ISO 27001 Communication
ISO 27001 communication is about making people aware of what is expected of them for information security and of the consequences of not meeting those expectations. It is about planning communications and following the plan.
Table of contents
- ISO 27001 Communication
- What is ISO 27001 Clause 7.4?
- How to implement ISO 27001 Clause 7.4
- ISO 27001 Clause 7.4 Implementation Checklist
- ISO 27001 Clause 7.4 Audit Checklist
- ISO 27001 Communication Examples
- ISO 27001 Communication Plan Example
- Approaches to Communicating
- What to communicate
- When to communicate
- With whom to communicate
- How to communicate
- How to comply
- ISO 27001 Clause 7.4 FAQ
What is ISO 27001 Clause 7.4?
ISO 27001 Clause 7.4 covers communication: sharing key aspects of the information security management system (ISMS) with the people who need to know about them. Certain communications are mandatory under the standard; others are strongly recommended for a robust ISMS.
Communication can take various forms, both written and verbal. Organisations should use a diverse range of communication approaches tailored to their style, culture and target audience. This variety matters because individuals respond differently to different communication styles, so a mix maximises effectiveness.
Effective communication offers several key benefits:
- Enhanced Security: By informing individuals about risks and providing clear guidance, organisations empower them to make informed decisions, exercise sound judgement, and protect both themselves and the organisation.
- Fostering a Culture of Information Security: Training and awareness are fundamental to a strong information security posture. Effective communication, combined with training initiatives, significantly reduces information security risks and incidents.
ISO 27001 Clause 7.4 Definition
ISO 27001:2022 Clause 7.4 Communication defines the requirement as:
The organisation shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.
How to implement ISO 27001 Clause 7.4
Key Points
When planning communications take into account the following:
- what to communicate
- when to communicate
- with whom to communicate and
- how to communicate
Time needed: 1 hour and 30 minutes
How to implement ISO 27001 Clause 7.4 Communication
- Write a Communication Plan
Have a communication plan that documents:
- on what you communicated
- when you communicated
- with whom you communicated
- who communicated it
- the processes by which communication took place
- and, if possible, evidence that you communicated.
- During Onboarding of Staff or Third Parties
Onboarding should include providing new employees with copies of relevant policies and the employee handbook. A dedicated, face-to-face session should be conducted to explain the organisation’s information security approach. This session should cover the location of key policies, identify those responsible for information security, and detail the process for reporting a security incident. Crucially, the session should clearly articulate how the employee’s role contributes to overall information security and outline their specific responsibilities. New hires should also be enrolled in general information security awareness training and basic GDPR/Data Protection training (either through a training tool or via face-to-face instruction). Attendance and understanding should be documented, with employees signing an acknowledgement of completion.
- Throughout the Year
Plan your communication throughout the year based on risk and business need. Beyond the information security and data protection training, people may need educating on the risks of home working or on the perils of phishing attacks. Communication should be an ongoing process. Throughout the year you will also hold Management Review Meetings that meet the very specific requirements of the ISO 27001 standard and cover many of the bases for communicating with senior management.
- Annually
Conduct the general information security awareness training and the general data protection training at least annually. Even if it is just a refresher, people should formally go through basic training once a year.
- On Ending Employment / Engagement
Ensure that at the end of employment or engagement you communicate the contractual obligations that are, and will remain, in force with regard to information security.
- Continual Improvement
Continually update your communication plan to respond to known threats, risks and issues.
ISO 27001 Clause 7.4 Implementation Checklist
1. Establish a Communication Plan
Develop a documented communication plan that outlines what information needs to be communicated, to whom, when, and how. This plan should cover both internal and external communications related to the ISMS.
Challenge
Creating a plan that is comprehensive yet flexible enough to adapt to changing circumstances.
Solution
Involve key interested parties in the planning process and build in regular review and update cycles for the plan.
2. Identify Stakeholders
Determine all relevant interested parties, both internal (e.g., employees, management) and external (e.g., customers, suppliers, regulators), who need to receive information about the ISMS.
Challenge
Overlooking certain interested parties or misjudging their communication needs.
Solution
Conduct a thorough stakeholder analysis, considering their roles and responsibilities, and information requirements.
3. Define Communication Objectives
Clearly define the objectives of each communication activity. What do you want to achieve by communicating this information? (e.g., raise awareness, provide training, report on performance).
Challenge
Difficulty in defining measurable communication objectives.
