Crisis communications management

The crisis communications management requirement means you must be able to coordinate accurate, timely internal and external communications during a disruption, with pre-assigned roles, approved channels, and ready-to-use message templates. To operationalize it fast, document who can speak, what gets said, how approvals work, and how you keep contact lists current and test the process.

Key takeaways:

  • Treat crisis communications as an executable procedure with named owners, escalation triggers, and pre-approved artifacts.
  • Build for speed and control: single source of truth, defined approvals, and redundant channels when primary tools fail.
  • Audit success depends on evidence: maintained contact lists, templates, training, and exercised communications records.

Crisis communications fails in predictable ways: no one is sure who is authorized to speak, messages conflict across channels, legal review becomes a bottleneck, or the contact list is outdated. ISO 22301’s focus is operational: during a disruption, you need a reliable way to coordinate communications across internal teams (executives, operations, IT, security, HR, customer support) and external stakeholders (customers, regulators, critical third parties, media, and the public, depending on your business). [1]

For a Compliance Officer, CCO, or GRC lead, the fastest path is to convert “coordinate communications” into a small set of controlled artifacts and repeatable steps: a crisis communications plan, a RACI that names decision-makers, a channel strategy (including backups), pre-approved templates, and a maintenance/testing cadence. You are building two things at once: (1) operational readiness under stress, and (2) audit-ready evidence that the process is designed, implemented, and kept current.

This page gives requirement-level implementation guidance you can execute immediately, including step-by-step build instructions, artifacts to retain, audit questions you will get, and common failure modes that create avoidable risk.

Requirement: crisis communications management (ISO 22301)

Plain-English interpretation: You must be able to coordinate internal and external communications during disruptions so stakeholders receive accurate, consistent, and authorized information through planned channels. This includes assigning communication roles, preparing message content in advance, maintaining stakeholder contact details, and exercising the process so it works under pressure. [1]

Who it applies to

This requirement applies broadly to organizations implementing a business continuity management system (BCMS), especially:

  • Critical service operators: organizations whose service disruption could materially impact customers, safety, or the economy (for example, payment processing, healthcare operations, critical SaaS infrastructure). [1]
  • Service organizations: companies providing services to other entities, including those with contractual notification obligations to customers and third parties. [1]

Operationally, it applies when you have any of the following:

  • Customer-facing services with uptime, incident notification, or service restoration expectations
  • Regulated operations where supervisory/regulatory communications may be required
  • Material dependencies on third parties (cloud, telecom, outsourced operations) where coordinated statements prevent contradictory messaging
  • Brand/reputation risk where public statements, social posts, or press inquiries can outpace internal facts

Regulatory text

Provided excerpt (framework summary): “Baseline implementation-intent summary derived from publicly available framework overviews; licensed standard text is not reproduced in this record.” [1]

Operator meaning (what you must do): ISO 22301 expects you to coordinate internal and external communications during disruptions. In practice, an auditor will look for:

  • Defined communication roles and authorities (who can approve and who can speak)
  • Communication procedures tied to incident/crisis escalation
  • Prepared communication content (templates, holding statements)
  • Maintained stakeholder contact lists and channel plans
  • Evidence the process is kept current and exercised [1]

What you actually need to do (step-by-step)

1) Define scope and trigger points (make it executable)

Write down the events that activate crisis communications. Keep it operational, not theoretical. Examples:

  • Major service outage
  • Cybersecurity incident with potential customer impact
  • Physical site disruption affecting operations
  • Third-party outage that disrupts your critical service

Output: “Crisis Communications Activation Criteria” section in the plan.

2) Assign roles, authorities, and alternates (RACI that works at 2 a.m.)

Create a RACI that covers at least:

  • Crisis Communications Lead (often comms/PR or incident manager)
  • Executive sponsor (final authority for high-impact statements)
  • Legal reviewer (approval for externally facing statements)
  • Security/IT/Operations SME (fact validation)
  • Customer Support leader (inbound scripting and updates)
  • HR (employee comms)
  • Third-party manager (communications to/from key third parties)

Add named alternates so approvals do not stall when someone is unavailable.

