ISO 27001 Clause 7.4: Communication
Clause 7.4 requires your organization to determine the internal and external communications relevant to the ISMS - specifically what to communicate, when, with whom, and how. This is the clause that prevents security-relevant information from falling through the cracks. Without planned communication, incidents go unreported, policy changes reach some teams but not others, and external stakeholders never hear about your security commitments.
What the clause requires
ISO 27001:2022 Clause 7.4 requires the organization to determine the need for internal and external communications relevant to the ISMS, including:
- a) What to communicate - the subject matter
- b) When to communicate - the timing and frequency
- c) With whom to communicate - the audience
- d) How to communicate - the method or channel
The 2022 revision simplified the original 2013 wording, which also included “who shall communicate” as a separate requirement. In practice, most organizations still document who is responsible for each communication - it is just no longer an explicit sub-requirement.
The clause is deliberately broad. It does not prescribe specific communications or channels. Instead, it requires you to think through what ISMS-related information needs to flow, in which direction, and to make sure it actually happens. For a small organization, this might be a one-page communication plan. For a larger enterprise, it could involve multiple channels and formal escalation paths.
How to build a communication plan
Internal communications
For a 20-person SaaS company, internal ISMS communications typically cover:
| What | When | With whom | How |
|---|---|---|---|
| Security policy updates | When policy changes | All employees | Email plus Slack announcement |
| Security incidents | Immediately upon detection | ISMS manager, affected team leads | Incident response channel (Slack, Teams) |
| Risk assessment results | After each assessment cycle | Leadership, risk owners | Management review meeting |
| Audit findings | After internal or external audit | Leadership, process owners | Written report plus meeting |
| Awareness reminders | Monthly or quarterly | All employees | Slack channel, newsletter |
| ISMS performance metrics | Quarterly | Leadership | Management review agenda |
The key is that these communications are planned, not ad hoc. When a security incident happens at 2 AM, people should already know whom to notify and through which channel - not figure it out in the moment.
Most organizations document this as a simple communication plan - a table or matrix that lives alongside the ISMS documentation. It does not need to be elaborate. What matters is that it exists and that people follow it.
External communications
External communications cover information flowing to or from parties outside the organization:
- Customers and prospects - security posture information, certifications held, data processing details. Often handled through security questionnaires, trust pages, or shared compliance documentation.
- Regulators and authorities - breach notifications under GDPR, NIS2, or other regulatory frameworks. Define who is authorized to communicate with regulators and under what circumstances.
- Certification body - scheduling audits, providing evidence, reporting significant ISMS changes between surveillance visits.
- Suppliers and partners - security requirements in contracts, incident notification obligations, and periodic security reviews as part of supplier management.
- Interested parties - any communications required based on your interested parties analysis under Clause 4.2.
For regulatory notifications, timing matters. GDPR requires breach notification to the supervisory authority within 72 hours. NIS2 requires initial notification within 24 hours. Your communication plan should specify these deadlines and the person responsible for meeting them.
Connecting 7.4 to the rest of your ISMS
Clause 7.4 connects to several other clauses that either generate or depend on communications.
Clause 7.3 connection. Awareness requires everyone to know the security policy, their contribution to the ISMS, and the consequences of non-conformance. Communication is the mechanism that delivers awareness. Your communication plan should include how awareness information reaches all employees - especially new hires and contractors.
Clause 7.5 connection. Documented information and communication overlap. The communication plan itself is documented information. Additionally, many communications generate records - meeting minutes from management review, incident notification logs, policy acknowledgments - that become ISMS evidence.
Clause 5.1 connection. Leadership commitment includes communicating the importance of effective information security management. Clause 7.4 operationalizes this - how does leadership actually communicate security priorities to the organization?
Clause 9.3 connection. Management review requires reporting on ISMS performance, audit results, and improvement opportunities to top management. These are specific internal communications that should appear in your communication plan.
Clause 4.2 connection. Your interested parties analysis identifies who has expectations regarding your ISMS. Clause 7.4 ensures you have planned how to communicate with those parties. If customers expect annual security reports, that communication should be in the plan.
What auditors check
Auditors assess Clause 7.4 by reviewing your communication plan and checking whether planned communications actually happen.
Existence of a communication plan. Auditors expect to see a documented plan or matrix that covers at least the four elements: what, when, with whom, and how. The format does not matter - a table in a Word document, a page in your GRC tool, or a section in your ISMS manual all work. What matters is that it exists and covers both internal and external communications.
Coverage of key ISMS communications. Auditors check whether important communications are planned: incident reporting, management review reporting, policy distribution, awareness activities, and external notifications. If your communication plan does not mention incident reporting, auditors will question how incidents get escalated.
Evidence that communications happen. A plan on paper is not enough. Auditors sample evidence that planned communications actually occurred. This includes management review minutes, incident notification records, policy distribution logs, and training attendance records. If your plan says “quarterly awareness updates to all staff” but you have no evidence of the last two quarters, that is a finding.
Incident communication pathways. Auditors often test incident communication by asking employees: “If you discovered a potential security incident right now, what would you do?” People should be able to describe who they would contact and through which channel. If the answer is “I guess I would tell my manager?” that suggests the communication plan is not reaching employees.
External notification procedures. For organizations subject to breach notification requirements, auditors verify that the communication plan includes regulatory notification timelines and responsibilities. If you process personal data under GDPR, auditors expect to see a defined process for notifying the supervisory authority within 72 hours.
Common mistakes to avoid
No communication plan at all. Some organizations treat communication as something that “just happens” and see no need to document it. Auditors disagree. Clause 7.4 explicitly requires determining communications - and that determination should be documented. Even a simple one-page table satisfies the clause.
Planning communications but not executing them. A communication plan that lives in a drawer helps nobody. The most common finding is planned communications that are not happening - quarterly updates that stopped after year one, management review meetings that have no recent minutes, or incident reporting channels that employees do not know about.
Focusing only on internal communications. Many organizations document internal communications well but overlook external ones. Customer security inquiries, regulatory notifications, certification body interactions, and supplier communications all need to be planned. If your interested parties analysis identifies customer expectations around security reporting, your communication plan should address them.
Unclear incident escalation paths. When a security event occurs, speed matters. If your communication plan does not define who gets notified first, through which channel, and within what timeframe, the response will be slow and disorganized. Define the escalation path from detection through to management notification and any external reporting obligations.
Not updating the plan as the organization changes. Communication channels evolve. The company moves from Slack to Teams. A new regulatory requirement introduces notification obligations. The ISMS manager changes roles. Review and update the communication plan at least annually and after significant organizational changes, the same way you review other ISMS elements under Clause 6.3.
How 27kay can help
We help organizations build communication plans that cover what auditors expect without creating unnecessary process overhead. As part of ISO 27001 implementation, we set up the communication matrix, define incident escalation paths, and ensure regulatory notification requirements are covered. For the full picture, see our ISO 27001 knowledge hub.
Not sure whether your ISMS communications are properly planned? Get in touch - we will review what you have and identify the gaps before your auditor does.