The great thing about ISO27001:2013 is that it follows the high-level structure set out by ISO as their preferred way of working through a standard. What that means is that pretty much all the new ISO standards follow the same list of 10 clauses in the same order. It is designed to help you align your various management systems. That's really helpful to you because it means that the work you have done in, say, your ISO9001:2015 system under awareness and communication will stand you in good stead for the requirements of clause 7.3 Awareness and clause 7.4 Communication in ISO27001:2013.
The key part is "well informed": it's not just "oh, I know it exists", it's more "yes, I know what it is and why we have it". From an ISO point of view, they tell us that "Awareness is attained when people understand their responsibilities and how their actions contribute to the achievement of XXXX
That means that, as an organisation and a leadership team, you need to ensure that your team has an understanding of the key concepts of your ISO 27001 Information Security Management System (ISMS). Importantly, within this clause there are 3 very specific points that they want you to ensure your team is well informed about:
This awareness starts at the person's induction to the company: it is covered in the contract of employment and expands into regular briefings and feedback sessions as you continually review your processes and systems to improve them.
The communication requirement of the ISO27001 Information Security Management standard is about ensuring that the things we have talked about under awareness, and elsewhere, are communicated correctly, both within your organisation and outside it. Specifically, it is about ensuring that the right level of communication is given to the right people, at the right time and in the right way. You should essentially create a communication plan or play-book that you can use when you need to, rather than having to make things up on the spot.
There are 5 elements that clause 7.4 of the ISO27001:2013 standard wants you to consider about communication.
You should have a communication plan for a range of events or circumstances, from initial inductions and training through to your press releases and your discussions with employees, the Privacy Commission, the authorities, customers, suppliers or the stock market should the worst happen. You really don't want to make those things up on the spot.
When communicating internally you need to start with the 3 items we listed in the awareness section: your people need to know the Information Security Management System policy, the objectives, how you plan to meet them and how that impacts them. There are many ways to do this; face-to-face meetings, team meetings, town hall meetings and reviews are all great. Ensuring that these things are all readily available in your integrated quality management system (QMS) is also important. Make it simple for people to find the documentation they need.
As an organisation, you need to ensure that the people who need to know things about your ISO27001:2013 ISMS, or even about your business in general, both inside and outside your organisation, are aware of what they need to know. They need to know the part they play in it.
You need to have an effective communication plan to ensure that the right people have the right information to allow them to work within your policy correctly. You achieve this through regular communication, training and information systems and, where appropriate, assessments and objectives.
You need to develop a communication play-book for those unexpected issues that are going to come up, so that the interested parties to the event are communicated with in the right way, at the right time and with the right information, in spite of the potential chaos that comes with a breach of your systems.
© Many Caps Consulting Ltd | All Rights Reserved