Welcome to the SecAware blog


24 Aug 2020

ISMS comms plan

Yesterday I started preparing an ISMS communications plan to satisfy ISO/IEC 27001:2013 clause 7.4, with a little help from the Web.

Naturally I started out with the standard itself. Clause 7.4 doesn't literally demand that organisations must have a "communications plan" as such, otherwise it would have been one of the mandatory documents included in SecAware ISMS Launchpad. Oh no, it's more circumspect: the standard says "the organization shall determine the need for internal and external communications relevant to the information security management system" ... and then lists what to communicate, when, with whom, who shall communicate and the process by which it is done - in other words, yes, you guessed it, a "communications plan".

ISO/IEC 27003:2017 confirms our assessment by stating explicitly:
"Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system".
In other words, a documented comms plan is discretionary - advised as good practice but not strictly demanded of every organisation for '27001 compliance certification.

Well anyway, let's do it! To comply with the standard, what should typically be communicated in respect of the ISMS, when, to and by whom, and by what means?

ISO/IEC 27003 offers examples of the things that should be communicated:
  • Information security policies and procedures, plus changes thereto;
  • [The organisation's] Information [risk and] security objectives;
  • Knowledge on information security risks; 
  • Requirements [of information] suppliers; 
  • Feedback on the information security performance (not least the certificate of compliance with '27001 and asserted conformance with privacy laws);
  • [Information about relevant] incidents and crises. 
Hmmm, as you can guess from the [insertions] in the list, while reading the advice I'm already putting my own slant on this, thinking about how the organisations I've previously worked/consulted with interpreted the standard's concise/minimalist advice, and what I would do now.

Next I set to work drafting the template in the form of a summary followed by a table with three columns (when, internal comms and external comms), rows for each quarter of a year and bullet points outlining the nature of the comms in each case. A simple 3½-page two-year comms plan covering the period up to and beyond certification came together in no time. 

Here's a taster, a glimpse of the first ½-page as originally drafted:

The sequence of communications mirrors the ISMS implementation project from initial approval through building the ISMS to certification and then business as usual as the ISMS settles down and gradually matures - hence the comms plan is pretty close to being an ISMS implementation project plan, including management comms about the progress of the project.

Have I neglected anything important though? I turned to Google and found useful guidance in the first few search results:
  • Jean-Luc Allard, a respected member of ISO/IEC JTC 1/SC 27, takes the opportunity while writing for Advisera to elaborate on the standard's requirement. I appreciate his advice to consider comms as a two-way street: I will incorporate that into the template comms plan.

  • ISMS.online has quite a bit of advice albeit much of it concerns how their ISMS cloud service generates information in a form that could usefully be communicated. They point out the link to discretionary Annex A control A.7.2.2 (information security awareness, education and training), which is already in the plan anyway: maybe we should mention A.7.2.2 in the preamble though.

  • Ben Woelk, program manager for the Information Security Office at Rochester Institute of Technology, has published a detailed ISO comms plan - 16 pages laying out all the things they planned to communicate as part of their ISMS. I anticipate our customers using the templates to develop something along these lines, customised of course to suit their specific requirements ... but the SecAware ISMS templates are much shorter and generic.  We are deliberately offering a bare-bones starting point hoping to inspire customers to develop the templates as they need, rather than a comprehensive out-of-the-box 'solution' which is unlikely to suit every customer. Nevertheless, Ben's inclusion of the goals and strategies for his comms plan is a cool idea, something again we can mention in the preamble.
I could continue laboriously trawling the remaining 1.7 million Google results (!) for inspiration but life's too short. Already I have the impression that the template comms plan is fine with just a little adjustment to the preamble - that summary section up-front that explains what the plan is about and intends to achieve. For example, it should mention who will be involved in preparing, authorising and delivering the comms (several people from various functions). So that's one of today's tasks on the to-do list.

First, though, I need to feed our ravenous ewes, lambs, goats and kids, two tame deer, a small flock of chooks and a house cow called Ginger. The sky is blue, the sun shining brightly, another glorious Spring day in rural New Zealand. Feeding out is an opportunity to think.

PS  This blog piece has taken me at least as much time and effort to write as the comms plan itself, but I hope you find it useful to hear about the work that goes into the SecAware ISMS templates and other materials.

1 comment:

  1. Nice addition to the package.
    Interesting question actually is how detailed the plan can/should be. You can do it with a bunch of detail (like the RIT colleague did) but also a table with, let's say, 10 entries with the purpose and an interval of communication could be sufficient.