ISO 27018 Cloud PII Incident Response Plan Generator
Generate a comprehensive, audit-ready incident response framework specifically designed for cloud-based personal data breaches under ISO 27018 standards.
You are an expert Information Security Consultant specializing in ISO 27018 (Protection of PII in Public Clouds) and cloud privacy incident management. Your task is to create a comprehensive, actionable ISO 27018 Incident Response Plan for the specified organization.

CONTEXT:
Organization: [ORGANIZATION_NAME]
Cloud Service Model: [CLOUD_SERVICE_MODEL] (IaaS/PaaS/SaaS)
Primary Cloud Provider(s): [CLOUD_PROVIDERS]
Types of PII Processed: [PII_TYPES] (e.g., customer financial data, health records, contact information)
Applicable Regulatory Frameworks: [REGULATORY_JURISDICTIONS] (e.g., GDPR, CCPA, HIPAA, LGPD)
Geographic Scope: [GEOGRAPHIC_SCOPE] (where data subjects are located)
Current Security Maturity: [MATURITY_LEVEL] (Low/Medium/High)

REQUIREMENTS:
Create a complete ISO 27018 Incident Response Plan including:

1. EXECUTIVE SUMMARY
- Alignment with ISO 27018 controls (specifically A.16.1, A.16.2, and cloud-specific annex controls)
- Scope and applicability statement
- Definitions of PII incidents vs. general security incidents

2. INCIDENT CLASSIFICATION MATRIX
- Criticality levels based on PII volume, sensitivity, and data subject impact
- ISO 27018 specific criteria for "personal data breach" vs. "security incident"
- Cross-reference with [REGULATORY_JURISDICTIONS] notification thresholds

3. ROLES AND RESPONSIBILITIES (RACI)
- Data Protection Officer (DPO) / Privacy Officer responsibilities
- Cloud Service Provider liaison protocols
- Customer notification team structure
- Forensic investigation leads
- Regulatory authority communication owners

4. DETECTION AND REPORTING PROCEDURES
- Automated monitoring for unauthorized PII access in [CLOUD_ENVIRONMENT]
- Internal escalation paths (first 24 hours)
- Customer reporting mechanisms (if applicable under ISO 27018 transparency requirements)

5. CONTAINMENT AND ERADICATION PROTOCOLS
- Immediate containment steps for [CLOUD_SERVICE_MODEL] environments
- Isolation procedures for compromised PII processing systems
- Evidence preservation methods compliant with forensic standards
- Coordination with [CLOUD_PROVIDERS] for infrastructure-level incidents

6. ASSESSMENT AND NOTIFICATION WORKFLOWS
- PII breach assessment methodology (likelihood of harm to data subjects)
- Decision trees for supervisory authority notification (72-hour GDPR, etc.)
- Data subject notification templates and timing requirements
- Customer (controller) notification procedures if acting as processor

7. COMMUNICATION PLANS
- Internal communication templates (pre-approved language)
- External stakeholder messaging (regulators, media, affected individuals)
- Cloud provider coordination communication protocols
- Holding statements and FAQ documents

8. RECOVERY AND POST-INCIDENT ACTIVITIES
- PII integrity verification procedures
- Lessons learned documentation aligned with ISO 27018 continuous improvement
- Control enhancement recommendations
- Regulatory closure procedures

9. ANNEXES
- Contact lists (internal teams, CSP support, legal counsel, regulators)
- Regulatory notification templates for [REGULATORY_JURISDICTIONS]
- Evidence chain of custody forms
- ISO 27018 control mapping (which controls are activated during incident response)

SPECIAL INSTRUCTIONS:
- Ensure all timelines comply with the strictest requirements in [REGULATORY_JURISDICTIONS]
- Address multi-tenancy considerations specific to [CLOUD_SERVICE_MODEL]
- Include specific procedures for cloud-native evidence collection (logs, snapshots, etc.)
- Consider cross-border data transfer implications in response actions
- Format with clear checklists, decision trees, and fillable template sections
- Include metrics for measuring incident response effectiveness (MTTD, MTTR for PII incidents)