ISO 27001 Communication
ISO 27001 Communication is the requirement to have a plan for information security communications, to follow the plan and to evidence that you followed the plan.
In ISO 27001 this is known as ISO 27001:2022 Clause 7.4: Communication. It is one of the mandatory ISO 27001 clauses.
ISO 27001 communication is making people aware of what is expected of them for information security and the consequences of not doing what is expected. It is about planning communications and following the plan.
Table of contents
- ISO 27001 Communication
- What is ISO 27001 Clause 7.4 and Why is it Important?
- ISO 27001 Clause 7.4 Explained: A Complete Guide
- The 5 W’s of ISO 27001 Communication
- How to implement ISO 27001 Clause 7.4: Step-By-Step
- How to audit ISO 27001 Clause 7.4
- How to pass the ISO 27001 Clause 7.4 audit
- ISO 27001 Clause 7.4: Communication FAQ
- Related ISO 27001 Controls
- Further Reading
What is ISO 27001 Clause 7.4 and Why is it Important?
ISO 27001 Clause 7.4 is Communication. It focuses on sharing key aspects of the information security management system (ISMS) with the relevant people. Some communications are mandatory under the standard; others are not required but are strongly recommended for a robust ISMS.
Communication can take various forms, including written and verbal methods. Organisations should use a range of communication approaches tailored to their style, culture and target audience. This variety matters because people respond differently to different communication styles.
Effective communication offers several key benefits:
Enhanced Security: By informing individuals about risks and providing clear guidance, organisations empower them to make informed decisions, exercise sound judgment, and protect both themselves and the organisation.
Fostering a Culture of Information Security: Training and awareness are fundamental to a strong information security posture. Effective communication, combined with training initiatives, significantly reduces information security risks and incidents.
Purpose and Definition
The purpose of ISO 27001 clause 7.4 Communication is to make sure you have an information security communication plan and that you act on that plan.
The ISO 27001 standard defines ISO 27001 Clause 7.4 Communication as:
The organisation shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.
ISO 27001:2022 Clause 7.4 Communication
ISO 27001 Clause 7.4 Explained: A Complete Guide
In this ISO 27001 Tutorial, How to Implement ISO 27001 Clause 7.4 Communication, I show you how to implement it and how to pass the audit.
The 5 W’s of ISO 27001 Communication
There are numerous ways to communicate and raise awareness, and the most effective methods will depend on your company culture and available tools. Consider the approaches that have proven successful for your organisation and, where possible, retain evidence of your communications.
While email is a useful tool, other options include stand-up meetings, presentations at company-wide gatherings, and even bringing in external experts. There’s no single, universally applicable solution.
Regardless of the methods you choose, document them in your communication plan.
1. What to communicate
What you need to communicate is covered in the standard. You may choose to do the bare minimum for communication or to go a step further. The more you communicate the more you will enhance and improve your information security posture.
Key things to communicate include:
- Location of information security policies
- The information security policies themselves
- How to report an information security incident or breach
- Who is the primary contact for information security
- Information security training
- Information security management reviews that have a dedicated agenda of what needs to be discussed
- Information security measures and monitors
- Information security risks
- Information security threat intelligence
- Information security audit planning
- Continual improvement and changes to the information security management system (ISMS)
2. When to communicate
There’s no prescribed timeframe for all ISMS communications. While many, if not all, elements should be communicated at least annually, numerous aspects can, and often should, be communicated more frequently.
Examples of situations requiring communication include:
- Management Reviews – Every month, every three months or every six months
- Location of information security policies – every three months or every six months or annually
- The information security policies themselves – every three months or every six months or annually
- How to report an information security incident or breach – every three months or every six months or annually
- Who is the primary contact for information security – every three months or every six months or annually
- Information security training – ongoing or every three months or every six months or annually
- Information security measures and monitors – monthly
- Information security risks – monthly
- Information security threat intelligence – monthly
- Information security audit planning – every month, every three months or every six months
- Continual improvement and changes to the information security management system (ISMS) – monthly
3. With whom to communicate
Determining the appropriate recipients for communication involves understanding both individual needs and the requirements of the information security management system (ISMS). While some communications, such as training, will be organisation-wide, others will be targeted at specific groups, like management reviews, risk assessments, incident response teams, and threat intelligence units.
A stakeholder analysis is a valuable tool for identifying key stakeholders and their respective information needs. This process, while seemingly complex initially, becomes straightforward as the ISMS is implemented and its requirements are clarified.
4. Who should communicate
The 2013 edition of ISO 27001 Clause 7.4 required the organisation to define who shall communicate; the 2022 edition replaced that wording with how to communicate (see the FAQ below). Defining who communicates remains good practice because it creates accountability and clarity. The standard does not prescribe job titles; the organisation assigns the roles and responsibilities for communication. For example, a senior manager might be responsible for communicating policies to all staff, while a department head handles updates relevant to their own team. Document these roles so that everyone, from senior management to every employee, knows what is expected of them.
5. How to communicate
Organisations typically employ a variety of communication methods. Common approaches include meetings (team meetings, company updates, quarterly reviews, and personnel reviews), email, and instant messaging platforms. Company bulletin boards, such as SharePoint or Confluence, are also frequently used.
Training itself is a form of communication, and the chosen delivery method (face-to-face, webinar, or via dedicated training tools) impacts how information is conveyed.
Formal communications, such as legal contracts and agreements with staff and third parties, also play a significant role.
When determining the most effective communication strategies, organisations should consider their existing culture and established communication channels. Consulting with HR is highly recommended to gain insights into preferred communication approaches.
How to implement ISO 27001 Clause 7.4: Step-By-Step
In this step-by-step implementation checklist, based on real world experience and best practice, I show you the best way to implement Clause 7.4.
When planning communications take into account the following:
- what to communicate
- when to communicate
- with whom to communicate and
- how to communicate
Time needed: 1 hour and 30 minutes
How to implement ISO 27001 Clause 7.4 Communication
- Write a Communication Plan
Have a communication plan that documents:
what you communicated
when you communicated
with whom you communicated
who communicated it
the processes by which communication took place
and, if possible, evidence that you communicated.
- During Onboarding of Staff or Third Parties
Onboarding should include providing new employees with copies of relevant policies and the employee handbook. A dedicated, face-to-face session should be conducted to explain the organisation’s information security approach. This session should cover the location of key policies, identify those responsible for information security, and detail the process for reporting a security incident. Crucially, the session should clearly articulate how the employee’s role contributes to overall information security and outline their specific responsibilities. New hires should also be enrolled in general information security awareness training and basic GDPR/Data Protection training (either through a training tool or via face-to-face instruction). Attendance and understanding should be documented, with employees signing an acknowledgement of completion.
- Throughout the Year
Plan your communication throughout the year based on risk and business need. Beyond the information security and data protection training, people may need educating on the risks of home working, or on the perils of phishing attacks. Communication should be an ongoing process. Throughout the year you will also hold Management Review Meetings that meet the very specific requirements of the ISO 27001 standard and cover much of what needs communicating to senior management.
- Annually
Conduct the general information security awareness training and the general data protection training at least annually. Even if it is just a refresher, people should formally go through basic training once a year.
- On Ending Employment / Engagement
Ensure that at the end of employment or engagement you communicate the contractual obligations regarding information security that are, and will remain, in force.
- Continual Improvement
Continually update your communication plan to respond to known threats, risks and issues.
Real world examples of ISO 27001 Communications
There are common communications that will happen as part of your implementation project and throughout the year, the annual cycle of your information security management system.
The following are real world examples of ISO 27001 Communications:
- information security overview training
- training people on information security in their role
- training the management team on the role of the management team
- training people on the ISO 27001 framework
- telling people where the ISO 27001 policies are
- telling people how they raise an incident if something goes wrong
- telling people who is ultimately responsible in the organisation for information security
- telling people how to take part in an audit
- giving people technical security training
ISO 27001 Communication Plan Example
A communication plan is a simple document and this is a practical example of an ISO 27001 communication plan:
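A plan kept as a simple table can also be checked mechanically against the points an auditor will test: that every entry determines what, when, with whom and how (the four things the 2022 clause requires), and that each item has actually been communicated within its stated frequency with evidence recorded. The following Python script is an added example for this page, not the toolkit template; the column names, the frequency vocabulary and the sample rows are assumptions constructed for illustration.

```python
"""Check an ISO 27001 communication plan for completeness and overdue items.

Added example, not the page's template. Column names, frequency vocabulary and
the sample plan are assumptions; adapt them to your own plan layout.
"""
import csv
import io
from datetime import date, timedelta

# The four things ISO 27001:2022 Clause 7.4 requires the plan to determine:
# what, when (frequency), with whom (audience) and how (method).
REQUIRED = ("what", "frequency", "audience", "method")

# Retained from the 2013 wording as good practice: who communicates, the
# process used, and a pointer to evidence that it happened.
RECOMMENDED = ("owner", "process", "evidence")

# Assumed frequency vocabulary, mapped to the maximum allowed gap in days.
FREQUENCY_DAYS = {
    "monthly": 31,
    "quarterly": 92,
    "six-monthly": 183,
    "annually": 366,
}

# Constructed sample plan (not real data). Blank cells are deliberate.
SAMPLE_PLAN = """what,frequency,audience,method,owner,process,last_sent,evidence
Location of policies,quarterly,All staff,Email,CISO,Comms procedure,2024-04-02,mail-archive/2024-04-02
How to report an incident,quarterly,All staff,Intranet banner,CISO,Comms procedure,2023-12-15,
Security measures and monitors,monthly,Management,Management review,ISMS manager,MR agenda,2024-05-20,MR-2024-05
Threat intelligence,monthly,Security team,Stand-up,SOC lead,,2024-05-28,
Audit planning,annually,Internal audit,Meeting,ISMS manager,Audit programme,,
"""


def check_plan(csv_text: str, today: date) -> list[dict]:
    """Return one finding per plan row.

    Each finding records the required and recommended fields that are blank
    and a status: ok, overdue, never communicated, or unknown frequency.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cell = lambda name: row.get(name, "").strip()  # noqa: E731
        missing_required = [f for f in REQUIRED if not cell(f)]
        missing_recommended = [f for f in RECOMMENDED if not cell(f)]

        freq = cell("frequency").lower()
        if freq not in FREQUENCY_DAYS:
            status = "unknown frequency"
        elif not cell("last_sent"):
            status = "never communicated"
        elif today - date.fromisoformat(cell("last_sent")) > timedelta(days=FREQUENCY_DAYS[freq]):
            status = "overdue"
        else:
            status = "ok"

        findings.append({
            "what": cell("what"),
            "status": status,
            "missing_required": missing_required,
            "missing_recommended": missing_recommended,
        })
    return findings


def audit_ready(findings: list[dict]) -> bool:
    """True only if every row determines the four required points and is not overdue."""
    return all(f["status"] == "ok" and not f["missing_required"] for f in findings)


if __name__ == "__main__":
    results = check_plan(SAMPLE_PLAN, date(2024, 6, 1))
    for f in results:
        print(f"{f['what']:<32} {f['status']:<20} missing: {f['missing_required'] + f['missing_recommended']}")
    print("audit ready:", audit_ready(results))
```

Run against the sample on 1 June 2024, the incident-reporting entry is flagged overdue (last sent in December against a quarterly frequency) with no evidence recorded, the audit planning entry has never been communicated, and the threat intelligence entry is in date but lacks a process and evidence, so the plan is not audit ready. Running this before each management review turns the plan from a static document into the record of what was communicated, when, to whom and how that the clause asks you to evidence.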
How can an ISO 27001 Toolkit help with ISO 27001 Clause 7.4 Communication?
For ISO 27001 Clause 7.4 Communication the entire ISO 27001 toolkit is relevant, but in particular the following templates directly support this ISO 27001 clause:
ISO 27001 communication plan template
The ISO 27001 communication plan template is the central document that guides how your organization shares information, and it’s essential for providing auditors with the evidence they need.
ISO 27001 training and awareness policy template
Your ISO 27001 training and awareness policy is the core document that builds a security-conscious culture, ensuring everyone understands and fulfils their role in protecting the organisation.
How to audit ISO 27001 Clause 7.4
This audit checklist is a guide on how to conduct an internal audit of ISO 27001 Clause 7.4 Communication based on what the ISO 27001 certification auditor will audit. It gives practical audit tips including what to audit and how.
1. Review the Communication Plan
Verify the existence and adequacy of a documented communication plan, ensuring it covers both internal and external communication related to the ISMS.
- Examine the communication plan document for completeness, clarity, and alignment with the ISMS objectives.
- Interview the individual responsible for maintaining the plan.
2. Identify Stakeholder Coverage
Confirm that all relevant interested parties have been identified and their communication needs considered in the plan.
- Review the interested parties analysis documentation.
- Interview representatives from different interested parties to validate their communication needs are being met.
3. Evaluate Communication Objectives
Assess whether communication objectives are clearly defined, measurable, and aligned with the overall ISMS goals.
- Examine the communication plan and individual communication activity documentation for clearly stated objectives.
- Interview management to understand the intended outcomes of communication activities.
4. Check Communication Channel Selection
Verify that appropriate communication channels are being used to reach different interested parties effectively.
- Review the communication plan and examples of communication materials.
- Interview interested parties to gauge their satisfaction with the chosen communication channels.
5. Assess Content Quality
Evaluate the clarity, conciseness, and relevance of communication content.
- Review examples of communication materials (e.g., emails, newsletters, presentations) for clarity, accuracy, and appropriate tone.
- Interview interested parties for their feedback on the quality of information received.
6. Verify Communication Frequency
Determine if the frequency of communication is appropriate for different types of information and target audiences.
- Review the communication schedule and interview interested parties to assess if the frequency of communication is adequate, avoiding both under- and over-communication.
7. Inspect Communication Processes
Check if documented processes are in place for managing communication activities, including drafting, reviewing, approving, and distributing information.
- Examine documented communication procedures.
- Interview staff involved in communication activities to verify their understanding and adherence to the procedures.
8. Evaluate Feedback Mechanisms
Verify that mechanisms are in place for receiving feedback from interested parties and that this feedback is used to improve future communications.
- Review records of feedback received (e.g., survey results, feedback forms).
- Interview the individual responsible for managing feedback and how it is used to improve communication.
9. Inspect Communication Records
Ensure that adequate records of communication activities are maintained, including what was communicated, to whom, when, and how.
- Review communication logs, distribution lists, and other relevant records.
- Verify the completeness and accuracy of the records.
10. Assess Communication Effectiveness
Evaluate the overall effectiveness of communication activities in achieving their intended objectives.
- Review reports on communication effectiveness (e.g., metrics related to reach, engagement, and feedback).
- Interview management and interested parties to gauge their perception of communication effectiveness.
How to pass the ISO 27001 Clause 7.4 audit
Having a communication plan that records what you communicated, when, to whom and the evidence that you did is the main part of showing compliance to the clause.
ISO 27001 Clause 7.4: Communication FAQ
The 2013 edition of the ISO 27001 standard required that the organisation shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.
The 2022 update made minor changes to ISO 27001 Clause 7.4 Communication that simplify it: "who shall communicate" is replaced by "how to communicate", and the requirement to define the processes by which communication shall be effected is removed entirely.
In our opinion, keeping a record of who communicates and of the process used is good practice, but you are no longer required to account for them directly.
You evidence compliance to the ISO 27001 Clause 7.4 Communication by having a communication plan that records
a) on what you communicated
b) when you communicated
c) with whom you communicated
d) who communicated it
e) the processes by which communication took place
f) and if possible evidence that you communicated.
You can download ISO 27001 Communication templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 7.4 Communication can be found in the ISO 27001 Toolkit.
The communication plan template for ISO 27001, and an example of a completed communication plan, can be downloaded from the ISO 27001 Toolkit.
Related ISO 27001 Controls
ISO 27001 Clause 7.3: Awareness
Further Reading
How to conduct an ISO 27001 Management Review Meeting
ISO 27001 Security Awareness Training Policy Beginner’s Guide