The ISO 27001 Clause 7.4 audit checklist is designed to help an ISO 27001 Lead Auditor conduct internal and external audits of ISO 27001 Clause 7.4 Communication.
The 10-point ISO 27001 audit plan sets out what to audit, the challenges faced and the audit techniques to adopt.
With over 30 years' industry experience, I will show you the audit checklist used by professional ISO 27001 Lead Auditors for ISO 27001 certification.
I am Stuart Barker, author of the Ultimate ISO 27001 Toolkit and this is the ISO 27001 Communication audit checklist.
Internal Communication Processes
The organisation should have documented processes for internal communication related to the ISMS. This includes who communicates what, when, and how.
Challenges
Ensuring all relevant stakeholders are included in communication flows, maintaining consistency of messaging, and managing the volume of communications.
Audit Techniques
Review documented communication procedures, interview staff across different departments to verify their understanding and adherence, and examine records of internal communications (e.g., meeting minutes, emails).
External Communication Processes
As with internal communication, documented processes should exist for external communication regarding the ISMS, especially with interested parties such as customers, suppliers, and regulators.
Challenges
Managing sensitive information shared externally, ensuring consistent communication with diverse audiences, and complying with legal and contractual obligations.
Audit Techniques
Review documented external communication procedures, examine records of external communications (e.g., letters, contracts, emails), and interview staff responsible for external communications.
Communication of ISMS Performance
Information about the ISMS’s performance, including its effectiveness and areas for improvement, should be communicated to relevant stakeholders.
Challenges
Presenting complex information in a clear and understandable way, ensuring transparency without revealing sensitive details, and tailoring communication to different audiences.
Audit Techniques
Review reports on ISMS performance, interview management about how they communicate this information, and assess the effectiveness of communication channels used.
Communication of Security Incidents
Processes should be in place for reporting and communicating security incidents, both internally and externally (where required).
Challenges
Containing the spread of misinformation during an incident, complying with data breach notification requirements, and managing reputational damage.
Audit Techniques
Review the incident response plan (including its communication protocols), examine records of past incidents and how they were communicated, and interview incident response team members.
Communication of ISMS Changes
Changes to the ISMS, such as new policies or procedures, should be communicated to relevant stakeholders.
Challenges
Ensuring all affected parties are aware of changes, providing sufficient lead time for implementation, and managing resistance to change.
Audit Techniques
Review the change management process, examine records of communicated changes, and interview staff about their awareness and understanding of recent changes.
Communication of Roles and Responsibilities
Roles and responsibilities related to the ISMS should be clearly communicated to individuals.
Challenges
Ensuring everyone understands their responsibilities, avoiding overlap or gaps in responsibilities, and keeping role assignments up to date.
Audit Techniques
Review organisational charts and role descriptions, interview staff to confirm their understanding of their responsibilities, and examine training records.
Communication of ISMS Policies and Procedures
ISMS policies and procedures should be readily accessible and communicated to relevant personnel.
Challenges
Making policies and procedures easy to understand, ensuring they are readily available to all staff, and managing version control.
Audit Techniques
Review the availability of ISMS documentation, interview staff about their access to and understanding of policies and procedures, and check document version control.
Communication of Training and Awareness
Communication plays a vital role in ISMS training and awareness programmes.
Challenges
Delivering effective training, ensuring staff engagement, and measuring the effectiveness of awareness campaigns.
Audit Techniques
Review training materials and records, interview staff about their training experiences, and assess the effectiveness of awareness campaigns (e.g., through phishing tests).
Language and Accessibility
Communication should be in a language and format that is easily understood by all recipients, considering accessibility needs.
Challenges
Catering to a diverse workforce with varying language skills and accessibility requirements.
Audit Techniques
Review communication materials for clarity and accessibility, and interview staff about their understanding of communicated information.
Feedback Mechanisms
The organisation should have mechanisms for receiving feedback on the ISMS and its communication processes.
Challenges
Encouraging staff to provide feedback, managing the feedback process effectively, and acting on feedback received.
Audit Techniques
Review the feedback process, examine records of feedback received, and interview staff about their opportunities to provide feedback.
Further Reading
ISO 27001 Clause 7.4 Communication