What is covered under ISO 27001 Clause 7.4
As with other parts of the ISMS there are opportunities to get joined up and demonstrate the information security management system, in particular its communication requirements are a cohesive integrated part of the organisation communication, education, training and awareness processes. This clause 7.4 also dovetails with Annex A 6 for people controls security where the requirements around communication start with HR security screening, go into information security terms for employment contracts, disciplinary processes and after role changes or exit. The most significant integration for HR security is with A 6.3 where there is a control for information security awareness, education and training.
ISO 27001 is looking for the following things in this clause:
- what to communicate about the ISMS
- when that will be communicated
- who will be a party to that communication
- who does the communication
- how that all happens i.e. what systems and processes will be used to demonstrate it happens and is effective
Specifically ISO 27001: 2022 A.6.3 control requires that "All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function." That control, taken with the requirement in clause 7.4 of the main ISO 27001 requirements to demonstrate 'how' and how effective communication is, along with the need for senior management to actually protect their organisation not just tick a box, means that dynamic and assured communication for confidence in compliance is required.
Who needs to be considered in the communication of ISO 27001 and what communications are they likely to be interested in?
The starting point for this should be the work done in 4.2, looking at the interested parties and looking back to understand their needs and requirements for communication, which would obviously align with their position on the stakeholder map and the underlying issues and concerns they'd have about its performance. As before one size will not fit all in terms of what, why and how the communications takes place. For example a 'keep satisfied' interested party like the UK Information Commissioner for showing compliance with Data Protection Act and GDPR will only want to know two things: a) are you registered as a data controller and or processor; and b) when you have experienced a security incident that creates losses or potential consequences falls within their scope of interest.
Other keep satisfied stakeholders are likely to be powerful customers, and also external auditors for ISO 27001 especially if independent UKAS or similar certification is being considered. They want to take confidence that the ISMS is performing well and have that regular information assurance that comes from surveillance audits and perhaps the right of audit at times of their choosing, as well as being kept informed of material changes or incidents.
Key players and keep informed stakeholders such as senior management, staff or intimately involved suppliers who were accessing your most valuable information assets need to be engaged and aware of much more about the information security management system.
Things that would need consideration here include:
- What information security means to the organisation and its benefits as well as the consequences
- Awareness of the key language terms and examples of good and bad confidentiality, integrity and availability that are meaningful for them
- The organisation's information security policies and controls that affect their job and those working around them
- What to do in the event of an incident, event or weakness that they are first to identify
- What to do when something has happened elsewhere in the organisation and they need to take action to remain protected
- General updates and dynamic communications that are relevant to their role (beyond policies and controls)
How to ensure that communication and compliance is achieved for ISO 27001 and ISMS success
Whilst an external auditor undertaking ISO 27001 certification will look carefully for evidence of the communications above, the more significant business issue is more about the stakeholders not being aware or not complying with the communications. That could quickly lead to a serious information security incident and major losses, especially if around personal data where GDPR fines and major reputational damage was under consideration.
It is likely most organisations already have channels for communication; face to face working, team days, email, intranet and other means for engaging staff. We recommend any and all of these are considered if those habits are well built up for staff and they will respond to them. However when you already receive too many emails, drift off in team teleconferences, will the exciting ISMS communications reach the spot and deliver the outcome you need?
The challenge for most organisations is the inability to cost effectively evidence that communication has taken place and that compliance is assured across the internal and external supply chain of key stakeholders. Internal audits in line with clause 9.2 are a great help in that, however are generally infrequent and very costly for anything other than sample size audits and do not generally keep pace with the rapid changes in information security risks and especially cyber security issues.
Auditors are now looking much more closely at these areas of communication given the increasing consequences from failure. Smart customers and shareholders are also giving much more consideration beyond the ISO certificate, beyond the statement of applicability and the scope, into the requirements for more dynamic monitoring of information security updates and compliance assurance. People based compliance is moving much more closely towards the technology and digital system monitoring already seen in the likes of firewalls, antivirus real time monitoring services.