ISO 27001 Information Security - Clause 7.4 Communication
8th August 2022 - ISO 27001 Information Security in plain English - Blog post #13.
ISO 27001 - Clause 7.4 Communication. This article discusses how to determine communications relating to your ISMS (Information Security Management System).
ISO 27001 Information Security in plain English
Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blog articles that explains all the clauses and controls in the standard.
Your organization needs to determine its communications relating to its ISMS. That requirement applies both internally and to relevant external parties, e.g. suppliers or external providers, customers, regulators, and certification bodies. Consideration should be given to:
- What information is to be communicated
- Who will communicate on behalf of your organization
- Who will be the recipient of the communication
- How the information will be communicated
- When, or under what circumstances, the communication will be made
Planning should cover the communication of system documents such as policies, objectives and procedures, and the wider communication needs of your operational and support activities.
Examples of communication
A Project Manager shares drawings and a brief for a specific project with a sub-contractor. The drawings are shared by providing access to a web portal. The drawings and brief are only shared once the contractor has been engaged and signed the organization's NDA (Non-disclosure agreement). Access to the portal is removed once the sub-contractor's involvement in the project is complete. Looking at that example, we have:
- What (the drawings and brief)
- Who does the communicating (the Project Manager)
- Who is the recipient (the sub-contractor)
- How (via the portal)
- When (during the contractor's engagement and after signing the NDA)
An organization's nominated Privacy Officer responds to an enquiry from a client about the handling and storage of their PII (Personally Identifiable Information).
- What (the response)
- Who does the communicating (the Privacy Officer)
- Who is the recipient (the client)
- How (by email - using an approved template)
- When (on receipt of an enquiry and following receipt of legal advice where appropriate)
Essentially, there should be a plan for communications relating to your ISMS. There is no specified requirement for a documented plan, but many organizations find it beneficial to develop one to clarify their own arrangements and business rules. Where appropriate, communications relating to your ISMS may also need to comply with other policies (such as information classification, privacy, and social media).
We generally recommend that a 'Communications Plan' is developed. That will help to address this clause and also several of the annex controls. A template communications plan is included in our ISO 27001 InfoSec Toolkit - available in Qudos 3 IMS software.
About the series 'ISO 27001 Information Security in plain English'
This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.
This blog series began with an introductory webinar. A copy of the slide deck is available for you here:
There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.
Ready to start your journey to ISO 27001?
The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experienced certification auditor to perform a professional Gap Analysis service for you.
Contact us today to discuss your needs!