GASP: AICF

INC-010 External Contact and Communication Points

Tier 2+

Description

Up-to-date contact information is maintained for relevant regulatory authorities, law enforcement, national CERTs, cloud providers, and legal counsel. These contacts are accessible to the incident response team during an active incident. Contact lists are reviewed and verified at least annually.

Rationale

During an active incident, searching for regulator contact details wastes critical time. Pre-established, verified contact lists are an operational readiness requirement.

Framework Mappings (3)

SEF-10 | Points of Contact Maintenance | full
IR-6 | Incident Reporting | partial
IR-7 | Incident Response Assistance | partial

Evidence (2)

Type: record (collected manually)

Verified external contact list maintained by the incident response team, covering regulatory authorities, law enforcement, national CERTs, cloud providers, and legal counsel.

Example: IR External Contact Register (version-controlled, reviewed within the last 12 months) listing organisation name, contact name, phone, email, and relationship (e.g., supervisory authority, CERT-EU, AWS security contact, external legal counsel)

Test: Request the external contact list and the most recent verification record. Verify: (1) contacts cover at minimum: relevant DPA/supervisory authority, national CERT, primary cloud provider security contact, and external legal counsel; (2) contact details were verified (e.g., a test call or email confirmation) within the last 12 months; (3) the list is accessible to the IR team during an incident without requiring access to primary systems; (4) the last verification date is documented.

Type: policy (collected manually)

Procedure for maintaining and verifying external contacts, defining the review frequency, verification method, and responsible owner.

Example: IRP section or standalone External Contact Maintenance Procedure (version-controlled) specifying which contact categories must be maintained, the annual verification process, and who is responsible for keeping the list current

Test: Request the external contact maintenance procedure. Verify: (1) the procedure defines which contact categories are required; (2) a verification method and frequency are specified (at least annual); (3) a named role is responsible for maintaining and verifying the list; (4) the procedure is referenced in the IRP.

Questions (2)

boolean

Is up-to-date contact information maintained for relevant regulatory authorities, law enforcement, national CERTs, cloud providers, and legal counsel, with contacts accessible to the IR team and verified at least annually?

The contact list must be accessible without requiring access to primary production systems — it should be stored out-of-band (e.g. printed copy, offline document, or separate communications platform).

multi

Which external contact categories are included in your maintained IR contact list?

Relevant data protection supervisory authority (e.g. ICO, CNIL)
National or sector CERT (e.g. CERT-EU, NCSC)
Primary cloud provider security contact
External legal counsel with cyber incident experience
Law enforcement contact (e.g. national cybercrime unit)
Cyber insurance provider incident response hotline
External incident response retainer (e.g. DFIR firm)

Supervisory authority, national CERT, cloud provider security contact, and legal counsel are the minimum required categories. Insurance and DFIR retainer contacts are expected for mature IR programmes.