GRCWatch
Sign inStart free trial

CIS Control 17.2: Establish and Maintain Contact Information for Reporting Security Incidents

When a security incident strikes, every second counts—and you need the right people contacted immediately. CIS Control 17.2 requires organizations to establish and maintain a comprehensive contact list for incident notification, from internal teams to law enforcement to cyber insurers. This control ensures you're never scrambling to find critical contacts when a breach occurs.

What this means

Control 17.2 mandates that you create and maintain an up-to-date contact registry for all parties who must be notified during a security incident. This includes internal staff (IT, management, legal), external vendors and service providers, law enforcement agencies, cyber insurance carriers, relevant government regulators, Information Sharing and Analysis Center (ISAC) partners, and other stakeholders specific to your industry or operations. The control requires annual verification of all contacts to ensure accuracy and availability.

How to comply

  1. 1.Create a centralized incident contact list identifying all internal and external parties who must be notified
  2. 2.Include contact names, titles, phone numbers, email addresses, and backup contacts for each party
  3. 3.Categorize contacts by notification priority (immediate, secondary, post-incident review)
  4. 4.Document contact roles and responsibilities during incident response
  5. 5.Establish a secure storage method for the contact list accessible only to authorized personnel
  6. 6.Schedule annual verification of all contacts to confirm accuracy and current information
  7. 7.Test the contact list during tabletop exercises or incident response drills
  8. 8.Update contacts whenever personnel changes, vendor relationships, or regulatory requirements change

Evidence auditors look for

  • Documented incident contact list with complete information for all parties
  • Contact verification log showing annual review and sign-off dates
  • Evidence of contact testing within incident response plan or security drills
  • Vendor agreements or MOUs referencing notification procedures and contacts
  • Insurance policy documents listing cyber insurance carrier incident notification requirements
  • Government agency contact information from regulatory compliance documentation
  • Backup contact designations for critical roles
  • Update logs showing changes to contacts with effective dates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates annual contact verification workflows and stores encrypted incident contact directories that stay synchronized with your incident response procedures, eliminating manual spreadsheet management and ensuring your team never calls the wrong number during a breach.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 17.1 — Designate Roles and ResponsibilitiesCIS 17.3 — Establish Incident Response ProceduresCIS 17.4 — Provide Security Incident Response TrainingCIS 17.5 — Conduct Post-Incident Reviews