ISO 27001 Communication Explained Simply

Home / ISO 27001 Tutorials / ISO 27001 Communication Explained Simply

Introduction

In this tutorial today we are going to look at ISO 27001 Communication.

You will learn

  • What it is ISO 27001 Communication
  • How to implement ISO 27001 Communication
  • Examples of Communications

Watch

If you prefer to watch rather than read you can watch: How to Implement ISO 27001 Communication | Step-by-Step Guide

What it is ISO 27001 Communication?

ISO 27001 communication is about communicating key elements of the information security management system (ISMS) to relevant people. There are things that we have to communicate as part of the ISO 27001 standard and there are things that we really should communicate.

Communication can take many forms form written to verbal communications and all communication methods are available to you based on your style, approach and culture. It is recommended to choose a variety of communication methods to be the most effective. This is based on people responding differently to different styles of communication.

When planning our communications we take into account the following:

  • what to communicate
  • when to communicate
  • with whom to communicate and
  • how to communicate

What to communicate

What you need to communicate is covered in the standard. You may choose to do the bare minimum for communication or to go a step further. The more you communicate the more you will enhance and improve your information security posture.

Key things to communicate include

  • Location of information security policies
  • The information security policies themselves
  • How to report an information security incident or breach
  • Who is the primary contact for information security
  • Information security training
  • Information security management reviews that have a dedicated agenda of what needs to be discussed
  • Information security measures and monitors
  • Information security risks
  • Information security treat intelligence
  • Information security audit planning
  • Continual improvement and changes to the information security management system (ISMS)

When to communicate

There is not set time frame to follow specifically for communications. Many if not all elements will need communicating at least once a year but many aspects can, and should, be communicated more frequently.

Examples of when to communicate include:

  • Management Reviews – Every month, every three months or every six months
  • Location of information security policies – every three months or every six months or annually
  • The information security policies themselves – every three months or every six months or annually
  • How to report an information security incident or breach – every three months or every six months or annually
  • Who is the primary contact for information security – every three months or every six months or annually
  • Information security training – ongoing or every three months or every six months or annually
  • Information security measures and monitors – monthly
  • Information security risks – monthly
  • Information security treat intelligence – monthly
  • Information security audit planning – every month, every three months or every six months
  • Continual improvement and changes to the information security management system (ISMS) – monthly

With whom to communicate

Deciding on who to communicate to is about understanding the needs of people and of the information security management system. Many aspects of communication will be organisation wide such as training. Some communications will be for specific groups such as management reviews, risk, incidents and threat intelligence.

To decide on who to communicate with consider a stake holder analysis that works out who the key stake holders are and what their requirements are. It is actually straight forward once you start to apply the information security management system (ISMS).

How to communicate

There are many methods of communicate that your organisation will have in place. Some of those will be more common such as meetings ( team meetings, company updates, quarterly meetings, personnel reviews ). Other commons communications include the use of email and chat technology. The use of company bulletin type boards such as share point or confluence may also be considered.

Training is very much apart of how you communicate as it will depend on the training method that you deploy. You have the option to conduct training face to face or on a webinar but most common approaches include dedicated training tools.

Formal communications can also play a part in the form of legal contracts and legal agreements with staff and third parties.

When it comes to the how of communication you should consider your organisation culture and the existing communication channels that are in place that you can utilise. Speaking with HR is a great step to seek clarification on the approach to communicating.

ISO 27001 Communication Plan

The way that I would go about satisfying this Clause is to create my communication plan. The communication plan is the most powerful weapon in your armoury when it comes to ISO 27001 communication as it not only demonstrates a plan of well thought out and well laid out communications but it also acts to provide evidence that communications have happened.

ISO 27001 Communication Plan Example

The following is an example ISO 27001 communication plan taken directly from the ISO 27001 communication plan template.

ISO 27001 Communication Plan Example

ISO 27001 Communication Plan Implementation

Within my communication plan you can see that what I am going to record is what message will we communicate, when will we communicate it, how will we communicate it, who will communicate it, who will they communicate it to, did they communicate it and what is the evidence that that communication took place.

