ISO 27001 Communication: Clause 7.4

ISO 27001 Communication

ISO 27001 communication means making people aware of what is expected of them for information security, and of the consequences of not meeting those expectations. It is about planning communications and then following the plan.

What is ISO 27001 Clause 7.4?

ISO 27001 Clause 7.4 covers communication: it focuses on sharing key aspects of the information security management system (ISMS) with the relevant individuals. Certain communications are mandatory under the standard; others are not required but are highly recommended for a robust ISMS.

Communication can take various forms, including written and verbal methods. Organisations should use a diverse range of communication approaches tailored to their own style, culture, and target audience. This variety matters because individuals respond differently to different communication styles.

Effective communication offers several key benefits:

Enhanced Security: By informing individuals about risks and providing clear guidance, organisations empower them to make informed decisions, exercise sound judgment, and protect both themselves and the organisation.

Fostering a Culture of Information Security: Training and awareness are fundamental to a strong information security posture. Effective communication, combined with training initiatives, significantly reduces information security risks and incidents.

ISO 27001 Clause 7.4 Definition

ISO 27001 defines ISO 27001 Communication as:

The organisation shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.

ISO 27001:2022 Clause 7.4 Communication

How to implement ISO 27001 Clause 7.4

Key Points

When planning communications take into account the following:

  • what to communicate
  • when to communicate
  • with whom to communicate and
  • how to communicate

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 Clause 7.4 Communication

  1. Write a Communication Plan

    Have a communication plan that documents:
      • what you communicated
      • when you communicated
      • with whom you communicated
      • who communicated it
      • the processes by which communication took place
      • and, if possible, evidence that you communicated.

  2. During Onboarding of Staff or Third Parties

    Onboarding should include providing new employees with copies of relevant policies and the employee handbook. A dedicated, face-to-face session should be conducted to explain the organisation’s information security approach. This session should cover the location of key policies, identify those responsible for information security, and detail the process for reporting a security incident. Crucially, the session should clearly articulate how the employee’s role contributes to overall information security and outline their specific responsibilities. New hires should also be enrolled in general information security awareness training and basic GDPR/Data Protection training (either through a training tool or via face-to-face instruction). Attendance and understanding should be documented, with employees signing an acknowledgement of completion.

  3. Throughout the Year

    Plan your communication throughout the year based on risk and business need. As well as the information security and data protection training, people may need educating on the risks of home working, or on the perils of phishing attacks. The process of communication should be ongoing. Throughout the year you will also hold Management Review Meetings that meet the very specific requirements of the ISO 27001 standard and cover many of the bases for communicating with senior management.

  4. Annually

    Conduct the general information security awareness training and the general data protection training at least annually. Even if it is just a refresher, people should formally go through basic training once a year.

  5. On Ending Employment / Engagement

    Ensure that at the end of employment or the end of an engagement you communicate the contractual obligations that are, and will remain, in place in regards to information security.

  6. Continual Improvement

    Continually update your communication plan to respond to known threats, risks and issues.

ISO 27001 Clause 7.4 Implementation Checklist

Communication ISO 27001 Clause 7.4 Implementation Checklist

1. Establish a Communication Plan

Develop a documented communication plan that outlines what information needs to be communicated, to whom, when, and how. This plan should cover both internal and external communications related to the ISMS.

Challenge

Creating a plan that is comprehensive yet flexible enough to adapt to changing circumstances.

Solution

Involve key interested parties in the planning process and build in regular review and update cycles for the plan.

2. Identify Stakeholders

Determine all relevant interested parties, both internal (e.g., employees, management) and external (e.g., customers, suppliers, regulators), who need to receive information about the ISMS.

Challenge

Overlooking certain interested parties or misjudging their communication needs.

Solution

Conduct a thorough stakeholder analysis, considering their roles and responsibilities, and information requirements.

3. Define Communication Objectives

Clearly define the objectives of each communication activity. What do you want to achieve by communicating this information? (e.g., raise awareness, provide training, report on performance).

Challenge

Difficulty in defining measurable communication objectives.

Solution

Use SMART (Specific, Measurable, Achievable, Relevant, Time-bound) criteria to define clear and measurable objectives.

4. Choose Communication Channels

Select appropriate communication channels based on the target audience and the nature of the information. Consider email, intranet, meetings, newsletters, presentations, etc.

Challenge

Choosing the right channel to reach the intended audience effectively.

Solution

Research the communication preferences of different interested parties and use a variety of communication channels to maximise reach.

5. Develop Communication Content

Create clear, concise, and engaging content that is tailored to the target audience. Avoid technical jargon and use language that is easily understood.

Challenge

Creating content that is both informative and engaging, avoiding “information overload.”

Solution

Use visual aids, real-world examples, and storytelling techniques to make the content more appealing and memorable.

