Incident Response Communication Guide | Help Center

1. Purpose of This Guide

When a cyber incident strikes, your staff shouldn’t be running around like startled chickens. Everyone with IT access must know what to do, who to call, and how to report an incident.

This artefact shows auditors that:

Your organisation has communicated the Incident Response Plan (IRP) to all relevant employees.
Staff know where to find the plan,
And you have proof that the communication actually happened.

This is less about fancy technology and more about good housekeeping: “We told everyone what to do, and here’s the evidence.”

2. What You Will Submit

You may submit any one of the following (or multiple, if available):

Screenshot of an email sent by the IT manager to all staff with IT access, containing:
- The Incident Response Plan
- A link to the shared location where the plan lives
- A short summary of what staff should do in case of an incident
Screenshot of a shared folder (Google Drive, SharePoint, file server, etc.)
- Showing the IRP document
- Showing that all staff have access
Photo of a physical poster or notice
- Displayed in a common workspace or operations area
- Showing key steps and IR contact information
Screenshot from your intranet page or StrongKeep Staff Portal
- Showing IRP instructions published to staff
- Or showing that the IRP acknowledgement is part of onboarding

Any method works as long as it clearly demonstrates staff awareness.

3. How to Collect / Obtain / Generate This Evidence

Below are the most common (and auditor-friendly) ways:

Option A — Email Announcement (Most Common)

IT Manager drafts an email to all employees with IT access.
Attach or link the Incident Response Plan.
Include key instructions (e.g., who to call, how to report incidents).
Send the email.
Take a screenshot of:
- The sent email
- The recipient list (or “all staff” group name)
- The message body

This is the cleanest evidence because it shows deliberate communication.

Option B — Shared Folder Screenshot

If your IRP lives in a cloud folder:

Google Drive

Open the folder
Show file name (e.g., Incident Response Plan.pdf)
Click “Share” → screenshot the permissions (“Anyone in the organisation can view”)

SharePoint / OneDrive

Open the document library
Show file visibility
Screenshot the “Manage Access” panel

This proves staff can access the plan.

Option C — Physical Poster Evidence

Place IR response instructions in a visible staff area.
Take a clear photo showing:
- The poster content
- The surrounding environment (to prove it’s a real location)

This is common in clinics, retail shops, warehouses, and environments where staff don’t regularly check email.

Option D — Intranet / Staff Page Announcement

If the plan was published to internal staff-accessible platforms like an intranet:

Open the announcement/post
Ensure the title + IRP link are visible
Screenshot the page

4. Evidence Format

Accepted File Types:

Suggested Naming Format:
YourCompanyName_IncidentResponseCommunication_YYYY-MM-DD

Example:
AcmeClinic_IRP_StaffCommunication_2025-02-01.png

5. What “Good” Looks Like

A strong piece of evidence should:

Show that ALL relevant staff were reached
(email group name, distribution list, or folder permissions)
Clearly display the Incident Response Plan or link to it
The auditor must see the IRP is accessible.
Include context
e.g., timestamp, sender name, platform used.
Show explicit communication
“Please review our Incident Response Plan and follow these steps if you detect a cyber incident…”
Be readable and unambiguous
Avoid screenshots of cropped emails with missing headers.

Why this matters:
Auditors don’t just want a plan. They want proof your staff actually know about it — because during an incident, silence is the enemy.

6. Tips

You may redact sensitive staff emails.
Keep the group name visible (e.g., All Staff, Clinic Team, Retail Floor Staff).
Make this a recurring communication.
Sharing the IRP annually (or after any updates) strengthens your compliance posture.