Identify the key competencies and the people who have them

In addition to management and the Information Security Officer, you need to identify who inside or outside of your organisation will be involved in case of an incident or breach.

Do not forget to include info from third parties (contact info, contract number, ...), especially when using services in the cloud.

This will typically include members from:

  • Technical Resources (Server Administrators, Network and Security Engineers, Application Developers, ...)
  • Physical Security/Facilities
  • Corporate Communications
  • Human Resources & Training
  • Legal & Compliance
  • Internal Audit
  • 3rd Party Service Providers & cloud contacts

For each of those, you should have:

  • Contact Information (during and outside of business hours)
  • Contract Info
  • Service Level / Support agreements
  • Escalation Information