Jean-Luc Allard
October 27, 2014
Communicating is a key activity for any human being, and the same is true for an organization. It helps by delivering the most accurate information to the right audience at the right moment. It is certainly important in security management, because you want people to react in the proper way.
It is also important that effective communication, in content, format, and timing, creates trust with both internal and external parties. It shows how prepared you are, and whether you are reactive or, better, proactive.
ISO 27001 addresses the communication issue three times, and organizations wanting to implement the ISMS have to look closely at these requirements.
Clause 7.4 requires a clear answer to a series of questions on security issues: Who should communicate? To whom? What messages? On what? When? And how?
Let’s look more closely at how to address these questions.
On what? (content) Organizations should clearly communicate what is important to them: the need for information security and the need to conform to the security requirements and policies.
Communication will also address risk management issues, new or changed security objectives, and vulnerabilities, events, or incidents, so as to trigger an adequate response from everyone, and especially from the trained personnel who carry out the planned reaction. Celebrating achievements and congratulating exceptional security behavior has very positive effects.
Including security clauses and requirements in contracts is also a way to communicate your requirements to service and product providers. Hence, it can be considered part of the Communication Plan.
Messages should be short and focused on their real intent. You certainly remember the SMART criteria, which you can use to make sure the message is complete.
Who? Organizations should clarify who is authorized to communicate, especially with external parties. Internally, top management, the CISO, and the help desk are good examples. Large companies have a Public Relations Officer to communicate with external parties.
The communicator should have the appropriate authority to make sure the message will be received with the necessary attention and will be followed by the expected action or reaction.
To whom? Not everybody should receive all messages. Messages should be aimed at a specific audience, depending on the classification of the information, the necessary technical knowledge, and the role in the organization. The Communication Plan should be effective and addressed only to those who will benefit from it or need to act based on it – e.g., different interested parties like users, partners, internal and external service providers, regulating bodies, shareholders, etc. See also this article: How to identify interested parties according to ISO 27001 and ISO 22301.
How? (process) The first and simplest way is the security policy and all the documents that describe what to do (and how) to meet the objectives of the policy. Messages should be prepared and approved, particularly for incidents and crises.
Defined channels (and protocols) should be used to make sure the communication reaches the intended audience at the best moment and with the best possible effectiveness. Examples: emails, pop-up screens, screensavers, posters, audio messages, meetings, policies and directives, etc.
When? Communication should be both continuous and event-based (in reaction to events).
You should make sure the message is repeated continuously, for example to newcomers and at regular intervals, so that it is not forgotten.
You should also be able to modify messages, or introduce new messages, formats, and channels, when the situation requires it. Communicating under normal conditions may differ significantly from communicating during incidents or crises.
It is important to recognize that the Communication Plan has both internal and external aspects. Each answers the questions above differently.
Internal Communication Plan. Top management uses the internal Communication Plan to send messages on its objectives and commitment toward information security. Some examples are the Information Security Policy, the security organization with its key roles and responsibilities, the awareness plan, and the general and specific requirements for responding to incidents.
However, the internal Communication Plan should not remain unidirectional. The channels (telephone and email, for example) should also be known and used to communicate “bottom-up” from the base (the users) to management about events or newly discovered vulnerabilities.
External Communication Plan. Most of the examples given above relate to the internal Communication Plan, but are also fully applicable to the external Communication Plan.
You may need to communicate with the external world (regulatory authorities, public authorities, shareholders, clients, and partners) to announce events, whether positive (successes) or negative (incidents, accidents, and crises). Here, too, you will need a Communication Plan answering the same questions as above.
However, in this case you will have to use more caution, as you must not expose or disseminate sensitive information that would make your situation worse.
Depending on the size of the organization and its security objectives, the Communication Plan could be more or less formal, fully documented as a separate document or simply stated in a few sentences within other policies, procedures and plans.
As long as the intended messages reach those who can make the best use of them, your solution will fit your needs and the resources you can devote to it.
To conclude, the Communication Plan is a question of creating and maintaining trust and confidence in 1) your preparedness, 2) your capability to face events, and 3) your ability to recover from crises.
The Communication Plan is a key element of a good Information Security Management System. One of the Returns On (Security) Investment of a good Communication Plan, as required by ISO 27001, is a strong image, both internal and external. Losing internal (or stakeholders’) trust is sometimes worse than losing your public image. You risk implosion.