BIZOPS-32 Breach Notification


What is BIZOPS-32 Breach Notification control?

A Breach Notification control means having a defined process for notifying customers, the media, and other relevant parties in a timely manner after a breach of information. This is good practice for any organization. The process should cover:

  • Appropriate identification of breaches
  • Identification of the affected parties to notify
  • A process to send notifications in writing via first-class mail or email
  • A process to ensure the notification is sent without delay, no later than 60 days

Available tools in the marketplace

No tool recommendation is made for this control.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

Control implementation

To implement this control:

  • Document a process that guides personnel in assessing a breach. The process can be included in your existing security incident management policy and must include the following sections:
    • Breach risk assessment: how to determine that a breach has occurred.
    • Affected individuals: how to identify the individuals affected by the breach.
    • Notification timeline: when and how to notify the affected individuals.
      You can refer to the templates provided above.
  • Assign designated personnel responsible for notifying affected individuals.
  • Create a template to track breaches and the notifications sent to affected individuals.

What evidence do auditors look for?

Most auditors, at a minimum, look for the following evidence:

  1. A documented breach notification procedure
  2. A breach reporting template or form used to track breaches and notifications (if no breaches have occurred), or the breach notification letter sent for a recent breach

Evidence example

For the evidence listed above, examples are provided below:

  1. A documented breach notification procedure
  2. A breach report form used to track breaches and notifications.
    Link to a breach notification assessment example or a recent breach notification form. The following screenshot shows the breach notification letter.
    [Screenshot: BIZOPS-32 Breach Notification letter example]
