Conformio dashboard

1. What does " Determine required communication" mean and how do we show compliance

Answer: ISO 27001, clause 7.4, requires a definition of internal and external communications needs relevant to the ISMS (e.g., what to communicate, to whom, when, by whom, etc.), but since the standard does not prescribe how to implement that, organizations are free to chose the approach that better fits them.

Depending on the size of the organization and its security objectives, the communication needs may be fully documented as a separate document or simply stated in a few sentences within other policies, procedures, and plans (the last one is the approach adopted in our toolkits).

This article will provide you further explanation about communication plan:
- How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/

2. How do we show compliance to the "introduce no-blame security culture"

Answer: Please note that "introduce no-blame security culture" is not a standard's requirement, but a good practice to support leadership and commitment  (e.g., to direct and support persons to contribute to the effectiveness of the ISMS); 

Ways to demonstrate that this culture is implemented is by evidencing nonconformities and security incidents reported by employees, because this will show that employees are not afraid to report those even if they are the once that have caused them.

This article will provide you further explanation about communication plan:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/