GRCWatch
Sign inStart free trial

CIS Control 17.6: Define Mechanisms for Communicating During Incident Response

When a security incident strikes, communication delays can multiply damage. CIS Control 17.6 requires you to establish and maintain dedicated communication channels that remain operational even when systems are compromised. This control ensures your incident response team can coordinate effectively when it matters most.

What this means

You must identify and document which communication methods your organization will use to report and coordinate during a security incident. Primary mechanisms might include dedicated phone lines or out-of-band communication channels, while secondary options provide backup when primary channels fail. Email and digital systems are vulnerable during incidents, so your plan should account for alternative methods. This isn't a one-time exercise—you need to review and test these mechanisms annually to ensure they remain reliable and that all stakeholders know how to use them.

How to comply

  1. 1.Identify all primary communication mechanisms (dedicated hotlines, secure conference lines, in-person meeting locations)
  2. 2.Establish secondary communication methods that function independently from potentially compromised systems
  3. 3.Document contact lists with roles, names, phone numbers, and backup contact information
  4. 4.Exclude email as a primary mechanism due to potential compromise during incidents
  5. 5.Define escalation procedures and decision-making chains for different incident severity levels
  6. 6.Test communication channels quarterly to verify functionality and team awareness
  7. 7.Review the entire communication plan annually and update contact information
  8. 8.Train all incident response team members on activation procedures and their specific roles

Evidence auditors look for

  • Documented incident response communication plan with primary and secondary mechanisms clearly defined
  • Contact roster with current phone numbers, roles, and escalation paths
  • Evidence of annual review with dated sign-off from leadership
  • Test results from communication drills conducted within the past 12 months
  • Out-of-band communication setup (dedicated phone lines, physical meeting locations)
  • Backup communication procedures for scenarios where email and primary systems are unavailable
  • Training records showing incident response team understands communication activation procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch maintains your incident communication directory with automated contact verification, tracks communication plan reviews and tests, and flags when annual reviews are due—eliminating missed compliance deadlines.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 17.1 — Establish and Maintain an Incident Response ProcessCIS Control 17.2 — Establish and Maintain Contact Information for Reporting Security IncidentsCIS Control 17.3 — Establish and Maintain an Incident Handling Process for Recurring IncidentsCIS Control 17.4 — Establish and Maintain an Incident Handling Process for Zero-Day VulnerabilitiesCIS Control 17.5 — Conduct Routine Cyber Security Incident Simulation Exercises