ISO27001 and the Awareness and Communication Requirements
The great thing about ISO27001:2013 is that it follows the high-level structure that ISO has set out as its preferred way of organising a management system standard. What that means is that pretty much all the newer ISO standards follow the same list of 10 clauses in the same order, and the structure is designed to help you align your various management systems. That is really helpful to you because the work you have done in, say, your ISO9001:2015 system under awareness and communication will stand you in good stead for the corresponding requirements in clause 7.3 Awareness and clause 7.4 Communication of ISO27001:2013.
ISO27001:2013 Clause 7.3 Awareness
The key phrase in this clause is "well informed". It is not just "oh, I know it exists"; it is "yes, I know what it is and why we have it". From an ISO point of view, they tell us that "Awareness is attained when people understand their responsibilities and how their actions contribute to the achievement of XXXX
That means that, as an organisation and a leadership team, you need to ensure that your team understands the key concepts of your ISO 27001 Information Security Management System (ISMS). Importantly, within this clause there are 3 very specific points that the standard wants you to ensure your team is well informed about:
- Your Information Security Policy: That seems to make sense, doesn't it? If people do not know and understand the policy, how can they possibly comply with it, or understand why certain processes are in place and how those processes line up with your ISMS requirements?
- Their contribution to the effectiveness of the information security management system, and the benefits of improved information security: The important word there is effectiveness. What makes for a really good system, what makes it usable, and what helps keep your information secure? You need to help them understand that, and importantly you need to help them understand it from their own viewpoint and in the context of their day job, so they know where they fit in the puzzle.
- The implications of not conforming with the ISMS requirements: This should not be all fire and brimstone, but it should certainly cover the end result of a security event. For example, if someone picks up a random USB device from the car park and plugs it into their PC, what happens? Worst case, they have just introduced ransomware that steals all the information in your systems, all the IP and all the personal information, and then locks those systems up. Now you are being asked for a lot of money, you are in the newspapers, and you are talking to the privacy commission and the police. Extreme, but it is becoming ever more possible. On the flip side, perhaps they have left your designs for the next-generation widget on the whiteboard overnight, your cleaner notices, and within a week your competitor has launched a widget that looks very like yours. These are the implications you should talk about, and they need to be spelled out so people understand why you do what you do.
This awareness starts at the person's induction to the company, is reinforced in the contract of employment, and expands into regular briefings and feedback sessions as you continually review your processes and systems to improve them.
ISO27001:2013 Clause 7.4 Communication
The communication requirement of the ISO27001 Information Security Management standard is about ensuring that the things we have talked about under awareness and elsewhere are communicated correctly, both within your organisation and outside it. Specifically, it is about ensuring that the right level of communication reaches the right people, at the right time, and in the right way. You should essentially create a communication plan or play-book that you can pick up when you need it, rather than having to make things up on the spot.
There are 5 elements that clause 7.4 of the ISO27001:2013 standard wants you to consider about communication:
- What to Communicate
- When to communicate it
- Whom to communicate it to
- Who should be the person communicating it
- The process by which you will communicate it
You should have a communication plan for a range of events and circumstances, from initial inductions and training through to press releases and, should the worst happen, discussions with employees, the Privacy Commission, the authorities, customers, suppliers, or the stock market. You really do not want to be making those things up on the spot.
When communicating internally, you need to start with the 3 items we listed in the awareness section: your people need to know what the Information Security Management System policy is, what the objectives are, how you plan to meet them, and how that affects them. There are many ways to do this; face-to-face meetings, team meetings, town hall meetings and reviews are all great. Ensuring that all of this is readily available in your integrated quality management system (QMS) is also important. Make it simple for people to find the documentation they need.
ISO27001:2013 Awareness & Communication Summary
As an organisation, you need to ensure that the people who need to know things about your ISO27001:2013 ISMS, or even about your business in general, both inside and outside your organisation, are aware of what they need to know. They need to know the part they play in it.
You need an effective communication plan to ensure that the right people have the right information to work within your policy correctly. You achieve this through regular communication, training and information systems and, where appropriate, assessments and objectives.
You also need to develop a communication play-book for the unexpected issues that will come up, so that the interested parties to an event are communicated with in the right way, at the right time and with the right information, in spite of the chaos that comes with a breach of your systems.
Copyright
© Many Caps Consulting Ltd | All Rights Reserved