6. Establish Communication Frequency

Determine the appropriate frequency for communicating different types of information. Some information may need to be communicated regularly, while other information may be ad-hoc.

Challenge

Finding the right balance between keeping interested parties informed and avoiding “communication fatigue.”

Solution

Develop a communication schedule that outlines the frequency of different types of communication and stick to it.

7. Implement Communication Processes

Establish clear processes for managing communication activities, including drafting, reviewing, approving, and distributing information.

Challenge

Ensuring consistency and accuracy in communication processes.

Solution

Document communication procedures and provide training to staff on how to follow them.

8. Manage Feedback

Establish mechanisms for receiving feedback from interested parties on communication activities. This feedback can be used to improve future communications.

Challenge

Collecting and analysing feedback effectively.

Solution

Use surveys, feedback forms, and other tools to gather feedback, and analyse the data to identify areas for improvement.

9. Document Communication Activities

Maintain records of all communication activities, including the information communicated, the target audience, the communication channel, and the date of communication.

Challenge

Maintaining accurate and up-to-date records.

Solution

Use a centralised platform or system to manage communication records.

10. Review and Improve

Regularly review the effectiveness of communication activities and make adjustments as needed. Consider feedback from interested parties and lessons learned from past communications.

Challenge

Measuring the effectiveness of communication activities.

Solution

Establish clear metrics for measuring communication effectiveness (e.g., reach, engagement, feedback) and track progress over time.

ISO 27001 Clause 7.4 Audit Checklist

How to audit ISO 27001 Clause 7.4 Communication

1. Review the Communication Plan

Verify the existence and adequacy of a documented communication plan, ensuring it covers both internal and external communication related to the ISMS.

  • Examine the communication plan document for completeness, clarity, and alignment with the ISMS objectives.
  • Interview the individual responsible for maintaining the plan.

2. Identify Stakeholder Coverage

Confirm that all relevant interested parties have been identified and their communication needs considered in the plan.

  • Review the interested parties analysis documentation.
  • Interview representatives from different interested parties to validate their communication needs are being met.

3. Evaluate Communication Objectives

Assess whether communication objectives are clearly defined, measurable, and aligned with the overall ISMS goals.

  • Examine the communication plan and individual communication activity documentation for clearly stated objectives.
  • Interview management to understand the intended outcomes of communication activities.

4. Check Communication Channel Selection

Verify that appropriate communication channels are being used to reach different interested parties effectively.

  • Review the communication plan and examples of communication materials.
  • Interview interested parties to gauge their satisfaction with the chosen communication channels.

5. Assess Content Quality

Evaluate the clarity, conciseness, and relevance of communication content.

  • Review examples of communication materials (e.g., emails, newsletters, presentations) for clarity, accuracy, and appropriate tone.
  • Interview interested parties for their feedback on the quality of information received.

6. Verify Communication Frequency

Determine if the frequency of communication is appropriate for different types of information and target audiences.

  • Review the communication schedule and interview interested parties to assess if the frequency of communication is adequate, avoiding both under- and over-communication.

7. Inspect Communication Processes

Check if documented processes are in place for managing communication activities, including drafting, reviewing, approving, and distributing information.

  • Examine documented communication procedures.
  • Interview staff involved in communication activities to verify their understanding and adherence to the procedures.

8. Evaluate Feedback Mechanisms

Verify that mechanisms are in place for receiving feedback from interested parties and that this feedback is used to improve future communications.

  • Review records of feedback received (e.g., survey results, feedback forms).
  • Interview the individual responsible for managing feedback and how it is used to improve communication.

9. Inspect Communication Records

Ensure that adequate records of communication activities are maintained, including what was communicated, to whom, when, and how.

  • Review communication logs, distribution lists, and other relevant records.
  • Verify the completeness and accuracy of the records.

10. Assess Communication Effectiveness

Evaluate the overall effectiveness of communication activities in achieving their intended objectives.

  • Review reports on communication effectiveness (e.g., metrics related to reach, engagement, and feedback).
  • Interview management and interested parties to gauge their perception of communication effectiveness.

ISO 27001 Communication Examples

There are common communications that are going to happen as part of your project’s implementation and throughout the year, the annual cycle of your information security management system.

Evidence and examples of communication include:

  • information security overview training
  • training people
  • training the management team
  • training on the ISO 27001 framework
  • where policies are
  • how they raise an incident if something goes wrong
  • who is ultimately responsible in our organisation for information security
  • how to take an audit
  • technical training

ISO 27001 Communication Plan Example

Approaches to Communicating

There are numerous ways to communicate and raise awareness, and the most effective methods will depend on your company culture and available tools. Consider the approaches that have proven successful for your organisation and, where possible, retain evidence of your communications.