Solution
Use SMART (Specific, Measurable, Achievable, Relevant, Time-bound) criteria to define clear and measurable objectives.
4. Choose Communication Channels
Select appropriate communication channels based on the target audience and the nature of the information. Consider email, intranet, meetings, newsletters, presentations, etc.
Challenge
Choosing the right channel to reach the intended audience effectively.
Solution
Research the communication preferences of different interested parties and use a variety of communication channels to maximise reach.
5. Develop Communication Content
Create clear, concise, and engaging content that is tailored to the target audience. Avoid technical jargon and use language that is easily understood.
Challenge
Creating content that is both informative and engaging, avoiding “information overload.”
Solution
Use visual aids, real-world examples, and storytelling techniques to make the content more appealing and memorable.
6. Establish Communication Frequency
Determine the appropriate frequency for communicating different types of information. Some information may need to be communicated regularly, while other information may be ad-hoc.
Challenge
Finding the right balance between keeping interested parties informed and avoiding “communication fatigue.”
Solution
Develop a communication schedule that outlines the frequency of different types of communication and stick to it.
7. Implement Communication Processes
Establish clear processes for managing communication activities, including drafting, reviewing, approving, and distributing information.
Challenge
Ensuring consistency and accuracy in communication processes.
Solution
Document communication procedures and provide training to staff on how to follow them.
8. Manage Feedback
Establish mechanisms for receiving feedback from interested parties on communication activities. This feedback can be used to improve future communications.
Challenge
Collecting and analysing feedback effectively.
Solution
Use surveys, feedback forms, and other tools to gather feedback, and analyse the data to identify areas for improvement.
9. Document Communication Activities
Maintain records of all communication activities, including the information communicated, the target audience, the communication channel, and the date of communication.
Challenge
Maintaining accurate and up-to-date records.
Solution
Use a centralised platform or system to manage communication records.
10. Review and Improve
Regularly review the effectiveness of communication activities and make adjustments as needed. Consider feedback from interested parties and lessons learned from past communications.
Challenge
Measuring the effectiveness of communication activities.
Solution
Establish clear metrics for measuring communication effectiveness (e.g., reach, engagement, feedback) and track progress over time.
ISO 27001 Clause 7.4 Audit Checklist
How to audit ISO 27001 Clause 7.4 Communication
1. Review the Communication Plan
Verify the existence and adequacy of a documented communication plan, ensuring it covers both internal and external communication related to the ISMS.
- Examine the communication plan document for completeness, clarity, and alignment with the ISMS objectives.
- Interview the individual responsible for maintaining the plan.
2. Identify Stakeholder Coverage
Confirm that all relevant interested parties have been identified and their communication needs considered in the plan.
- Review the interested parties analysis documentation.
- Interview representatives from different interested parties to validate their communication needs are being met.
3. Evaluate Communication Objectives
Assess whether communication objectives are clearly defined, measurable, and aligned with the overall ISMS goals.
- Examine the communication plan and individual communication activity documentation for clearly stated objectives.
- Interview management to understand the intended outcomes of communication activities.
4. Check Communication Channel Selection
Verify that appropriate communication channels are being used to reach different interested parties effectively.
- Review the communication plan and examples of communication materials.
- Interview interested parties to gauge their satisfaction with the chosen communication channels.
5. Assess Content Quality
Evaluate the clarity, conciseness, and relevance of communication content.
- Review examples of communication materials (e.g., emails, newsletters, presentations) for clarity, accuracy, and appropriate tone.
- Interview interested parties for their feedback on the quality of information received.
6. Verify Communication Frequency
Determine if the frequency of communication is appropriate for different types of information and target audiences.
- Review the communication schedule and interview interested parties to assess if the frequency of communication is adequate, avoiding both under- and over-communication.
7. Inspect Communication Processes
Check if documented processes are in place for managing communication activities, including drafting, reviewing, approving, and distributing information.
- Examine documented communication procedures.
- Interview staff involved in communication activities to verify their understanding and adherence to the procedures.
8. Evaluate Feedback Mechanisms
Verify that mechanisms are in place for receiving feedback from interested parties and that this feedback is used to improve future communications.
- Review records of feedback received (e.g., survey results, feedback forms).
- Interview the individual responsible for managing feedback and how it is used to improve communication.
9. Inspect Communication Records
Ensure that adequate records of communication activities are maintained, including what was communicated, to whom, when, and how.
- Review communication logs, distribution lists, and other relevant records.
- Verify the completeness and accuracy of the records.
