ISO 27001 Clause 7.4 is about communication. It focuses on sharing key parts of your Information Security Management System (ISMS) with the right people. This helps everyone know their role in keeping data safe.
What is ISO 27001 Clause 7.4 Communication?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 standard, the clause is titled “Communication”.
What is the ISO 27001 Clause 7.4 control objective?
The formal definition and control objective in the standard is: “The organisation shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.”
What is the purpose of ISO 27001 Clause 7.4?
The purpose of ISO 27001 Clause 7.4 is “To make sure you have an information security communication plan and that you act on that plan.”
Is ISO 27001 Clause 7.4 Mandatory?
ISO 27001 Clause 7.4 (Communication in the 2022 standard) is a mandatory clause in the main body of the standard.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. To satisfy the clause, you need to decide four things about your security communication:
- What to talk about. This includes things like your security rules, goals, and any changes.
- When to share this information. For example, you might share updates once a month or right after a security problem.
- With whom to talk. This means both people inside and outside your company, like staff, customers, and partners.
- How to share the news. You might use emails, meetings, or a company website.
How to Meet the Rule
To meet this rule, you should make a communication plan. This plan should list who needs to know what and how you’ll tell them. It’s a good idea to keep records of your communications. This shows that you are following your plan.
A good communication plan helps everyone understand why security is important. It helps people know what to do if something goes wrong.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will:
- Check your communication plan.
- Look for proof that you actually sent the messages. For example, they might ask to see emails or meeting notes.
You can learn more about communication and ISO 27001 by watching this video: ISO 27001 Clause 7.4 Communication Explained.