Communication Plan for ISO 27001: Making them hear and repond

By


The Communication Plan is a key element of a good Information Security Management System(ISMS). Your organization need to  communicate  most accurate Information to it's stakeholders at the best moment. It's equally important in security management to make people to respond to situations in the proper way.

Effective communication includes proper content, format and time to ensure creating trust among recipents both internal and external parties. Your communication will show how prepared you are, and whether you are reactive or proactive.

ISO 27001 clause 7.4 requires your organization to have a clear communication plan.

It should include : 

  • Who should communicate?
  • To whom? 
  • What messages? 
  • On what?
  • When?
  • How?

On what? means the content that will convey your message. It should clearly communicate what is important to the organisation and what's relevant to the recipient.

The content should match the interest of the recipient.

The content need to conform to the organization requirements and policies.

It may address risk management issue, a change in a control,  procedure or policy, a vulnerability, events or incidents.

The purpose could be to create awareness or to perform a  planned reaction. 

The communication plan need include requirements for security in agreements made with services and product providers.

What messages?

The form & format of the  messages should be clear  to produce the expected behavior. The type of the  communication medium can be short messages, news, circulars, stories, images, metaphors, or even cartoons can help.

Messages should be complete, short and focused on their real purpose and intent. 


Who? 

The communication plan should define who is authorized to communicate, with whome at what circumstances. 

Top management, CISO, PR officer, legal officer, HRM may communicate with different parties on different security matters.

The person communicating must have the appropriate authority to communicate. He or she should ensue that message will receive  attention, and followed by the expected response. 

To whom? 

All security communications are not intended for everyone. A Message is intended for a specific audience. The recipient should have clearance to information,  necessary  knowledge, and role in organization. 

The communication plan should clearly design who should receive information based on a classification such as confidential, private, internal, public.

How?

The communication plan should define the process of communication. How the message is prepared, approved, specially in the case of incidents and crises.

Defined channels and protocols should be included in communication plan  to to ensure that information reaches the intended audience at the best moment. Examples are SMS, Emails, pop-ups,  screensavers, posters, audio messages, meetings, policies and directives, etc.

When? 

The communications can  be continuous as well as  event-based. It may require retransmitting for new staff. Some messages require reminders.

The Communication Plan must have both internal and external aspects, for them to respond differently .

Internal Communication Plan

The Information Security Policy,  Established key roles and responsibilities,  Awareness plan, the general and specific requirements to respond to incidents.

External Communication Plan. 

Regulatory authorities, public authorities, shareholders, clients and partners, to announce events either positive or negative incidents, accidents and crises. 

Be careful not to expose confidential information when you disseminate  information that might  make a situation worse.

The Communication Plan is important to create and maintain trust  and confidence with your stakeholders on your preparedness, capability to face events, and ability to recover from crises.

Niranjan Meegammana 

Comments

Post a Comment

Popular posts from this blog

ISO 27001 ISMS in a Nutshell

By
Image
Image : ISO The ISO 27001 certification is the most comprehensive  information security standard recognized globally. It ensures standardizing of your organisation's information security strategies to ensure confidentiality, integrity and availability of your systems and data to conduct your business effectively.  Gaining the certification is a journey with several milestones. It is a carefully planned systematic activity that transforms an organisation to a secure entity,  where everyone becomes a stakeholder in information security. Follow this processes to get to your goal successfully. Step 1. Obtain Management Support . This is the most critical requirement to achieve ISO 27001 status. Your ISMS project will definitely fail if it does not receive to management support. The management should provide, people, money and strategic direction for your ISMS to be a success story. In the sections below you’ll find some tips on how to convince your management, and how much the implemen
Read more

Best Practices for secure Software Development

By
Image
image : OpenSense Labs Are you aware of the  Solarwinds attack in 2020? The hackers exploited software vulnerabilities of Orion IT monitoring and management software used by thousands of enterprises and government agencies. This hack triggered a larger scale supply chain incident which affected thousands of organizations, including the U.S. government. The attackers infliltrated the Solarwinds network, and infected the software used for Network monitoring before it shipped to customers.This insident and many more warn us on the importance of building secure software.  Secure software development is a methodology used for creating robust software by incorporating security practices into every stage of the software development life cycle (SDLC). It begins at planning stage before a single line of code is written, and continue through the life cycle. A bug fixing at implementation stage cost six times than fixing it during design stage. Every new feature added, may carry series of vulnera
Read more

How easily the data breaches occur? 5 ways to be aware of.

By
Image
Data breaches can occur at any unexpected moment. Unless you do not detect it fast, cybercriminals will have more time to exfiltrate information and cause bigger damage. On average it takes up to 30 days and costs $1 million to address a data breach incident stated 2021 Cost of a Data Breach Study. However, it could be more if you wait longer. Unfortunately, some took 6 months to respond.      Better safe than be sorry! Be prepared against data breaches.  There are 5 ways for your organization to avoid data breaches. Here is how. 1. Weak and stolen credentials  The most simplest way hackers use for data breaches is stealing passwords. Many people use predictable passwords like ‘Password1’ and ‘123456’. With them, cybercriminals don't even need to hack into a system to steal your sensitive data.  There are many tools that can help a cybercriminal to crack passwords. They run millions of popular credentials to break into your system. This requires you to have a strong password policy
Read more