ISO 27001 Communication
ISO 27001 communication is about making people aware of what is expected of them for information security, and of the consequences of not doing it. In practice it means planning your communications and then following, and evidencing, that plan.
What is ISO 27001 Clause 7.4?
ISO 27001 Clause 7.4, Communication, focuses on sharing key aspects of the information security management system (ISMS) with relevant individuals. While certain communications are mandatory under the standard, others are highly recommended for a robust ISMS.
Communication can take various forms, including written and verbal methods. Organisations should use a range of communication approaches suited to their style, culture and target audience. This variety matters because individuals respond differently to different communication styles.
Effective communication offers several key benefits:
Enhanced Security: By informing individuals about risks and providing clear guidance, organisations empower them to make informed decisions, exercise sound judgment, and protect both themselves and the organisation.
Fostering a Culture of Information Security: Training and awareness are fundamental to a strong information security posture. Effective communication, combined with training initiatives, significantly reduces information security risks and incidents.
Definition
ISO 27001:2022 Clause 7.4 Communication defines the requirement as:
The organisation shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.
ISO 27001:2022 Clause 7.4 Communication
Implementation Guide
Key Points
When planning communications take into account the following:
- what to communicate
- when to communicate
- with whom to communicate and
- how to communicate
ISO 27001 Communication Examples
There are common communications that are going to happen as part of your project’s implementation and throughout the year, the annual cycle of your information security management system.
Evidence and examples of communication include:
- information security overview training
- training people
- training the management team
- training on the ISO 27001 framework
- where the policies are
- how to raise an incident if something goes wrong
- who is ultimately responsible in the organisation for information security
- how to take part in an audit
- technical training
Approaches to Communicating
There are numerous ways to communicate and raise awareness, and the most effective methods will depend on your company culture and available tools. Consider the approaches that have proven successful for your organisation and, where possible, retain evidence of your communications.
While email is a useful tool, other options include stand-up meetings, presentations at company-wide gatherings, and even bringing in external experts. There’s no single, universally applicable solution.
Regardless of the methods you choose, document them in your communication plan.
Implement a Communication Plan
Have a communication plan that documents:
- what you communicated
- when you communicated
- with whom you communicated
- who communicated it
- the processes by which communication took place
- and, where possible, evidence that you communicated.
During Onboarding of Staff or Third Parties
Onboarding should include providing new employees with copies of relevant policies and the employee handbook. A dedicated, face-to-face session should be conducted to explain the organisation’s information security approach. This session should cover the location of key policies, identify those responsible for information security, and detail the process for reporting a security incident. Crucially, the session should clearly articulate how the employee’s role contributes to overall information security and outline their specific responsibilities. New hires should also be enrolled in general information security awareness training and basic GDPR/Data Protection training (either through a training tool or via face-to-face instruction). Attendance and understanding should be documented, with employees signing an acknowledgement of completion.
Throughout the Year
Plan your communication throughout the year based on risk and business need. Beyond the information security and data protection training, people may need educating on the risks of home working, or on the perils of phishing attacks. Communication should be an ongoing process. Throughout the year you will also hold Management Review Meetings that meet the very specific requirements of the ISO 27001 standard and cover many of the bases for communicating with senior management.
Annually
Conduct the general information security awareness training and the general data protection training at least annually. Even if it is just a refresher, people should formally go through basic training once a year.
On Ending Employment / Engagement
Ensure that at the end of employment or engagement you communicate the contractual obligations that are, and will remain, in force with regard to information security.
ISO 27001 Continual Improvement
Continually update your communication plan to respond to known threats, risks and issues.
What to communicate
What you need to communicate is covered in the standard. You may choose to do the bare minimum for communication or to go a step further. The more you communicate the more you will enhance and improve your information security posture.
Key things to communicate include
- Location of information security policies
- The information security policies themselves
- How to report an information security incident or breach
- Who is the primary contact for information security
- Information security training
- Information security management reviews that have a dedicated agenda of what needs to be discussed
- Information security measures and monitors
- Information security risks
- Information security threat intelligence
- Information security audit planning
- Continual improvement and changes to the information security management system (ISMS)
When to communicate
There’s no prescribed timeframe for all ISMS communications. While many, if not all, elements should be communicated at least annually, numerous aspects can, and often should, be communicated more frequently.
Examples of situations requiring communication include:
- Management Reviews – monthly, quarterly or six-monthly
- Location of information security policies – quarterly, six-monthly or annually
- The information security policies themselves – quarterly, six-monthly or annually
- How to report an information security incident or breach – quarterly, six-monthly or annually
- Who is the primary contact for information security – quarterly, six-monthly or annually
- Information security training – ongoing, quarterly, six-monthly or annually
- Information security measures and monitors – monthly
- Information security risks – monthly
- Information security threat intelligence – monthly
- Information security audit planning – monthly, quarterly or six-monthly
- Continual improvement and changes to the information security management system (ISMS) – monthly
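The communication plan described above (what, when, with whom, how, plus who, process and evidence) and the cadences listed here lend themselves to a simple register that can be checked rather than eyeballed. The following is an added example written for this page; it is not part of the article, the standard or any ISO 27001 template. It keeps each plan entry as a record, flags entries that are missing a required Clause 7.4 dimension, have never been communicated, are overdue against their stated cadence, or have no evidence attached, and computes the next due date. The field names, the day counts used for each cadence and all plan entries and dates are constructed assumptions.

```python
"""Communication-plan register with cadence and evidence checks.

Added worked example for ISO 27001 Clause 7.4; not the article's own
material or an ISO template. Field names, cadence day-counts and all
sample entries/dates below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cadence label -> maximum interval in days before an entry counts as overdue.
# The day counts are an assumption; adjust to your own plan's definitions.
FREQUENCIES = {
    "monthly": 31,
    "quarterly": 92,
    "six-monthly": 183,
    "annually": 366,
}


@dataclass
class PlanEntry:
    what: str                      # a) what to communicate
    frequency: str                 # b) when to communicate (key of FREQUENCIES)
    with_whom: str                 # c) with whom to communicate
    how: str                       # d) how to communicate (channel/method)
    who: str = ""                  # who communicates it (2013 wording; still good practice)
    last_done: Optional[date] = None            # date of the most recent communication
    evidence: List[str] = field(default_factory=list)  # e.g. attendance record, minutes


def check_entry(entry: PlanEntry, today: date) -> List[str]:
    """Return findings for one entry; an empty list means the entry is compliant."""
    findings = []
    # The four dimensions the 2022 clause names must all be populated.
    for attr in ("what", "frequency", "with_whom", "how"):
        if not getattr(entry, attr):
            findings.append(f"missing required field '{attr}'")
    if entry.frequency and entry.frequency not in FREQUENCIES:
        findings.append(f"unknown frequency '{entry.frequency}'")
        return findings
    if entry.last_done is None:
        findings.append("never communicated")
        return findings
    if today - entry.last_done > timedelta(days=FREQUENCIES[entry.frequency]):
        findings.append(
            f"overdue: last done {entry.last_done.isoformat()}, cadence {entry.frequency}"
        )
    if not entry.evidence:
        findings.append("no evidence recorded")
    return findings


def check_plan(plan: List[PlanEntry], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant entry's 'what' to its findings."""
    report = {}
    for entry in plan:
        findings = check_entry(entry, today)
        if findings:
            report[entry.what] = findings
    return report


def next_due(entry: PlanEntry) -> Optional[date]:
    """Latest date by which the entry must be communicated again (None if never done)."""
    if entry.last_done is None or entry.frequency not in FREQUENCIES:
        return None
    return entry.last_done + timedelta(days=FREQUENCIES[entry.frequency])


# Constructed sample plan (not real data).
SAMPLE_PLAN = [
    PlanEntry("Information security awareness training", "annually", "all staff",
              "e-learning tool", "ISMS manager", date(2024, 3, 1),
              ["completion report 2024-03"]),
    PlanEntry("How to report an incident", "quarterly", "all staff",
              "email and intranet banner", "ISMS manager", date(2024, 9, 2), []),
    PlanEntry("Management review", "quarterly", "senior management",
              "meeting", "CISO", date(2024, 5, 20), ["minutes 2024-05-20"]),
    PlanEntry("Threat intelligence summary", "monthly", "IT and security team",
              "stand-up", "", None, []),
]
TODAY = date(2025, 1, 15)  # constructed reference date for the sample run

if __name__ == "__main__":
    for what, findings in check_plan(SAMPLE_PLAN, TODAY).items():
        print(what)
        for finding in findings:
            print("  -", finding)
```

Run against the sample plan, the awareness training is within its annual window and has evidence, so it does not appear in the report; the incident-reporting reminder and the management review are overdue against their quarterly cadence, the former also with no evidence, and the threat intelligence summary has never been done. Feeding the report into the Management Review agenda is one way to make Clause 7.4 a standing, evidenced item rather than an annual scramble.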
With whom to communicate
Determining the appropriate recipients for communication involves understanding both individual needs and the requirements of the information security management system (ISMS). While some communications, such as training, will be organisation-wide, others will be targeted at specific groups, like management reviews, risk assessments, incident response teams, and threat intelligence units.
A stakeholder analysis is a valuable tool for identifying key stakeholders and their respective information needs. This process, while seemingly complex initially, becomes straightforward as the ISMS is implemented and its requirements are clarified.
How to communicate
Organisations typically employ a variety of communication methods. Common approaches include meetings (team meetings, company updates, quarterly reviews, and personnel reviews), email, and instant messaging platforms. Company bulletin boards, such as SharePoint or Confluence, are also frequently used.
Training itself is a form of communication, and the chosen delivery method (face-to-face, webinar, or via dedicated training tools) impacts how information is conveyed.
Formal communications, such as legal contracts and agreements with staff and third parties, also play a significant role.
When determining the most effective communication strategies, organisations should consider their existing culture and established communication channels. Consulting with HR is highly recommended to gain insights into preferred communication approaches.
Implementation Checklist
Communication ISO 27001 Clause 7.4 Implementation Checklist
Establish a Communication Plan
Develop a documented communication plan that outlines what information needs to be communicated, to whom, when, and how. This plan should cover both internal and external communications related to the ISMS.
Challenge:
Creating a plan that is comprehensive yet flexible enough to adapt to changing circumstances.
Solution:
Involve key interested parties in the planning process and build in regular review and update cycles for the plan.
Identify Stakeholders
Determine all relevant interested parties, both internal (e.g., employees, management) and external (e.g., customers, suppliers, regulators), who need to receive information about the ISMS.
Challenge:
Overlooking certain interested parties or misjudging their communication needs.
Solution:
Conduct a thorough stakeholder analysis, considering their roles and responsibilities, and information requirements.
Define Communication Objectives
Clearly define the objectives of each communication activity. What do you want to achieve by communicating this information? (e.g., raise awareness, provide training, report on performance).
Challenge:
Difficulty in defining measurable communication objectives.
Solution:
Use SMART (Specific, Measurable, Achievable, Relevant, Time-bound) criteria to define clear and measurable objectives.
Choose Communication Channels
Select appropriate communication channels based on the target audience and the nature of the information. Consider email, intranet, meetings, newsletters, presentations, etc.
Challenge:
Choosing the right channel to reach the intended audience effectively.
Solution:
Research the communication preferences of different interested parties and use a variety of communication channels to maximise reach.
Develop Communication Content
Create clear, concise, and engaging content that is tailored to the target audience. Avoid technical jargon and use language that is easily understood.
Challenge:
Creating content that is both informative and engaging, avoiding “information overload.”
Solution:
Use visual aids, real-world examples, and storytelling techniques to make the content more appealing and memorable.
Establish Communication Frequency
Determine the appropriate frequency for communicating different types of information. Some information may need to be communicated regularly, while other information may be ad-hoc.
Challenge:
Finding the right balance between keeping interested parties informed and avoiding “communication fatigue.”
Solution:
Develop a communication schedule that outlines the frequency of different types of communication and stick to it.
Implement Communication Processes
Establish clear processes for managing communication activities, including drafting, reviewing, approving, and distributing information.
Challenge:
Ensuring consistency and accuracy in communication processes.
Solution:
Document communication procedures and provide training to staff on how to follow them.
Manage Feedback
Establish mechanisms for receiving feedback from interested parties on communication activities. This feedback can be used to improve future communications.
Challenge:
Collecting and analysing feedback effectively.
Solution:
Use surveys, feedback forms, and other tools to gather feedback, and analyse the data to identify areas for improvement.
Document Communication Activities
Maintain records of all communication activities, including the information communicated, the target audience, the communication channel, and the date of communication.
Challenge:
Maintaining accurate and up-to-date records.
Solution:
Use a centralised platform or system to manage communication records.
Review and Improve
Regularly review the effectiveness of communication activities and make adjustments as needed. Consider feedback from interested parties and lessons learned from past communications.
Challenge:
Measuring the effectiveness of communication activities.
Solution:
Establish clear metrics for measuring communication effectiveness (e.g., reach, engagement, feedback) and track progress over time.
Audit Checklist
The following is a summary of the ISO 27001 Clause 7.4 Audit Checklist:
Review the Communication Plan
Verify the existence and adequacy of a documented communication plan, ensuring it covers both internal and external communication related to the ISMS.
Audit Technique: Examine the communication plan document for completeness, clarity, and alignment with the ISMS objectives. Interview the individual responsible for maintaining the plan.
Identify Stakeholder Coverage
Confirm that all relevant interested parties have been identified and their communication needs considered in the plan.
Audit Technique: Review the interested parties analysis documentation. Interview representatives from different interested parties to validate their communication needs are being met.
Evaluate Communication Objectives
Assess whether communication objectives are clearly defined, measurable, and aligned with the overall ISMS goals.
Audit Technique: Examine the communication plan and individual communication activity documentation for clearly stated objectives. Interview management to understand the intended outcomes of communication activities.
Check Communication Channel Selection
Verify that appropriate communication channels are being used to reach different interested parties effectively.
Audit Technique: Review the communication plan and examples of communication materials. Interview interested parties to gauge their satisfaction with the chosen communication channels.
Assess Content Quality
Evaluate the clarity, conciseness, and relevance of communication content.
Audit Technique: Review examples of communication materials (e.g., emails, newsletters, presentations) for clarity, accuracy, and appropriate tone. Interview interested parties for their feedback on the quality of information received.
Verify Communication Frequency
Determine if the frequency of communication is appropriate for different types of information and target audiences.
Audit Technique: Review the communication schedule and interview interested parties to assess if the frequency of communication is adequate, avoiding both under- and over-communication.
Inspect Communication Processes
Check if documented processes are in place for managing communication activities, including drafting, reviewing, approving, and distributing information.
Audit Technique: Examine documented communication procedures. Interview staff involved in communication activities to verify their understanding and adherence to the procedures.
Evaluate Feedback Mechanisms
Verify that mechanisms are in place for receiving feedback from interested parties and that this feedback is used to improve future communications.
Audit Technique: Review records of feedback received (e.g., survey results, feedback forms). Interview the individual responsible for managing feedback and how it is used to improve communication.
Inspect Communication Records
Ensure that adequate records of communication activities are maintained, including what was communicated, to whom, when, and how.
Audit Technique: Review communication logs, distribution lists, and other relevant records. Verify the completeness and accuracy of the records.
Assess Communication Effectiveness
Evaluate the overall effectiveness of communication activities in achieving their intended objectives.
Audit Technique: Review reports on communication effectiveness (e.g., metrics related to reach, engagement, and feedback). Interview management and interested parties to gauge their perception of communication effectiveness.
Watch the Tutorial
Watch the ISO 27001 Tutorial – How to Implement ISO 27001 Clause 7.4 Communication
ISO 27001 Templates
ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.
These individual templates help meet the specific requirements of ISO 27001 communication
ISO 27001 communication plan template
ISO 27001 training and awareness policy template
ISO 27001 templates toolkit
How to comply
Having a communication plan that records what you communicated, when, to whom and the evidence that you did is the main part of showing compliance to the clause.
ISO 27001 References to Communication
There are several parts of the ISO 27001 standard that directly reference communication in addition to clause 7.4 and they are:
ISO 27001 Annex A 5.1 Policies for Information Security
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
ISO 27001 Annex A 5.1 Policies for Information Security
Here we see it isn’t enough just to have Information Security Policies but that we must in fact communicate them.
ISO 27001 Annex A 5.24 Information security incident management planning and preparation
The organisation should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
ISO 27001 Annex A 5.24 Information security incident management planning and preparation
Communicating the incident management process is a key step so that everyone knows what to do if things go wrong. The basics are to communicate ‘how to report an incident’ and ‘who is responsible for information security’.
ISO 27001 Annex A 6.4 Disciplinary Process
A disciplinary process should be formalised and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
ISO 27001 Annex A 6.4 Disciplinary Process
This is usually the function of the HR department and part of good HR practice. HR will have many communication requirements of their own but we are interested for ISO 27001 certification in ensuring that they have communicated the disciplinary process. The disciplinary process must include steps for what happens if staff breach information security.
ISO 27001 Annex A 6.5 Responsibilities after termination or change of employment.
Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.
ISO 27001 Annex A 6.5 Responsibilities after termination or change of employment.
Human Resources plays a crucial role in the offboarding process, particularly concerning information security. Employment and engagement contracts typically contain clauses related to information security, and these should be reiterated during offboarding to ensure departing individuals understand their continuing responsibilities and obligations.
Staff, contractors, and third parties progress through distinct phases in their relationship with an organisation, each potentially requiring different levels and types of communication. While a single communication approach might suffice, it’s more likely that varying styles and methods will be necessary, depending on the individual and their stage in the relationship.
ISO 27001 Clause 7.4 FAQ
The ISO 27001:2013 version of Clause 7.4 required that the organisation shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.
There are minor changes to ISO 27001 Clause 7.4 Communication in the 2022 update, and they can be seen as a simplification. The 2022 text replaces ‘who shall communicate’ with ‘how to communicate’ and drops the requirement to show the processes by which communication shall be effected.
In our opinion, continuing to record who communicated and the process used is good practice, but you are no longer required to account for them directly.
You evidence compliance with ISO 27001 Clause 7.4 Communication by having a communication plan that records:
a) what you communicated
b) when you communicated
c) with whom you communicated
d) who communicated it
e) the processes by which communication took place
f) and, where possible, evidence that you communicated.
You can download ISO 27001 Communication templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 7.4 Communication can be found in the ISO 27001 Toolkit.
The communication plan template for ISO 27001 can be downloaded here.
Yes, you can download an example of an ISO 27001 communication plan here.