Search
Updated on January 24, 2024

BIZOPS-32 Breach Notification

Estimated reading: 2 minutes 1158 views

What is BIZOPS-32 Breach Notification control?

A Breach Notification control is about having a process for notifying customers, the media, and relevant parties following a breach of information in a timely manner. This is a good practice for any organization. The process should involve:

  • Appropriate identification of breaches
  • Identification of the affected parties to notify
  • A process to send notifications in writing via first-class mail or email
  • A process to ensure the notification is sent without delay, no later than 60 days

Available tools in the marketplace 

Tools
No tool recommendation is made for this section

Available templates

TrustCloud has a curated list of templates, internally or externally sourced,to help you get started. Click on the link for a downloadable version:

Control implementation

To implement this control, 

  • A process needs to be documented to guide personnel in the assessment of a breach. The process can be included in your existing security incident management policy and must include the following sections:
    • Breach risk assessment: This section should address the process of determining that a breach has occurred.
    • Affected individuals: This section should address how to identify the affected individuals
    • Notification timeline: This section should address when and how to notify the affected individuals
      You can refer to the templates provided above.
  • You need to assign designated personnel responsible for notifying affected individuals.
  • You need to create a template to track breaches and notify affected individuals.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

  1. A documented breach notification procedure
  2. Breach reporting template or form used to track breaches and notifications (if no breaches have occurred) and breach notification letter for a recent breach

Evidence example

For the suggested action, an example is provided below:

  1. A documented breach notification procedure
  2. A breach report form is used to track breaches and notifications.
    Link to a breach notification assessment example or a recent breach notification form.The following screenshot shows the breach notification letter.
    BIZOPS 32 Breach Notification

Join the conversation

ON THIS PAGE
SHARE THIS PAGE

SUBSCRIBE
FlightSchool
Trusty

Want to see how to turn GRC into a profit center?

Ready to save time and money on audits, pass security reviews faster, and manage enterprise-wide risk? Let’s talk! 

Learn More
TrustCommunity

The #1 Community for Security, Privacy, and GRC Professionals.

© 2024 TrustCloud Corporation. All rights reserved.
TrustCloud® and TrustOps® are registered trademarks of TrustCloud Corporation.

Facebook Linkedin Youtube Rss

Resources

Platform

TOPICS

ABOUT US

AICPA
Monitored by TrustCloud

💛 Joyfully Crafted to Elevate GRC Leaders into Trust Champions.

OR