Communication for ISO 27001 Information Security

ISO 27001 Clause 7.4

This sub-clause requires the organisation to determine the internal and external communications relevant to the ISMS - what, when, with whom, how and by whom.

ISO 27001 Clause 7.4 - Communication

Clause 7.4 covers all the communications that the management system relies on - the messages going out to staff, customers, suppliers, regulators and the public, and the channels for messages coming in. The clause does not require complicated documentation. It does require the organisation to have thought about who needs what information and how it gets to them.

What ISO 27001 Clause 7.4 Requires

The organisation must determine the need for internal and external communications relevant to the ISMS, including: what will be communicated, when it will be communicated, with whom it will be communicated, how it will be communicated, and who is responsible for communicating it.

The clause covers both planned routine communications and ad-hoc communications such as incident notifications, breach disclosures and customer security questionnaires. Most organisations capture the planned communications in a simple communications matrix or table.

Internal Communications

Internal communications inside an ISMS typically include: the information security policy and its changes, awareness training and refreshers, results from internal audits and management reviews, updates on incidents and lessons learned, and operational guidance about how to use systems safely. The channels include induction, intranet, e-learning, all-staff emails, team briefings and one-to-ones.

The frequency, format and audience for each internal communication need to be decided. A monthly all-staff security update is one approach. A combination of induction plus annual refresher plus ad-hoc alerts is another. The right pattern depends on the organisation.

External Communications

External communications cover dealings with customers, suppliers, regulators, certification bodies, the public and any other interested party. Typical content includes: the public version of the information security policy, customer security questionnaire responses, supplier security requirements, breach notifications under UK GDPR, regulator notifications under sector rules, and reassurance communications during or after incidents.

Some external communications are reactive and have to happen on tight timescales - UK GDPR requires the ICO to be notified of certain personal data breaches within 72 hours of the organisation becoming aware. The communications planning needs to recognise these obligations and make sure the right people know what to do when an incident happens.

The most useful artefact for this clause is a one-page communications matrix listing what gets communicated, by whom, to whom, how often and through what channel. It does not need to be complicated. It does need to cover both planned and reactive communications.

I check that the planned communications described in the matrix are actually happening. If the matrix says monthly security updates and there have been three in the past year, the matrix is wrong or the communications are slipping. Either way it is a finding.

Practical Compliance Guidance

The communications policy and the communications matrix together cover the planning required by Clause 7.4. Incident-related communications are usually handled separately as part of the incident response process.

The documents below support the planning and recording of communications relevant to the information security management system.

alphaZ document - How to use it

ISO 27001 Toolkit - Complete documentation set for ISO 27001:2022 including the communications policy and supporting templates.

P-17 Communications Policy - Top-level communications policy covering internal and external information flows, used as the policy reference for Clause 7.4.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

The standard does not specify a matrix or any particular format. It does require the planning to be visible. A matrix is the most efficient way to capture what, when, with whom, how and who - which is exactly what the clause asks the organisation to determine.

The clause covers planning, not specific message content. The communications matrix records what type of communication is needed - for example, 'incident notifications to affected customers' - without recording the content of any specific incident. Confidential information is protected by the controls covering each communication channel.

UK GDPR requires the ICO to be notified of certain personal data breaches within 72 hours. That communication is one of the items the Clause 7.4 communications matrix should reflect, with the trigger, the audience, the channel and the responsible role identified.

UK Legislation

The following UK legislation creates specific external communication obligations that the communications matrix should reflect.
