ISO 27001 Clause 7.4 is about communication. It focuses on sharing key parts of your Information Security Management System (ISMS) with the right people. This helps everyone know their role in keeping data safe.
What Is Required?
This rule asks you to decide four things about your security communication:
- What to talk about. This includes things like your security rules, goals, and any changes.
- When to share this information. For example, you might share updates once a month or right after a security problem.
- With whom to talk. This means both people inside and outside your company, like staff, customers, and partners.
- How to share the news. You might use emails, meetings, or a company website.
How to Meet the Rule
To meet this rule, you should make a communication plan. This plan should list who needs to know what and how you’ll tell them. It’s a good idea to keep records of your communications. This shows that you are following your plan.
A good communication plan helps everyone understand why security is important. It helps people know what to do if something goes wrong.
Frequently Asked Questions
What will an auditor look for?
An auditor will check your communication plan. They will also look for proof that you actually sent the messages. For example, they might ask to see emails or meeting notes.
Do I need a written communication plan?
While a plan is not required, it is a great idea. It helps you keep track of what you need to share.
Did Clause 7.4 change in ISO 27001:2022?
The main idea of the rule has not changed. The 2022 version just makes the wording clearer.
Here is a video from YouTube that can help you: ISO 27001 Clause 7.4 Communication Explained. This video explains what the clause is and how to implement it.