ISO 27001 clause 7.4 is titled "Communication". It requires organisations to establish, implement and maintain an effective communication process for their information security management system (ISMS). This process should ensure that all relevant information about the ISMS is communicated to all interested parties, both internally and externally.
ISO 27001 Clause 7.4: Communication
The organisation shall determine the need for internal and external communications relevant to the information security management system, including:
- on what to communicate;
- when to communicate;
- with whom to communicate;
- how to communicate.
What is covered under ISO 27001 clause 7.4?
The following information should be communicated under ISO 27001 clause 7.4:
- The organisation's information security policy and objectives
- The roles and responsibilities of personnel in relation to information security
- The organisation's information security risks and controls
- Any changes to the organisation's information security management system
- Any incidents or breaches of information security
What are the ISO 27001 Changes to Clause 7.4?
The following are the changes to ISO 27001 clause 7.4 in the 2022 version of the standard:
- The requirement to communicate information security risks and controls has been expanded to include all relevant information about the ISMS.
- The requirement to communicate changes to the ISMS has been clarified to include both planned and unplanned changes.
- The requirement to communicate incidents and breaches of information security has been strengthened to emphasise the importance of timely communication.
How to comply with clause 7.4
To comply with ISO 27001 clause 7.4, organisations should:
- Develop a communication plan that identifies the information that needs to be communicated, to whom it needs to be communicated, and how it will be communicated.
- Implement the communication plan and monitor its effectiveness.
- Review and update the communication plan as needed.
The communication plan should be tailored to the specific needs of the organisation and should take into account the following factors:
- The size and complexity of the organisation
- The nature of the organisation's information assets
- The organisation's risk appetite
- The culture of the organisation
The communication plan should be documented and should be kept up-to-date.
It should be reviewed and updated as needed, such as when there are changes to the organisation's information security management system or when there are changes to the organisation's risk profile.
The communication plan should be communicated to all relevant personnel and should be made available to all interested parties.
What is a communication plan?
A communication plan is a document that outlines how information about an organisation's information security management system (ISMS) will be communicated to all interested parties. This includes both internal and external parties, such as employees, customers, suppliers, and regulators.
The communication plan should identify:
- The information that needs to be communicated
- The audience for the information
- The methods of communication
- The frequency of communication
- The responsibilities for communication
An internal communication plan is used to communicate information about the ISMS to employees within the organisation. This information could include the organisation's information security policy, procedures, and risks.
An external communication plan is used to communicate information about the ISMS to parties outside of the organisation, such as customers, suppliers, and regulators. This information could include the organisation's commitment to information security, its security controls, and its incident response procedures.
Why is a communication plan essential?
A communication plan is important for the following reasons:
- It ensures that all interested parties are aware of the organisation's information security risks and controls.
- It helps to build trust and confidence with stakeholders.
- It can help to prevent and mitigate information security incidents.
- It can help to improve the organisation's overall information security posture.
Conclusion
ISO 27001 clause 7.4 is an important requirement for ensuring that all relevant information about the organisation's information security management system is communicated to all interested parties.
By following the guidance in this clause, organisations can effectively communicate their information security risks and controls and can ensure that all personnel are aware of their responsibilities in relation to information security.