Expert Advice Community

ISO certification: 7.4 Communication

Guest user, created: Dec 07, 2020, last commented: Dec 22, 2020

We are contacting you regarding a request we have: the auditors are asking about this point, 7.4 Communication, in the ISO norm. We bought the templates from you, but the templates do not include this point. Could you please provide a template for this point 7.4?

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the information security management system including:

a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

Expert
Rhand Leal Dec 07, 2020

First, it is important to note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented.

Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes, so having a centralized communication procedure would overload the people responsible for communication with activities that may not be a part of their attributions. That's the reason there isn't a specific template for clause 7.4.

To answer your auditor's demand, I suggest you point him to the main documents of your ISMS that define how communication needs to be done: The Information Security Policy, the Training and Awareness plan, the Incident Management Procedure, and the Disaster Recovery Plan.

This article will provide you with a further explanation about the communication plan:

- How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/

These materials will also help you regarding the communication plan:

- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest
Guest user Dec 16, 2020

Sorry to say, but the answer isn't helpful at all to me, as the auditor requires a document for this point. In this case it would have been helpful to have a template from you.

Expert
Rhand Leal Dec 16, 2020

I'm sorry if my previous answer was not clear. Clause 7.4 Communication is documented through the following documents from the ISO 27001 Documentation Toolkit:

  • Information security policy, section 4.5 Policy communication
  • IT security policy, section 3.14 E-mail and other message exchange methods
  • Access control policy, section 3.8 User password management
  • Password policy, section 4 User password management
  • Security procedures for the IT department, section 3.6 Information transfer
  • Information transfer policy, the whole document
  • Incident management procedure, section 3.1 Receipt, and classification of incidents, weaknesses, and events
  • Disaster recovery plan, section 5. Authorizations in a crisis
  • Training and awareness plan, the whole document

If the auditor insists that you have a separate document for communication only, this would be contrary to the standard, so you need to ask the auditor which clause his demand is based on. Of course, you can always schedule a call with our expert, who will provide you with more insight into how to prepare for the certification audit.

Guest
Robert Karnecki Dec 22, 2020

Hi Rhand,

sorry to capture this thread: in your first answer you speak of ISO 27001:2013. Since this is the old norm and should not be used anymore, how about the new norm (ISO 27001:2017)?

Best regards,
Robert

Expert
Dejan Kosutic Dec 22, 2020

The official ISO 27001 revision is from 2013, and it was confirmed in 2019. You can see the details here: https://www.iso.org/standard/54534.html

When you mention ISO 27001:2017, this is probably a standard that was re-published by a European or a local standardization body in a particular country. However, even though it has the year "2017", it is again the same as the original ISO 27001:2013.

This article can also help you: European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/
