ISO 27001:2022 Clause 7.4: Communication

The Definitive Governance Requirement.

Clause 7.4 mandates that you determine the internal and external communications relevant to the Information Security Management System (ISMS). This is not about sending newsletters; it is about controlling the flow of critical information. In a crisis, the difference between a minor incident and a reputational catastrophe is often the quality of communication.

The Mandate

The standard does not accept ad hoc communication: you must have a defined, documented approach to how information security information is disseminated. The 2022 text of the clause lists four things to determine (what, when, with whom, how); the five-point breakdown below, carried over from the 2013 edition, is still the more useful working structure because it separates out “who communicates”, which is the point auditors probe hardest.

For every category of information security communication, you must define:

  1. What to communicate. (e.g., A breach notification, a policy update).
  2. When to communicate. (e.g., “Within 72 hours of becoming aware of a personal data breach”, the GDPR Article 33 deadline, or “Quarterly”).
  3. With whom to communicate. (e.g., The ICO, clients, the Board).
  4. Who communicates. (e.g., Only the CEO speaks to the press; only the DPO speaks to the regulator).
  5. The process (how) to communicate. (e.g., Encrypted email, certified mail, secure portal).

The Verdict: If a junior engineer tweets about a server outage before the PR team has drafted a statement, the “who communicates” control is not operating, and an auditor will record it as a nonconformity against Clause 7.4.

The Implementation Strategy

You need a Communication Matrix. Do not rely on memory.

  1. Internal Channels: Define how you talk to your staff. How do you push policy updates? How do they report incidents to you? Is there a Slack channel? A hotline? Formalize it.
  2. External Obligations: Review your contracts and regulations (Clause 4.2). If you have a 24-hour notification clause with a bank, that goes in the Matrix.
  3. Crisis Protocol: This is the most critical element. Pre-draft your breach notification templates. When the house is on fire, you do not want to be arguing over grammar.
  4. The “Kill Switch”: Establish clearly who has the authority to halt discretionary communication, so that details are not released prematurely in a way that compromises an investigation or tips off an attacker. Note the limit of this control: it pauses what you choose to say, not what you are obliged to say. Statutory and contractual notification deadlines (the GDPR 72-hour window, a 24-hour clause with a client) continue to run regardless.

The Auditor’s Trap

[The Auditor’s View] The most common major nonconformity here is “The Silent Vacuum.” We often ask: “Who is authorized to speak to law enforcement regarding a cybercrime event?”

If the answer is “We haven’t decided,” or “Probably the IT Manager,” you are exposed. You need a documented hierarchy of authority. The wrong person saying the wrong thing to a regulator is a liability event.

Required Evidence

An auditor looks for the plan and the proof of execution.

  • The Communication Plan/Matrix: A formal document answering the five questions above (what, when, with whom, who, how) for each category of communication.
  • Incident Response Plans: Specifically the communication sub-section.
  • Evidence of Communication: Saved emails, Intranet screenshots, or meeting minutes showing that security information is actually flowing.
  • NDA / Confidentiality Agreements: Proof that you have established legal boundaries for external communication.

Strategic Acceleration

Building a communication matrix that covers every regulatory eventuality is complex.

The Hightable™ Communication Plan is pre-loaded with the standard communication requirements for ISO 27001, GDPR, and general best practice. It provides the structure so you can simply assign the owners.

The Next Move: Deploy the Communication Matrix