Reporting
Report incidents to stakeholders and authorities.
9 of 9 frameworks cover this control
Framework Mappings
How Reporting maps to each of the 6 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | RS.CO-02 |
| ISO 27001 | Covered | A.5.5 A.5.24 A.6.8 |
| CIS v8 | Covered | CIS 17.3 |
| SOC 2 | Covered | CC2.3 CC7.3 |
| PCI DSS | Covered | 12.10.1 12.10.6 |
| CMMC | Covered | IR.L2-3.6.2 IR.L2-3.6.3 |
| 800-53 | Covered | IR-6 IR-7 IR-8 |
| HIPAA | Covered | §164.308(a)(6)(ii) §164.404(a)(1) §164.408(a) |
| GDPR | Covered | Art.33(1) Art.34(1) |
About Reporting
Reporting is a cybersecurity control in the Respond domain. Report incidents to stakeholders and authorities. Incident reporting ensures that cybersecurity events are documented and communicated to appropriate internal stakeholders, regulatory bodies, and law enforcement agencies as required by applicable laws and contractual obligations. Reports should include incident timelines, affected systems and data, containment actions taken, root cause analysis, and remediation steps. Organizations must maintain awareness of all applicable reporting requirements, including sector-specific regulations like HIPAA breach notification rules, CISA reporting requirements for critical infrastructure, and contractual SLA commitments to customers and partners.
This control is recognized by 9 of the 6 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR. It has full coverage across all ${FW_KEYS.length} frameworks.