Output: Crisis communications RACI + “authorized spokesperson” list.

3) Build a channel strategy, including degraded-mode communications

List your approved channels and a backup for each. Plan for failure of normal tools (email outage, chat outage, corporate website down). Typical channel categories:

  • Internal: email, chat, SMS, phone bridge, intranet
  • External: status page, customer email, support portal, direct account outreach, regulator mailbox, press inbox

Define who posts where and how you prevent conflicting updates (one coordinator owns the “single source of truth” update).

Output: Channel matrix with primary/backup channels and owners.

4) Pre-write templates that reduce legal/PR bottlenecks

Maintain templates for:

  • Initial holding statement (acknowledge issue, commit to updates)
  • Customer impact notification (what’s affected, workaround, where to get updates)
  • Internal employee update (what to say externally, where to direct inquiries)
  • Third-party coordination request (facts needed, timelines, joint statement rules)
  • Resolution notice + follow-up (restoration confirmation, next steps)

Make templates modular: fill in impacted services, start time, current status, next update time, and support contacts. Keep claims conservative; avoid root-cause assertions until validated.

Output: Approved template library + guidance notes on when to use each.

5) Establish an approvals workflow that balances speed and control

Document:

  • What requires legal review vs. what can be published under pre-approval
  • Approval method if primary systems are down (phone approval with documented notes)
  • Time-boxed approval expectations during active incidents (set internal targets as policy)

Output: Approval workflow (diagram or numbered procedure) with escalation path.

6) Build and maintain stakeholder contact lists (internal and external)

Maintain current contacts for: executives, incident response, comms, legal, HR, customer support, critical suppliers, key customers, and any regulators relevant to your business model. Include after-hours details if you keep an on-call model.

Control the list as a governed record: owner, update procedure, and periodic validation.

Output: Controlled contact list + change log.

7) Train and exercise the plan (prove it works)

Run scenario-based exercises where comms must be drafted, approved, and issued under time pressure. Test:

  • Conflicting facts from different teams
  • Third-party-caused outage where you lack full visibility
  • Social media rumor or press inquiry before you have root cause
  • Internal leak risk (employees posting publicly)

Capture lessons learned and update templates, RACI, and contact lists.

Output: Exercise records, after-action notes, and tracked improvements. [1]

Required evidence and artifacts to retain

Auditors want to see both design and operation. Keep:

  • Crisis communications plan/procedure (version-controlled)
  • RACI and authorized spokesperson list (with alternates)
  • Channel matrix (primary and backup)
  • Template library (with approval status and last review date)
  • Stakeholder contact lists (with owner and update/change log)
  • Training completion records for key roles
  • Exercise/tabletop documentation: scenario, participants, communications issued, after-action review, remediation tracking
  • Incident samples: redacted comms approvals, issued notices, timestamps, status page updates, customer scripts
  • Evidence of periodic review (meeting minutes, review sign-offs)

If you manage this in Daydream, store artifacts as mapped control evidence, link incidents/exercises to the requirement, and track review tasks so you can demonstrate continuous operation without rebuilding the story for each audit.

Common exam/audit questions and hangups

Expect questions like:

  • “Who is authorized to communicate externally during a crisis, and where is it documented?”
  • “Show how you ensure messages are consistent across support, status page, and account teams.”
  • “How do you communicate if your corporate email or chat platform is down?”
  • “When was the last time you tested this process? What changed as a result?”
  • “How do you coordinate with critical third parties and avoid contradictory statements?”

Hangups that trigger follow-ups: unclear approval authority, no evidence of testing, stale contact lists, and templates that contain unverifiable promises.

