NBlog Aug 23 - ISMS comms plan
News category: IT Security News
Source: feedproxy.google.com
ISO/IEC 27003:2017 confirms our assessment by stating explicitly:
"Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system". In other words, a documented comms plan is discretionary - advised as good practice but not strictly demanded of every organisation for '27001 compliance certification.
- Information security policies and procedures, plus changes thereto;
- [The organisation's] Information [risk and] security objectives;
- Knowledge on information security risks;
- Requirements [of information] suppliers;
- Feedback on the information security performance (not least the certificate of compliance with '27001 and asserted conformance with privacy laws);
- [Information about relevant] incidents and crises.
Have I neglected anything important though? I turned to Google and found useful guidance in the first few search results:
- Jean-Luc Allard, a respected member of ISO/IEC JTC 1/SC 27, takes the opportunity while writing for Advisera to elaborate on the standard's requirement. I appreciate his advice to consider comms as a two-way street: I will incorporate that into the template comms plan.
- ISMS.online has quite a bit of advice albeit much of it concerns how their ISMS cloud service generates information in a form that could usefully be communicated. They point out the link to discretionary control A.7.2.2 on security awareness which is already in the plan anyway: maybe we should mention A.7.2.2 in the preamble though.
- Ben Woelk, program manager for the Information Security Office at Rochester Institute of Technology, has published a detailed ISO comms plan - 16 pages laying out all the things they planned to communicate as part of their ISMS. I anticipate our customers using the templates to develop something along these lines, customised of course to suit their specific requirements ... but the SecAware ISMS templates are much shorter and generic. We are deliberately offering a bare-bones starting point hoping to inspire customers to develop the templates as they need, rather than a comprehensive out-of-the-box 'solution' which is unlikely to suit every customer. Nevertheless, Ben's inclusion of the goals and strategies for his comms plan is a cool idea, something again we can mention in the preamble.