10. Assess Communication Effectiveness
Evaluate the overall effectiveness of communication activities in achieving their intended objectives.
- Review reports on communication effectiveness (e.g., metrics related to reach, engagement, and feedback).
- Interview management and interested parties to gauge their perception of communication effectiveness.
ISO 27001 Communication Examples
There are common communications that are going to happen as part of your project’s implementation and throughout the year, the annual cycle of your information security management system.
Evidence and examples of communication include:
- information security overview training
- training people
- training the management team
- training on the ISO 27001 framework
- where policies are
- how they raise an incident if something goes wrong
- who is ultimately responsible in our organisation for information security
- how to take an audit
- technical training
ISO 27001 Communication Plan Example
Approaches to Communicating
There are numerous ways to communicate and raise awareness, and the most effective methods will depend on your company culture and available tools. Consider the approaches that have proven successful for your organisation and, where possible, retain evidence of your communications.
While email is a useful tool, other options include stand-up meetings, presentations at company-wide gatherings, and even bringing in external experts. There’s no single, universally applicable solution.
Regardless of the methods you choose, document them in your communication plan.
What to communicate
What you need to communicate is covered in the standard. You may choose to do the bare minimum for communication or to go a step further. The more you communicate the more you will enhance and improve your information security posture.
Key things to communicate include:
- Location of information security policies
- The information security policies themselves
- How to report an information security incident or breach
- Who is the primary contact for information security
- Information security training
- Information security management reviews that have a dedicated agenda of what needs to be discussed
- Information security measures and monitors
- Information security risks
- Information security threat intelligence
- Information security audit planning
- Continual improvement and changes to the information security management system (ISMS)
When to communicate
There’s no prescribed timeframe for all ISMS communications. While many, if not all, elements should be communicated at least annually, numerous aspects can, and often should, be communicated more frequently.
Examples of situations requiring communication include:
- Management Reviews – Every month, every three months or every six months
- Location of information security policies – every three months or every six months or annually
- The information security policies themselves – every three months or every six months or annually
- How to report an information security incident or breach – every three months or every six months or annually
- Who is the primary contact for information security – every three months or every six months or annually
- Information security training – ongoing or every three months or every six months or annually
- Information security measures and monitors – monthly
- Information security risks – monthly
- Information security threat intelligence – monthly
- Information security audit planning – every month, every three months or every six months
- Continual improvement and changes to the information security management system (ISMS) – monthly
With whom to communicate
Determining the appropriate recipients for communication involves understanding both individual needs and the requirements of the information security management system (ISMS). While some communications, such as training, will be organisation-wide, others will be targeted at specific groups, like management reviews, risk assessments, incident response teams, and threat intelligence units.
A stakeholder analysis is a valuable tool for identifying key stakeholders and their respective information needs. This process, while seemingly complex initially, becomes straightforward as the ISMS is implemented and its requirements are clarified.
How to communicate
Organisations typically employ a variety of communication methods. Common approaches include meetings (team meetings, company updates, quarterly reviews, and personnel reviews), email, and instant messaging platforms. Company bulletin boards, such as SharePoint or Confluence, are also frequently used.
Training itself is a form of communication, and the chosen delivery method (face-to-face, webinar, or via dedicated training tools) impacts how information is conveyed.
Formal communications, such as legal contracts and agreements with staff and third parties, also play a significant role.
When determining the most effective communication strategies, organisations should consider their existing culture and established communication channels. Consulting with HR is highly recommended to gain insights into preferred communication approaches.
How to comply
Having a communication plan that records what you communicated, when, to whom, and the evidence that you did so is the main way of demonstrating compliance with the clause.
ISO 27001 Clause 7.4 FAQ
The ISO 27001:2013 standard required that the organisation determine the need for internal and external communications relevant to the information security management system, including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.
There are minor changes to ISO 27001 Clause 7.4 Communication in the 2022 update, and they can be seen as a simplification. The 2022 version removes "who shall communicate" and replaces it with "how to communicate", and it drops entirely the requirement to show the processes by which communication shall be effected.
It is our opinion that recording who communicated and the process used remains good practice, but you can, if you wish, choose not to account for them directly.
You evidence compliance with ISO 27001 Clause 7.4 Communication by having a communication plan that records:
a) on what you communicated
b) when you communicated
c) with whom you communicated
d) who communicated it
e) the processes by which communication took place
f) and if possible evidence that you communicated.
You can download ISO 27001 Communication templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 7.4 Communication can be found in the ISO 27001 Toolkit.