While email is a useful tool, other options include stand-up meetings, presentations at company-wide gatherings, and even bringing in external experts. There’s no single, universally applicable solution.

Regardless of the methods you choose, document them in your communication plan.

What to communicate

What you need to communicate is covered in the standard. You may choose to do the bare minimum for communication or to go a step further. The more you communicate the more you will enhance and improve your information security posture.

Key things to communicate include:

  • Location of information security policies
  • The information security policies themselves
  • How to report an information security incident or breach
  • Who is the primary contact for information security
  • Information security training
  • Information security management reviews that have a dedicated agenda of what needs to be discussed
  • Information security measures and monitors
  • Information security risks
  • Information security threat intelligence
  • Information security audit planning
  • Continual improvement and changes to the information security management system (ISMS)

When to communicate

There’s no prescribed timeframe for all ISMS communications. While many, if not all, elements should be communicated at least annually, numerous aspects can, and often should, be communicated more frequently.

Examples of situations requiring communication include:

  • Management Reviews – Every month, every three months or every six months
  • Location of information security policies – every three months or every six months or annually
  • The information security policies themselves – every three months or every six months or annually
  • How to report an information security incident or breach – every three months or every six months or annually
  • Who is the primary contact for information security – every three months or every six months or annually
  • Information security training – ongoing or every three months or every six months or annually
  • Information security measures and monitors – monthly
  • Information security risks – monthly
  • Information security threat intelligence – monthly
  • Information security audit planning – every month, every three months or every six months
  • Continual improvement and changes to the information security management system (ISMS) – monthly

With whom to communicate

Determining the appropriate recipients for communication involves understanding both individual needs and the requirements of the information security management system (ISMS). While some communications, such as training, will be organisation-wide, others will be targeted at specific groups, like management reviews, risk assessments, incident response teams, and threat intelligence units.

A stakeholder analysis is a valuable tool for identifying key stakeholders and their respective information needs. This process, while seemingly complex initially, becomes straightforward as the ISMS is implemented and its requirements are clarified.

How to communicate

Organisations typically employ a variety of communication methods. Common approaches include meetings (team meetings, company updates, quarterly reviews, and personnel reviews), email, and instant messaging platforms. Company bulletin boards, such as SharePoint or Confluence, are also frequently used.

Training itself is a form of communication, and the chosen delivery method (face-to-face, webinar, or via dedicated training tools) impacts how information is conveyed.

Formal communications, such as legal contracts and agreements with staff and third parties, also play a significant role.

When determining the most effective communication strategies, organisations should consider their existing culture and established communication channels. Consulting with HR is highly recommended to gain insights into preferred communication approaches.

How to comply

Having a communication plan that records what you communicated, when, to whom, and the evidence that you did so is the main part of showing compliance with the clause.

ISO 27001 Clause 7.4 FAQ

What is ISO 27001 Clause 7.4 Communication?

The ISO 27001 standard requires that the organisation shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

What are the ISO 27001:2022 Changes to Clause 7.4?

There are minor changes to ISO 27001 Clause 7.4 Communication in the 2022 update, and they can be seen as a simplification. The 2022 version removes "who shall communicate" and replaces it with "how to communicate", and it completely removes the need to show the processes by which communication shall be effected.
It is our opinion that keeping who communicates and the process of how is good practice, but you can, if you wish, not account for it directly.

How do I evidence I meet the requirement of ISO 27001 Communication?

You evidence compliance with ISO 27001 Clause 7.4 Communication by having a communication plan that records:
a) on what you communicated
b) when you communicated
c) with whom you communicated
d) who communicated it
e) the processes by which communication took place
f) and if possible evidence that you communicated.

Where can I download ISO 27001 Communication templates?

You can download ISO 27001 Communication templates in the ISO 27001 Toolkit.

ISO 27001 Clause 7.4 Communication example?

An example of ISO 27001 Clause 7.4 Communication can be found in the ISO 27001 Toolkit.

Download a copy of an ISO 27001 communication plan template?

The communication plan template for ISO 27001 can be downloaded here.

Is there an example of an ISO 27001 communication plan?

Yes, you can download an example of an ISO 27001 communication plan here.

About the author

I am Stuart Barker the ISO 27001 Ninja.

You can connect with me on LinkedIn, stalk me, check me out and join my network.

I am an information security practitioner of over 30 years. I hold a Software Engineering degree and started my career in software development. In 2010 I started my first cyber security consulting business that I sold in 2018. I worked for over a decade for GE, leading a data governance team across Europe and since then have gone on to deliver hundreds of client engagements and audits.

I regularly mentor and train professionals on information security and run a successful ISO 27001 YouTube channel where I show people how they can do it themselves. I am passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In my personal life I am active and a hobbyist kickboxer.

My specialisms are ISO 27001 and SOC 2 and my niche is start up and early stage business.
