ISO 27001 Information Security - Clause 7.4 Communication

7.4 Communication

Your organization needs to determine its communications relating to its ISMS. That requirement applies both internally, and also to relevant external parties e.g. suppliers or external providers, customers, regulators, and certifiers. Consideration should be given to:

• What information is to be communicated
• Who will communicate on behalf of your organization
• Who will be the recipient of the communication
• How will the information be communicated
• When or under what circumstances will the communication be made

Planning should consider the communication of system documents such as policies, objectives and procedures and the wider communications needs for your operational and support activities.

Examples of communication

1

A Project Manager shares drawings and a brief for a specific project with a sub-contractor. The drawings are shared by providing access to a web portal. The drawings and brief are only shared once the contractor has been engaged and signed the organization's NDA (Non-disclosure agreement). Access to the portal is removed once the sub-contractor's involvement in the project is complete. Looking at that example, we have:

• What (the drawings and brief)
• Who does the communicating (the Project Manager)
• Who is the recipient (the sub-contractor)
• How (via the portal)
• When (during the contractor's engagement and after signing the NDA)

2

An organization's nominated Privacy Officer responds to an enquiry from a client about the handling and storage of their PII (Personally Identifiable Information).

• What (the response)
• Who does the communicating (the Privacy Officer)
• Who is the recipient (the client)
• How (by email - using an approved template)
• When (on receipt of an enquiry and following receipt of legal advice where appropriate)

Essentially, there should be a plan for communications relating to your ISMS. There is no specified requirement for a documented plan, but many organizations find it beneficial to develop one to clarify your own arrangements and business rules. Where appropriate, communications relating to your ISMS may need to comply other policies (such as information classification, privacy, and social media).

We generally recommend that a 'Communications Plan' is developed. That will help to address this clause and also several of the annex controls. A template communications plan is included in our ISO 27001 InfoSec Toolkit - available in Qudos 3 IMS software.