Expert Advice Community

Communication Plans

Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

I would like to ask about communication plans.

Guest post Jan 12, 2016

What is necessary for them?

Answer:

There are two sides to your question: one related to the ‘internal’ and one to the ‘external’ communication plans.

The internal communication plan concerns how the top management disseminates its requirements and objectives through policies.

- Clause 5.1.d requires that the organisation communicate on the importance of effective information security and on compliance with the requirements set in the policy.
- Clause 5.2.f requires the policy to be communicated within the organisation.

Clause 7.4 (Communication) is the most explicit in answering your question as it insists on defining who, on what, to whom, when and how.

Clause 7.4 also refers to external communication, which is a control covered by ISO 27002 in clauses 16 and 17 dealing with ‘Management of information security incidents and improvements’ and ‘Information security aspects of business continuity management’ (controls A.16.x and A.17.x in ISO 27001 Annex A).

An external communication plan is a reactive control in case of an incident to inform the targeted interested parties on the nature of the event and the measures you are taking to solve it in the shortest delay. This communication plan has to be prepared in advance to transmit a message of the organisation’s preparedness.

So the internal and external communication plan should contain:

- Who is responsible to organise and operate the communication plan,
- What is the object and the messages contained: policy, requirements, procedures, security awareness, incident warning, etc.
- Who will receive what message,
- When you will communicate and in which conditions,
- How the communication should happen: type of communication (mails, screen saver, web page, flyers, etc.) and communication protocols.
