Communication For ISO 27001 Requirement 7.4
What is covered under ISO 27001 Clause 7.4
ISO/IEC 27001 clause 7.4 has 5 short bullet points about communication, but their importance to the ISMS outcomes is arguably more significant than any other requirement of the information security management system. After all, it is no good having a world-class, best-practice information security management system that is only understood by the information security expert in the organisation!
As with other parts of the ISMS, there are opportunities to get joined up and demonstrate that the information security management system, and in particular its communication requirements, is a cohesive, integrated part of the organisation’s communication, education, training and awareness processes. Clause 7.4 also dovetails with Annex A 7 for human resource security, where the requirements around communication start with HR security screening, go into information security terms for employment contracts and disciplinary processes, and continue after role changes or exit. The most significant integration for HR security is with A 7.2.2, where there is a control for information security awareness, education and training.
ISO 27001 is looking for the following things in this clause:
- what to communicate about the ISMS
- when that will be communicated
- who will be a party to that communication
- who does the communication
- how that all happens i.e. what systems and processes will be used to demonstrate it happens and is effective
Specifically, ISO 27001:2013 control A.7.2.2 requires that “All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.” That control, taken together with the requirement in clause 7.4 of the main ISO 27001 requirements to demonstrate ‘how’ communication happens and how effective it is, and with the need for senior management to actually protect their organisation rather than just tick a box, means that dynamic and assured communication for confidence in compliance is required.
Who needs to be considered in the communication of ISO 27001 and what communications are they likely to be interested in?
The starting point for this should be the work done in 4.2, looking at the interested parties and looking back to understand their needs and requirements for communication, which would obviously align with their position on the stakeholder map and the underlying issues and concerns they’d have about the ISMS’s performance. As before, one size will not fit all in terms of what, why and how the communications take place. For example, a ‘keep satisfied’ interested party like the UK Information Commissioner, for showing compliance with the Data Protection Act and GDPR, will only want to know two things: a) whether you are registered as a data controller and/or processor; and b) when you have experienced a security incident whose losses or potential consequences fall within their scope of interest.
Other ‘keep satisfied’ stakeholders are likely to be powerful customers, and also external auditors for ISO 27001, especially if independent UKAS or similar certification is being considered. They want to take confidence that the ISMS is performing well and to have the regular information assurance that comes from surveillance audits and perhaps the right of audit at times of their choosing, as well as being kept informed of material changes or incidents.
Key players and ‘keep informed’ stakeholders such as senior management, staff or intimately involved suppliers who are accessing your most valuable information assets need to be engaged and aware of much more about the information security management system.
Things that would need consideration here include:
• What information security means to the organisation and its benefits as well as the consequences
• Awareness of the key language terms and examples of good and bad confidentiality, integrity and availability that are meaningful for them
• The organisation’s information security policies and controls that affect their job and those working around them
• What to do in the event of an incident, event or weakness that they are first to identify
• What to do when something has happened elsewhere in the organisation and they need to take action to remain protected
• General updates and dynamic communications that are relevant to their role (beyond policies and controls)
How to ensure that communication and compliance is achieved for ISO 27001 and ISMS success
Whilst an external auditor undertaking ISO 27001 certification will look carefully for evidence of the communications above, the more significant business issue is stakeholders not being aware of, or not complying with, the communications. That could quickly lead to a serious information security incident and major losses, especially around personal data, where GDPR fines and major reputational damage come into consideration.
It is likely most organisations already have channels for communication: face-to-face working, team days, email, intranet and other means for engaging staff. We recommend any and all of these are considered if those habits are well built up for staff and they will respond to them. However, when staff already receive too many emails and drift off in team teleconferences, will the exciting ISMS communications reach the spot and deliver the outcome you need?
