I’m sorry, I have an additional question about the emergency management plan. Do we need to have a plan like that in case of a significant incident, or would it be enough if we had a list of people and a clear structure for how to handle the incident? I’m guessing chapter A.16 of the ISO Standard is the reason for a plan like that?! Is that right?
I'm assuming you are referring to the Incident Response Plan mentioned in section 3.4 of the Incident Management Procedure template. Considering that, first it is important to note that an Incident Response Plan is needed only if you have an incident where activities are disrupted for a time above that which is considered acceptable by the business. If you have no situations like that, you do not have to develop an Incident Response Plan.
In case an Incident Response Plan is needed, it must include actions to:
- contain or stop the incident, in case it is still occurring
- minimize the impacts of the incident
- recover minimal service levels
- recover normal operational conditions
And of course, for each activity you have to define who will perform it.