The basics
ISO 27001 sub-clause 7.4 is called “Communication” — it requires defining which internal and external communication is needed for the ISMS, considering what needs to be communicated, by whom, when it should be done, and who needs to receive the communication.
Documentation
ISO 27001 clause 7.4 Communication does not require writing any documents.
A good practice is to document specific communications within the relevant policies and procedures, e.g., the Disaster Recovery Plan or the Incident Management Procedure.
The following document is not mandatory, and companies can decide whether to write it:
- Communication plan
Implementation
To comply with clause 7.4 Communication, companies need to define:
- What will be communicated
- When this communication will take place
- To whom the communication will be directed
- How the communication will be performed
Audit evidence
During the audit, an auditor might ask for the following evidence regarding 7.4 Communication:
- If the company has defined relevant interested parties to whom it needs to communicate regarding security.
- If the company has defined what will be communicated to those interested parties.
- If the company has defined when this communication will take place.
- If the company has defined which communication channels will be used.
It is not mandatory to write a document for this clause, so the auditor might interview people and look for records of written communication (e.g., email).
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.