ISMS/03-procedures/breach-notification-procedure.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

Title: Breach Notification Procedure
Document ID: [PROC-BREACH-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Breach Notification Procedure

Purpose

This procedure defines how BlackDice should assess and manage notification obligations arising from suspected or confirmed personal data breaches or other reportable security incidents.

Scope

This procedure applies to incidents that may trigger legal, regulatory, contractual, customer, or other formal notification obligations.

Trigger / When Used

Use this procedure when:

  • an incident may involve personal data compromise
  • contractual notification requirements may apply
  • customer-owned or supplier-shared information may be affected
  • there is uncertainty about whether notification obligations exist

Procedure Steps

  1. Receive escalation from incident handling or another authorised source.
  2. Confirm the nature of the incident, the information involved, and the affected parties or environments, and record when the organisation became aware of the incident, since statutory and contractual notification windows are typically measured from that point.
  3. Assess whether legal, regulatory, contractual, customer, or supplier notification obligations may apply.
  4. Identify the relevant deadlines, approval requirements, and required content for each notification.
  5. Coordinate internal review with appropriate stakeholders, including security, privacy, legal, management, and customer-facing roles as needed.
  6. Prepare and issue notification through the approved channel where notification is required.
  7. Record the decision, rationale, timing, recipients, and any follow-up obligations.
  8. Update the underlying incident record and track resulting actions to completion.

Inputs

  • incident details and severity assessment
  • affected data or service information
  • contractual and regulatory obligations
  • stakeholder review input

Outputs / Records

  • notification decision record
  • issued notification or documented no-notification rationale
  • approval evidence
  • follow-up action record

Roles and Responsibilities

  • [Role] must coordinate notification assessment and execution.
  • Incident handlers must escalate potentially notifiable incidents promptly.
  • Relevant stakeholders must review obligations and approve content where required.

Escalation / Exceptions

Escalate immediately where:

  • notification deadlines may be at risk
  • facts are incomplete but harm may be ongoing
  • a customer or regulator has already made contact
  • multiple jurisdictions or conflicting obligations may apply

This procedure must not be interpreted as legal advice. Legal review should be obtained where appropriate.

Related Documents

  • Incident Response Policy
  • Security Incident Handling Procedure
  • Privacy and Data Protection Policy
  • Information Transfer Policy

Version Control

Version | Date | Description of Change | Author
0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role]