Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

ISO certification: 7.4 Communication

  Quote
Guest
Guest user Created:   Dec 07, 2020 Last commented:   Dec 22, 2020

ISO certification: 7.4 Communication

We are contacting you regarding a request we have: the auditor are asking about this point 7.4 Communication in ISO-norm. We bought the templates from you, but the templates does not include this point. Could you please provide a template for this point 7.4?
 
7.4 Communication The organization shall determine the need for internal and external communications relevant to the information security management system including:

a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 07, 2020

First is important to note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented.

Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes, so to have a centralized communication procedure would overhead people responsible for communication with activities that may not be a part of their attributions. That’s the reason there isn’t a specific template for clause 7.4.

To answer your auditor's demand, I suggest you point him to the main documents of your ISMS that define how communication needs to be done: The Information Security Policy, the Training and Awareness plan, the Incident Management Procedure, and the Disaster Recovery Plan.

This article will provide you a further explanation about the communication plan:

- How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/

These materials will also help you regarding the communication plan:

- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

- ISO 27001 Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/

Quote
0 0
Guest
Guest user Dec 16, 2020

sorry to say, but the answer isn’t helpful at all to me, as the auditor requires a document for this point. In this case it would have been helpful to have a template from you.

Quote
0 0
Expert
Rhand Leal Dec 16, 2020

I'm sorry if my previous answer was not clear - clause 7.4 Communication is documented through the following documents from ISO 27001 Documentation Toolkit: 

  • Information security policy, section 4.5 Policy communication
  • IT security policy, section 3.14 E-mail and other message exchange methods
  • Access control policy, section 3.8 User password management
  • Password policy, section 4 User password management
  • Security procedures for the IT department, section 3.6 Information transfer
  • Information transfer policy, the whole document
  • Incident management procedure, section 3.1 Receipt, and classification of incidents, weaknesses, and events
  • Disaster recovery plan, section 5. Authorizations in a crisis
  • Training and awareness plan, the whole document

If the auditor insists that you have a separate document for communication only, this would be contrary to the standard, so you need to ask the auditor which clause is his demand based on. Of course, you can always schedule a call with our expert who will provide you with more insight into how to prepare for the certification audit.

Quote
0 0
Guest
Robert Karnecki Dec 22, 2020

Hi Rhand,

sorry to capture this thread: in your first answer you speak of the ISO 27001:2013. Since this is the old norm and should not be used anymore, how about the new norm (ISO 27001:2017)?

Best regards,
Robert

Quote
0 0
Expert
Dejan Kosutic Dec 22, 2020

The official ISO 27001 revision is from 2013, and it was confirmed in 2019 - you can see the details here: https://www.iso.org/standard/54534.html 

When you mention ISO 27001:2017, this is probably a standard that was re-published by a European or a local standardization body in a particular country - however, even though it has the year "2017" it is again the same as the original ISO 27001:2013. 

This article can also help you: European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

Quote
0 1

Comment as guest or Sign in

HTML tags are not allowed

Dec 07, 2020

Dec 22, 2020

Suggested Topics

Guest user Created:   Sep 23, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISO 27001 implementation

Rena Created:   Sep 15, 2021 ISO 27001 & 22301
Replies: 1
0 0

Conformio ISO Documentation

Guest user Created:   Sep 15, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISO27001 Implementation