Frequent implementation mistakes and how to avoid them

  • Mistake: One “generic” comms plan with no triggers. Why it fails in practice: Teams argue whether it’s “really a crisis.” Fix: Define activation criteria tied to operational severity.
  • Mistake: Spokesperson authority is implied, not explicit. Why it fails in practice: Conflicting statements and approval chaos. Fix: Write an authorized spokesperson list and enforce it.
  • Mistake: No backup channels. Why it fails in practice: Primary tools fail during outages. Fix: Document degraded-mode communications and test it.
  • Mistake: Templates are drafted but not approved. Why it fails in practice: Legal becomes a bottleneck. Fix: Pre-approve holding statements and common notices.
  • Mistake: Contact list is a spreadsheet with no owner. Why it fails in practice: It becomes stale immediately. Fix: Assign an owner, add a review workflow, keep a change log.
  • Mistake: Exercises focus only on operations. Why it fails in practice: Comms is where confusion shows up. Fix: Include comms drafting, approvals, and channel posting in exercises.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement. From a risk perspective, the exposure is still real: inconsistent or delayed communications can escalate operational incidents into contractual disputes, customer attrition, regulator attention (depending on your sector), and litigation discovery risk. ISO 22301 auditors typically treat communications as a core BCMS capability because it affects response coordination and stakeholder confidence. [1]

Practical 30/60/90-day execution plan

Days 0–30: Establish the minimum viable crisis communications capability

  • Name owners: Crisis Communications Lead, executive sponsor, legal reviewer, incident commander liaison.
  • Draft crisis communications procedure with activation criteria and a one-page workflow.
  • Build RACI and authorized spokesperson list with alternates.
  • Inventory channels and pick primary/backup methods.
  • Create a first-pass template pack: holding statement, customer update, internal memo, resolution notice.
  • Assemble stakeholder contact lists and assign an owner with a change log.

Exit criteria: You can run an incident and publish controlled, authorized updates across your defined channels.

Days 31–60: Operationalize approvals, evidence, and third-party coordination

  • Define approval tiers: what is pre-approved vs. what needs legal/executive review.
  • Add third-party communications procedures: how to request facts, who can approve joint statements, how to handle blame language.
  • Train the roles (short, role-based training).
  • Implement evidence capture: where approvals, drafts, and final comms are stored and how they are linked to incidents.

Exit criteria: You can show an auditor the process plus operational records (training, approvals, change logs).

Days 61–90: Test under stress and close audit gaps

  • Run a tabletop that forces cross-channel coordination and degraded-mode communications.
  • Run a second exercise that includes a third-party outage scenario.
  • Conduct an after-action review and update artifacts (templates, RACI, channels, contacts).
  • Formalize periodic reviews in your GRC workflow (ownership, due dates, attestations).

Exit criteria: Exercised capability with tracked improvements and current documentation.

Frequently Asked Questions

Do we need a dedicated PR team to meet the crisis communications management requirement?

No. You need clearly assigned roles and authority, even if the “comms function” is a small set of trained staff or executives. Document authorized spokespersons, alternates, and the approval path so communications still work after hours.

How do we handle crisis communications when the disruption is caused by a third party?

Define a coordination step: request confirmed facts, align on timelines, and control joint statements. Your templates should avoid attributing fault until validated, and your plan should name who manages third-party outreach and approvals.

What evidence is most persuasive in an ISO 22301 audit?

Version-controlled procedures, maintained contact lists with ownership and change logs, approved templates, and exercise records with after-action improvements. Real incident examples (redacted) that show approvals and timestamps are strong support. [1]

How do we prevent inconsistent messaging across support, sales, and executives?

Establish a single source of truth (often the status page or incident summary) and require customer-facing teams to use approved scripts that reference it. Put one role in charge of coordinating updates across all channels.

Can we store crisis communications artifacts in our ticketing or incident tool instead of a separate repository?

Yes, if you can preserve approvals, final messages, timestamps, and retention. Auditors care that records are complete, retrievable, and tied to specific incidents or exercises.

Where does Daydream fit into this requirement?

Daydream helps you turn crisis communications into a controlled requirement with mapped artifacts, recurring reviews for contact lists/templates, and audit-ready evidence linking exercises and incidents to the documented process.

Footnotes

  [1] ISO 22301 overview
