Who talks to whom, about what, and when? ISO 27001 Clause 7.4 requires you to plan and document the internal and external communication of your ISMS. The communication plan turns a vague intention into a concrete process — and provides the audit evidence that information security is actually communicated in your organisation.
What does it contain?
The template structures each communication occasion along the five dimensions from Clause 7.4:
- Subject — what is communicated? (e.g. new information security policy, internal audit results, security incident)
- Timing / frequency — when or how often? (e.g. after approval, quarterly, on occurrence of an event)
- Audience — to whom? (e.g. all employees, executive management, affected customers, regulator)
- Responsible person — who triggers the communication and ensures it happens?
- Channel — how is it communicated? (e.g. email, intranet, briefing, formal letter)
How to use the template
1. Collect communication occasions. Walk through the clause requirements of your ISMS and identify every point where communication must happen. Typical triggers: policy approval (Clause 5.2), roles and responsibilities (Clause 5.3), training (Clause 7.2), incident handling (A.5.24–A.5.28), change management.
2. Separate internal and external occasions. Internal communication targets employees and management. External communication targets customers, suppliers, regulators, certification bodies. The requirements for formality, deadlines, and evidence differ significantly.
3. Assign responsibilities. Each occasion needs a named responsible person. In practice this is often the CISO or information security officer — but for incident notifications to regulators, executive management may be responsible.
4. Define channels. The channel must fit the audience and the urgency. Policy changes via intranet announcement, incident notifications via a defined escalation path, regulatory notifications via formal letter with deadline.
5. Update regularly. New policies, new stakeholders, new regulatory requirements — the communication plan grows with the ISMS. Review it at least annually and after every significant change to the scope.
Example stakeholder communication matrix:

| Stakeholder | Category | Interest in ISMS | Communication Content | Channel | Frequency | Owner | Language |
|---|---|---|---|---|---|---|---|
| Top Management | Internal | Strategic oversight and risk exposure | KPI dashboard, management review results, major incidents | Management review meeting + email | Quarterly | | |
| Employees | Internal | Policies, awareness, incident reporting | Policy acknowledgements, awareness news, phishing results | | | | |
| IT Operations team | Internal | Technical controls, change management | Tickets, change advisory, vulnerability alerts | Ticket system + Teams channel | | | |
| Works council | Internal | Employee monitoring, remote work | Planned monitoring measures, BYOD rules | Dedicated meeting | On change | | |
| Customers | External | Confidentiality, availability, incidents affecting them | Security factsheet, incident notifications, audit reports | | | | |
| Data subjects | External | GDPR rights | Privacy notice, breach notifications | Website + email | On change + on event | DPO | |
| Regulator (BfDI) | External | GDPR compliance, breach reports | Breach notifications (Art. 33 GDPR) | Online portal | On event | DPO | |
| NIS2 competent authority (BSI) | External | Incident notifications (24h/72h/1M) | Early warning, incident notification, final report | BSI reporting portal | On event | | |
| Suppliers | External | Contractual security requirements | Security questionnaires, audit requests | Email + supplier portal | Annually + on event | Procurement | |
| External auditors | External | Audit evidence | SoA, policies, records | Audit room / secure share | Annually | | |
| Insurance | External | Cyber risk posture | Controls attestation | | Annually | CFO | DE |
| Press | External | Crisis communications | Holding statement, factual updates | Press release + briefing | On event | Communications Lead | |
Sources
- ISO/IEC 27001:2022 Clause 7.4 — Communication
- NIS2 Directive (EU 2022/2555) Art. 23 — Reporting obligations