ISO 27001 and ISO 22301 communication plan
Answer:
Neither ISO 27001 nor ISO 22301 requires the communication plan to be documented; these standards only specify the activities you must do.
Considering that, depending on the size of the organization and its security objectives, a Communication Plan could be more or less formal, fully documented as a separate document or simply stated in a few sentences within other policies, procedures and plans (our toolkits adopt this second approach).
For example, the Information Security Policy communicates the security organization and the key roles and responsibilities. In the Awareness plan, the general and specific requirements to respond to incidents can be communicated. In the Incident management procedure it is specified who needs to communicate with whom, as well as in the Business continuity plan.
If you do want to create a separate Communication plan, then this article will provide you with further explanation about the communication plan (although it focuses on ISO 27001, the same concepts can be applicable to ISO 22301):
- How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/
Mar 13, 2019