. CEO (public spokesperson), Comms Lead (drafts announcements), IT Manager (technical updates), Secretary (logs comms).

      • Timeline markers: Detection → Internal staff alert → Executive team alert → Regulator notified → Customer notification → Post-incident briefing.

      • Message library: Draft templates for “Initial Detection,” “Containment in Progress,” “Resolution,” and “Follow-up.”

    3. Save the file with version history and circulate to management.

  • If you already have an existing Incident Response Plan (IRP):

    • Extract the communications and timeline section into a standalone document, or reference it clearly from one, so the assessor can find it without reading the whole IRP.

    • Ensure roles and contact details are current; a plan that names staff who have left is a common failure.


4. Evidence Format

  • Accepted file types: DOCX, PDF, XLSX.

  • Suggested naming format:
    YourCompanyName_CrisisCommsTimeline_YYYY-MM-DD.pdf


5. What “Good” Looks Like

  • Clear roles and responsibilities (no confusion about who speaks).

  • Defined timeline with escalation points.

  • Message templates prepared in advance (not written in panic).

  • Version control showing the plan is updated regularly.

Why it matters: auditors want to see that communication is not improvised but structured, fast, and compliant with notification obligations.


6. Tips

  • Review at least annually and after every real incident, and record the review date in the version history.

  • Test it in tabletop exercises alongside your Cyber Incident Response Plan, including the case where email and chat are unavailable and the fallback channel must be used.

  • Record the regulator deadlines that apply to you against the timeline markers (for example, a personal-data breach must be reported to the ICO within 72 hours of becoming aware of it under UK GDPR) so the timeline shows they can be met.

  • Keep regulator and customer communications separate; the two audiences need different levels of detail.