Communication

Updated: 2025-05-27

Plain English Translation

Clause 7.4 requires the organization to establish a structured approach for sharing information security details. Instead of ad-hoc messaging, you must define exactly what needs to be communicated (e.g., policy updates, security incidents), when it happens (e.g., quarterly, real-time), who receives it (e.g., employees, regulators, customers), and the methods used (e.g., email, meetings, public notices). This ensures that critical security information reaches the right people effectively and consistently.

Executive Takeaway

Management must ensure clear channels exist for internal updates and external reporting, particularly for incidents and compliance obligations.

Impact: High
Complexity: Low

Why This Matters

  • Ensures rapid information flow during security incidents
  • Mandatory for complying with breach notification laws (e.g., GDPR)
  • Maintains trust with customers through transparent updates

What “Good” Looks Like

  • A defined communication matrix covering Who, What, When, and How, with a named owner for each row; tools like WatchDog Security's Compliance Center can track ownership, evidence of delivery, and gaps when required communications are missed.
  • Regular town halls or newsletters featuring security updates
  • Tested channels for urgent crisis communication to leadership

Clause 7.4 is the requirement to determine and implement a process for internal and external communications relevant to the ISMS, ensuring the right information reaches the right parties at the right time.

The standard requires you to define four specific elements for communications: 1) What to communicate, 2) When to communicate, 3) With whom to communicate, and 4) How to communicate (the channel used and, in practice, who is responsible for sending it).

Create a matrix listing key communication events (e.g., 'New Policy', 'Security Incident', 'Quarterly Review'). For each event, assign the Audience (Who), Timing (When), Content (What), and Channel/Owner (How).

In practice, the matrix should cover the information security policy, objectives, changes to the ISMS, feedback on ISMS performance, relevant threat intelligence, and incident details, each mapped to the stakeholders who need it.

Internal communication targets employees and contractors (e.g., training, policy updates). External communication targets customers, regulators, and suppliers (e.g., breach notifications, privacy notices).

Needs are determined by analyzing your interested parties (Clause 4.2), legal/regulatory obligations (e.g., the GDPR requirement to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to notify affected data subjects without undue delay where the risk to them is high), and operational requirements for incident response.

Auditors typically look for a communication plan or matrix, evidence of sent communications (emails, meeting minutes), and policies (like Incident Response) that contain specific communication instructions. Tools like WatchDog Security's Compliance Center can centralize these artifacts and maintain an audit trail showing when key ISMS communications were issued and to whom.

External security communication often becomes inconsistent when evidence, policies, and updates are scattered across shared drives and ad-hoc email responses. This can slow down customer security reviews and lead to conflicting or outdated information being shared. For example, WatchDog Security's Trust Center can provide a controlled portal for sharing approved security documents and selected evidence with access controls and audit logs, helping teams respond consistently while keeping sensitive materials governed.

Vendor communication can be hard to evidence because requirements, questionnaires, and incident notifications may live in inboxes rather than a system of record. A structured approach is to centralize vendor contacts, track what was requested or communicated, and retain the supporting artifacts for audit review. For example, WatchDog Security's Vendor Risk Management can maintain a vendor catalog, store security assessments and communication artifacts, and help demonstrate that vendor security requirements and incident-related updates were communicated and tracked.

Recipients include internal staff, top management, board members, and external parties such as customers, regulatory bodies, law enforcement, and critical vendors.

ISO-27001 7.4

"The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) how to communicate."

Version: 1.0.0
Date: 2025-05-27
Author: WatchDog Security GRC Team
Description: Initial publication