The challenge for most organisations is the inability to cost-effectively evidence that communication has taken place and that compliance is assured across the internal and external supply chain of key stakeholders. Internal audits in line with clause 9.2 are a great help with that; however, they are generally infrequent, very costly for anything other than sample-size audits, and do not generally keep pace with the rapid changes in information security risks, especially cyber security issues.
Auditors are now looking much more closely at these areas of communication given the increasing consequences of failure. Smart customers and shareholders are also looking beyond the ISO certificate, the statement of applicability and the scope, towards the requirements for more dynamic monitoring of information security updates and compliance assurance. People-based compliance is moving much closer to the technology and digital system monitoring already seen in the likes of firewalls and antivirus real-time monitoring services.
How ISMS.online helps with information security management systems communication for clause 7.4 and A7.2.2
At its heart, ISMS.online is a communications and collaboration platform, so it gets a good head start on the old-fashioned static recording systems that used to be popular for ISMS and Governance Regulation and Compliance (GRC) style systems. It also distributes information by email to end-users, which is great for simple updates and awareness, so it fits into that habit-based way of communicating. Anything required for more detailed compliance work, such as evidencing a commitment to doing something (e.g. reading a policy), brings users back onto the platform, where the forensic audit trail and evidence wows auditors and saves huge amounts of time for ISMS administrators, who in turn can communicate with confidence back to senior management.
The platform serves the different stakeholder groups very well with its ease of use and focused workspaces that are all auditable and evidence-based in line with the requirements of the standard.
Achieving communication confidence for powerful customers, senior management and external auditors
Specifically developed in close collaboration with end-users, a major part of the feature set in ISMS.online is the Policy Pack service, which enables ISMS administrators to demonstrate compliance with the policies and controls for everyone in scope. That innovative service, coupled with the ISMS overview report (further below) and the general groups collaboration features, delivers many cost-saving, risk-reducing and other benefits:
- production of policies and controls once, with easy distribution to targeted groups (e.g. by dept, location, role, product etc)
- the ability to see policies read and complied with dynamically at any point in time
- the ability to spot and address areas of possible non compliance quickly and easily – focusing attention towards the highest risks and not wasting audit time or other limited resources
- the ability to show external auditors, powerful end customers and senior management that they are in control of the whole ISMS, from identification of the information asset, its risk assessment and the controls applied to it, to the audiences to whom the policies are applied, all key aspects of complying with ISMS requirements for ISO 27001
For more advanced users who want to see the relationship between information assets, risks, controls and the communication of the policies to users by Policy Packs, the ISMS overview report does just that. It shows end to end confidence and helps quickly isolate gaps, issues or waste beyond the powerful statement of applicability that is required for ISO 27001 clause 6.1.3.
Information security communications into staff, suppliers and other stakeholders who need to be engaged and show compliance for ISO 27001
It’s great for powerful information security management systems to work well for the ISMS management and administrators in meeting their goals. The ISMS solutions also have to work well for those occasional users who need to understand and comply with their policies, be aware of what’s going on, participate in discussions, raise incidents and respond to tasks. That is exactly what ISMS.online offers: an ability to keep these important stakeholders compliant and engaged in a dynamic yet occasional access model.
Staff get to read and comply with their information security (and other) policies in a Kindle-like reading experience, devoid of any noise from the specialist parts of the ISMS. They can easily show their reading progress and compliance as they complete the work, which dynamically updates the administration console described above too. When a policy is updated, the administrator can simply push that out to all the readers and bring it to their attention.
In addition to the Policy Pack service, ISMS.online offers a number of ways to ensure staff communications and engagement, including ISMS communication groups, which are great for broadcasting updates, engaging in discussions, assigning tasks via email notifications and showing the evidence of that to auditors, as well as retaining knowledge for new hires and others who need to be engaged in future. Those requirements are not so easy to meet with some of the more traditional comms and messenger products out in the market, or with email alone. Beyond those core services of groups and Policy Packs, many other features on the platform also make the whole communication process a richer, more integrated experience.