ISO/IEC 27035-4:2020 — Incident Management — Coordination

Coordination frameworks for multi-team and cross-organizational incident management

In complex incidents — particularly those affecting multiple business
units, multiple organizations, or critical national infrastructure —
effective coordination is as important as technical response capability.
ISO/IEC 27035-4:2020 provides the framework for coordinating incident
management activities across internal teams, external organizations,
regulatory bodies, and other stakeholders.

The 2020 edition reflects lessons learned from large-scale incidents
involving supply chain compromises, cross-border data breaches, and
coordinated ransomware campaigns where effective coordination directly
determined the outcome of the incident response effort.

The Role of Coordination in Multi-Team Incidents

Modern incidents rarely respect organizational or jurisdictional
boundaries. A single data breach may involve IT operations, legal,
compliance, communications, human resources, physical security, and
external partners. ISO/IEC 27035-4 defines coordination as the structured
management of interdependencies between these entities to achieve a
unified, effective response. The standard identifies three coordination
dimensions: vertical (within the organization, from
technical teams to executive leadership), horizontal
(across different functions within the organization), and
external (with customers, suppliers, regulators, law
enforcement, and sector-specific bodies).

The standard recommends establishing a Coordination Center
or incident command structure for large-scale incidents. This center serves
as the central point for information fusion, decision-making, resource
allocation, and stakeholder communication. Clear role definitions — who
has decision authority, who is responsible for specific coordination
activities, and how handoffs between teams occur — are essential to avoid
confusion and duplicated effort during high-pressure situations.

Coordination Dimension | Stakeholders                                      | Key Coordination Activities
Vertical               | Executives, board, management, technical teams    | Situation reporting, resource approval, strategic decisions
Horizontal             | IT, legal, HR, PR, compliance, physical security   | Cross-functional impact assessment, joint decision-making
External               | Customers, regulators, law enforcement, suppliers | Regulatory notifications, information sharing, joint response

Organizations with mature coordination capabilities contain major incidents
40% faster and incur 30% lower total incident costs, according to the
Ponemon Institute’s Cost of a Data Breach studies.

Communication Protocols and Information Sharing

Information is the lifeblood of coordinated incident response. The
standard provides detailed guidance on establishing communication protocols
that ensure the right information reaches the right people at the right time.
Key elements include: classification of information (who
needs to know what), communication channels (primary and
backup, with consideration for security and availability during incidents),
communication templates (pre-approved notification formats
for different audiences), and escalation triggers (specific
conditions that require broader communication).

The standard also addresses information sharing with external entities.
Trusted information-sharing communities — such as ISACs (Information Sharing
and Analysis Centers), sector-specific CERTs/CSIRTs, and law enforcement
liaison programs — play a vital role in improving collective defense.
ISO/IEC 27035-4 recommends that organizations establish information-sharing
relationships before incidents occur, including legal agreements (NDAs,
information-sharing MOUs), technical interfaces (secure sharing platforms),
and operational protocols (TLP markings, handling caveats).

One of the most frequent coordination failures is communication blackout
during incidents caused by reliance on a single channel (e.g., email during
a DDoS attack). The standard mandates the use of diverse, resilient
communication channels with regular testing.
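The elements of a communication protocol described above (classification of who may see what, primary and backup channels, pre-approved templates, and escalation triggers) can be expressed as a small routing routine. The following is an added example, not code from ISO/IEC 27035-4 or from this article; the trigger conditions, audience names, the mapping of TLP levels to audiences and the channel names are all assumptions chosen for illustration.

```python
"""Added example (not from ISO/IEC 27035-4 or this article): a small routing
routine that applies escalation triggers, uses the TLP marking of the incident
report to decide who may receive it in full, and falls back to a backup
channel when the primary one is down. Audiences, triggers, TLP-to-audience
policy and channel names are all assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass
class Incident:
    severity: str                      # "low", "medium", "high" or "critical"
    personal_data_exposed: bool = False
    suppliers_involved: list = field(default_factory=list)
    criminal_activity: bool = False
    customers_affected: int = 0


# Escalation triggers: (name, condition over the incident, audiences to add).
TRIGGERS = [
    ("high or critical severity",   lambda i: i.severity in ("high", "critical"), {"executives", "legal"}),
    ("personal data exposed",       lambda i: i.personal_data_exposed,            {"legal", "compliance", "regulator"}),
    ("supplier involved",           lambda i: bool(i.suppliers_involved),         {"suppliers"}),
    ("suspected criminal activity", lambda i: i.criminal_activity,                {"legal", "law_enforcement"}),
    ("customers affected",          lambda i: i.customers_affected > 0,           {"customers", "communications"}),
]

# Who may receive the full TLP-marked report (assumed policy, nested by level):
# RED stays with the named coordination group, AMBER adds the rest of the
# organization and its clients/partners, GREEN adds the trusted community.
TLP_POLICY = {}
TLP_POLICY["RED"] = {"technical_team", "executives", "legal"}
TLP_POLICY["AMBER"] = TLP_POLICY["RED"] | {"compliance", "communications", "customers", "suppliers"}
TLP_POLICY["GREEN"] = TLP_POLICY["AMBER"] | {"regulator", "law_enforcement", "isac"}
TLP_POLICY["CLEAR"] = TLP_POLICY["GREEN"] | {"public"}

# Primary and backup channel per audience (assumed).
CHANNELS = {
    "technical_team":  ("incident_chat", "phone_bridge"),
    "executives":      ("email", "phone_bridge"),
    "legal":           ("email", "phone_bridge"),
    "compliance":      ("email", "phone_bridge"),
    "communications":  ("email", "phone_bridge"),
    "regulator":       ("regulator_portal", "registered_mail"),
    "customers":       ("status_page", "email"),
    "suppliers":       ("email", "phone"),
    "law_enforcement": ("phone", "email"),
}


def audiences_for(incident):
    """Base audience is the technical team; every firing trigger widens it."""
    audiences = {"technical_team"}
    fired = []
    for name, condition, adds in TRIGGERS:
        if condition(incident):
            audiences |= adds
            fired.append(name)
    return audiences, fired


def pick_channel(audience, unavailable):
    """Primary channel unless it is down, then backup; None means a gap to record."""
    for channel in CHANNELS[audience]:
        if channel not in unavailable:
            return channel
    return None


def coordination_plan(incident, tlp, unavailable=frozenset()):
    """Decide, per audience, what they receive and over which channel.
    Audiences outside the TLP policy still get the pre-approved notification
    template (a regulatory notice is an obligation), just not the full report."""
    audiences, fired = audiences_for(incident)
    plan, gaps = {}, []
    for audience in sorted(audiences):
        content = "full_report" if audience in TLP_POLICY[tlp] else "notification_template"
        channel = pick_channel(audience, unavailable)
        if channel is None:
            gaps.append(audience)   # no working channel: a coordination gap for the review
        plan[audience] = {"content": content, "channel": channel}
    return {"triggers_fired": fired, "plan": plan, "gaps": gaps}


if __name__ == "__main__":
    # Constructed scenario: email is unusable during a DDoS, report marked TLP:RED.
    incident = Incident(severity="critical", personal_data_exposed=True, customers_affected=1200)
    result = coordination_plan(incident, "RED", unavailable={"email"})
    for audience, entry in result["plan"].items():
        print(f"{audience:15} {entry['content']:22} via {entry['channel']}")
    print("gaps:", result["gaps"])
```

The design point is the separation between the audience list (driven by triggers) and the content each audience receives (driven by the TLP marking): a regulator or customer who must be notified is not thereby cleared to receive a TLP:RED analysis, and the `gaps` list makes a missing backup channel visible rather than silently dropping the audience.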

Coordination with External Stakeholders

External coordination extends beyond incident notification to include
active collaboration during response. The standard provides guidance on
coordinating with: law enforcement (preserving evidence for prosecution,
understanding jurisdictional requirements, managing public disclosure),
regulatory bodies (meeting breach notification timelines, providing required
information), affected customers and partners (transparent communication,
remediation support), and suppliers and service providers (activating
incident response provisions in contracts, coordinating joint response
activities).

A critical element emphasized in the standard is the need for
pre-established relationships. Attempting to establish
coordination protocols during an active incident is far less effective
than having pre-existing agreements, contact lists, and tested procedures.
The standard recommends that organizations maintain an up-to-date directory
of key external contacts, including alternates, with regular verification
of contact information and coordination procedures.

Frequently Asked Questions

Q: How does coordination differ in cross-border incidents?
A: Cross-border incidents involve additional complexity: multiple regulatory
regimes with potentially conflicting notification timelines, language and
cultural barriers, time zone challenges, and varying law enforcement
jurisdictions. The standard recommends engaging legal counsel with
multi-jurisdictional expertise and establishing coordination protocols
for each region where the organization operates.

Q: What is the relationship between ISO 27035-4 and the NIST incident response framework?
A: Both frameworks share common coordination concepts. ISO/IEC 27035-4
provides more detailed guidance on coordination-specific aspects, while
NIST SP 800-61 focuses more on technical response procedures. Organizations
commonly use both in a complementary manner, with ISO/IEC 27035-4 informing
the coordination layer and NIST guiding technical operations.

Q: How should coordination be handled during a communications infrastructure failure?
A: The standard requires planning for communication channel failures.
Organizations should maintain out-of-band communication methods (e.g.,
satellite phones, alternate messaging platforms, physical meeting locations)
and test them regularly. Pre-defined rendezvous procedures and decision
authority delegation ensure continuity when normal communications are
unavailable.

Q: What metrics measure coordination effectiveness?
A: Key coordination metrics include: time to establish coordinated response,
information sharing latency between teams, number of coordination gaps
identified during post-incident review, stakeholder satisfaction with
communication quality, and compliance with regulatory notification
timelines. These should be tracked and reported as part of the incident
management performance dashboard.
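The metrics listed in the last answer can be computed from a timestamped coordination log rather than estimated after the fact. The following is an added example, not code from ISO/IEC 27035-4 or from this article; the event schema, the sample timeline and the 72-hour notification deadline are assumptions (the deadline is a parameter so it can match whichever regime applies).

```python
"""Added example (not from ISO/IEC 27035-4 or this article): computing the
coordination metrics named above from a timestamped coordination log.
The event schema, the constructed sample timeline and the default 72-hour
notification deadline are all assumptions used for illustration."""
from datetime import datetime, timedelta, timezone
from statistics import mean

# Constructed sample timeline (not real data). A "shared" event carries a
# "ref" to the finding it relays, so sharing latency can be measured.
EVENTS = [
    {"t": "2024-03-04T08:00:00Z", "type": "detected", "team": "soc"},
    {"t": "2024-03-04T08:50:00Z", "type": "coord_center_established"},
    {"t": "2024-03-04T09:10:00Z", "type": "finding", "id": "f1", "team": "soc"},
    {"t": "2024-03-04T09:25:00Z", "type": "shared", "ref": "f1", "to": "legal"},
    {"t": "2024-03-04T11:00:00Z", "type": "finding", "id": "f2", "team": "forensics"},
    {"t": "2024-03-04T12:00:00Z", "type": "breach_confirmed", "team": "legal"},
    {"t": "2024-03-04T15:00:00Z", "type": "shared", "ref": "f2", "to": "executives"},
    {"t": "2024-03-06T10:00:00Z", "type": "regulator_notified"},
    {"t": "2024-03-09T00:00:00Z", "type": "gap", "note": "supplier contact list outdated"},
    {"t": "2024-03-09T00:00:00Z", "type": "gap", "note": "no backup channel for HR"},
]


def parse_ts(s):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def minutes(delta):
    return delta.total_seconds() / 60


def coordination_metrics(events, notification_deadline=timedelta(hours=72)):
    """Return the coordination metrics for one incident's event log."""
    by_type = {}
    for e in events:
        by_type.setdefault(e["type"], []).append(e)

    def first(kind):
        # Earliest event of a kind; timestamps share one format so string order is time order.
        ev = by_type.get(kind)
        return parse_ts(min(ev, key=lambda e: e["t"])["t"]) if ev else None

    # Time to establish coordinated response: detection -> coordination center stood up.
    detected, coord = first("detected"), first("coord_center_established")
    ttcr = minutes(coord - detected) if detected and coord else None

    # Information sharing latency: finding recorded -> finding relayed to another team.
    findings = {e["id"]: parse_ts(e["t"]) for e in by_type.get("finding", [])}
    latencies = [minutes(parse_ts(e["t"]) - findings[e["ref"]])
                 for e in by_type.get("shared", []) if e["ref"] in findings]

    # Regulatory notification compliance: confirmation -> notification within the deadline.
    confirmed, notified = first("breach_confirmed"), first("regulator_notified")
    if confirmed is None:
        notification = {"hours_elapsed": None, "compliant": None}   # nothing notifiable confirmed
    elif notified is None:
        notification = {"hours_elapsed": None, "compliant": False}  # confirmed but not yet notified
    else:
        elapsed = notified - confirmed
        notification = {"hours_elapsed": elapsed.total_seconds() / 3600,
                        "compliant": elapsed <= notification_deadline}

    return {
        "time_to_coordinated_response_min": ttcr,
        "sharing_latency_mean_min": mean(latencies) if latencies else None,
        "sharing_latency_max_min": max(latencies) if latencies else None,
        "regulator_notification": notification,
        "coordination_gaps": len(by_type.get("gap", [])),
    }


if __name__ == "__main__":
    for name, value in coordination_metrics(EVENTS).items():
        print(f"{name}: {value}")
```

Feeding the same function every incident's log gives the dashboard series the answer calls for; the two sharing latencies in the sample (15 minutes to legal, four hours to executives) show why reporting the maximum alongside the mean matters, since a single slow vertical hand-off is what post-incident reviews tend to surface.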
