Register Owner: CISO (internal) and General Counsel (external/regulatory)
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001:2022 cl. 7.4; supports SOC 2 CC2.x and ISO/IEC 42001
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001:2022 cl. 7.4; supports SOC 2 CC2.x and ISO/IEC 42001
1. Internal communications
| What | Audience | When / cadence | By whom | Channel |
|---|---|---|---|---|
| Policy publication & material changes | All workforce | On approval; re-ack on material change | CISO + CHRO | Vanta acknowledgement; docs site |
| Security-awareness training | All workforce | At hire + annually | CHRO via Vanta | Vanta training |
| Security/privacy incident reporting | Reporter → Security | Immediately on discovery | All staff | security@neuroscale.ai; Linear |
| Incident status (P0/P1) | Affected internal teams | During incident | Incident Manager | War-room channel |
| System changes affecting users | Authorized internal users | Before/at change | CTO / Eng | Changelog; internal comms |
| ISMS/AIMS objectives & review outcomes | Management; control owners | Each management review | CISO | ISMS-MR minutes |
| Risk register / audit findings | Control owners; management | Quarterly + on finding | CISO | Risk register; Linear |
2. External communications
| What | Audience | When | By whom | Channel |
|---|---|---|---|---|
| Security commitments | Customers / prospects | Pre-contract; on change | GC / Sales | MSA / ToS; Trust Center |
| Sub-processor changes | Customers | ≥ 30 days before (or 14 if exigent) | GC | Subprocessor List subscription |
| Critical system changes | Customers | Before/at change | CTO / CS | Status page; customer notice |
| Service availability / status | Customers | Real-time + on incident | CTO | Status page (Better Stack) |
| Breach / incident notification | Customers; data subjects | Without undue delay / per law & contract | GC | Customer Communications templates |
| Regulatory & supervisory-authority reports | Regulators / AGs / DPAs | Per statutory deadline | GC | Authority intake; regulatory-correspondence log |
| AI serious-incident reports | Market-surveillance / AG | Per AI Serious-Incident Reporting | GC | Authority mechanism |
| Privacy notices & AI transparency | Public / candidates | Published; kept current | GC | Privacy Notice; AI Transparency |
| Whistleblower channel | Workforce + third parties | Continuous | CEO / VGC | GlobaLeaks; Whistleblower Policy |
3. Principles
- Communications use defined, named owners; external regulatory communications route through the General Counsel.
- Confidential/incident communications follow need-to-know and the Incident Response Policy privilege handling.
- The authoritative cadence for any recurring communication is the source policy/procedure; this plan indexes them.
Cross-references
- Information Security Policy · Customer Communications · Outbound Communications Policy
- Incident Response Policy · AI Serious-Incident Reporting
- Compliance Calendar
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial information security communication plan. | Cameron Wolfe | Ishan Jadhwani |