There is a little bit above and beyond the requirement of the standard because the standard took a couple of those elements out but for me each one of those elements makes absolute sense and there is no reason to remove it and it’s just going to provide you with benefit and ease when it comes to managing this particular process.

ISO 27001 Communication Plan Template

If you are going to do this yourself you can copy this table or you can download this ISO 27001 communication plan template from the High Table ISO 27001 Template Store. It is part of the ISO 27001 Toolkit but click the image above or slow down the ISO 27001 Communication Video, click the pause button, copy it, type it.

It’ll take you a long time right but that’s an option for you and then get yourself an ISO 27001 communication table.

When I provide you with the template what I’m providing you with is exact examples of common communication.

ISO27001 Communication Plan Template

ISO 27001 Communication Examples

There are common communications that are going to happen as part of your project’s implementation and throughout the year, the annual cycle of your information security management system. What you need to do is you need to think about what that communication is going to look like and then you need to start to record what those communications are and get them planned in.

Let me give you some examples.

Evidence and examples of communication include information security overview training, training people, training the management team especially when you’re doing an implementation in the early stages you’re going to do a lot of communication around what it is, why the organisation is going for it, what the benefits are. So make sure you keep a record of all of those, right, they’re absolutely fantastic when it comes to your audit.

You’re going to give the management review team training, so there is going to be communication on what their role is, about how it operates, what they’re going to be doing. Make sure you have a record of that.

You’re going to be providing training on the ISO 27001 framework, whether you’re showing people one of my ISO 27001 YouTube videos, whether you’re running a session, whether you have a consultant that’s doing it for you, people are going to be communicated to on the framework.

We’re going to communicate a couple of points regularly throughout the year. We’re going to communicate to people where policies are. So, we’re going to communicate to people usually via email or in stand-up meetings verbally, we’re going to say where our policies are and how people access them.

We’re going to communicate to people how they raise an incident if something goes wrong. What is the process, what is the step. Email this email address, telephone this number, do this step but we’re going to communicate that to people in very simple terms.

We’re going to communicate to people who is ultimately responsible in our organisation for information security. Yes, everybody is responsible, yes, everybody is accountable but if you had a problem and you wanted to raise something who is the go-to person, what is the go-to role, we’re going to communicate that. Those are pieces of information we’re going to communicate regularly throughout the year and we’re going to keep evidence of that.

What we’re also potentially going to do is we’re going to communicate how to take a UKAS audit or a an accredited audit. We’re going to communicate to people what it is that’s going to happen as part of that audit process and how they should communicate within that process.

We’re going to communicate to people then things that are technically training at this point. What we’re going to do is we are going to call out to and rely on our information security training tool so yes, we have our communication plan but also we have communication, as in training, built into our training tool and our training technology and we can show that. We can show what the plan is for when our annual information security training is going to take place, when our annual data protection training is going to take place. If we are a remote business and we’ve chosen a remote working module, when that’s going to land. If phishing is something that is prevalent and that we are subject to we may have phishing training, phishing simulation, phishing communication built into our training tool that is going to be included within there as well.

What you can see is we’re going to build up our plan throughout the year for the year ahead and as we go through the year we’re going to populate that.

You will see within the communication plan we put in there our management review team meetings, we forward plan our management review team meetings. One of their purposes is communication. Yes, it is an oversight body but it is also a body that is communicated to, that communicates out and communicates up. So, what we want is the schedule of those management review meetings and when those management review meetings are in as we go throughout the year.

ISO 27001 Communication Summary Conclusion

As I say, populate the register, keep the register up to date, keep your Version Control up to date, keep your evidence of those Communications. Evidence could be screenshots of meeting invites or copies of meeting invites or minutes of meetings or videos or video recordings of Teams meetings and Google Meets – whatever it is that is the evidence that you did that communication be sure that you can lay your hands on that and present that to an auditor come the audit and you are going to be absolutely golden.

So that is ISO 27001 Communication. What it is and how you’re going to tackle it. My name is Stuart Barker. I am the ISO 27001 Ninja. and until the next tutorial, peas out.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing