Communication Requirements of an ISMS


Time
7 hours 52 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 5.4 Communication Requirements of an ISMS
00:07
In this video, we will cover considerations for your communication process:
00:12
what the communication requirements are,
00:15
examples of content to be communicated,
00:18
and what the requirements are for documented information. Information on
00:24
communication is specific to Clause 7.4 in the standard.
00:29
Communication with regards to your ISMS serves to keep your interested parties, identified all the way back in Clause 4,
00:36
up to date about important aspects of the ISMS,
00:39
whether it is the achievement of milestones or requiring some kind of input or
00:44
support from the interested parties.
00:46
Keep in mind that we identified both internal as well as external interested parties, and your communication strategy will need to cater to both.
00:55
The standard requires a few determinations to be made with regards to communication.
01:03
These are: what types of information need to be communicated.
01:07
What is the frequency of communication,
01:11
specifically per type of information to be communicated?
01:17
Who are the personnel involved in communicating?
01:21
Who is the target audience
01:23
for the communication, both internal and external?
01:26
What are the triggers for the communication activities, or the frequencies for specified communication activities,
01:34
and what communication medium will be used?
01:37
Will communication be sent by email, in-person speeches,
01:42
updates on the internet? Whatever the case is,
01:46
we'll cover the documented information of this clause a bit later. However, all important decisions and plans pertaining to communication should be documented.
01:56
For example, when you are being audited,
01:59
an auditor may have an expectation that you communicate at a minimum on a monthly basis.
02:05
To contest this,
02:06
you would need to have the appropriate approved document stating that your frequency of communication is quarterly, for reasons X, Y, Z.
02:15
This is a simple example, but the principles stay the same.
02:21
There are several elements within the communication of an ISMS that need to be determined and, of course, documented. But we'll cover that in a bit.
02:30
These are the key items to focus on: ensuring the decision has been made and that the relevant parties are made aware of it.
02:38
For example, external-facing communications, such as in the event of a data breach. You would only want certain appropriately trained and experienced personnel to handle that type of communication;
02:50
that would generally be a public relations expert of some sort who is responsible for managing communications to the media, clients and the general public.
02:59
Triggers and frequency:
03:00
for certain events, such as passing a certification audit,
03:04
having a data breach, or changing elements in the ISMS. These would serve as triggers for key communication.
03:10
Ideally, you would want to outline as many of these trigger events as possible
03:15
and specify the personnel responsible for communication efforts in each of those.
03:22
You want your content to be appropriate and relevant for the topic.
03:25
Having pre-approved and pre-formulated content is a good idea,
03:30
as this can speed communication up,
03:32
such as a set report that gets updated with new figures on a quarterly basis.
03:38
It is also important to identify your target audience for each type of communication that you will be sending out:
03:45
who will receive communication internally and externally, and for what.
03:50
Having a list of approved recipients, especially for external communications, is a good plan.
04:00
You also want to decide on an appropriate communication medium.
04:03
This can be in-person communication, email communication,
04:08
website updates, videos, telephone calls, whatever the case is.
04:13
For each type of communication medium, have a preferred...
04:15
I mean, sorry, for each communication type, have a preferred communication medium.
04:23
The method and process.
04:26
Is there a documented process to follow?
04:28
For example,
04:30
the initiator, the approver, the sender or the speaker, confirmation that a message has been sent and correctly received and understood.
04:42
What you communicate and who this is communicated to is rather important.
04:46
In addition to this, understanding what you need to communicate within your ISMS, and who the audience for each type of communication will be, is important.
04:57
Examples of communication content can include information pertaining to risk assessments, risk management and risk treatment activities,
05:05
information security objectives and the ongoing monitoring of the achievement of these,
05:11
roles, responsibilities and the authority within the ISMS context,
05:15
as well as any changes to the ISMS.
05:21
Generally, having something documented just makes life easier.
05:26
You can share the document with the people that need to be involved in the process,
05:30
and they have a constant reference point.
05:32
You can monitor and ensure the process is staying true to what was initially decided and agreed upon.
05:39
One can implement metrics and monitors.
05:42
Of course, it makes life a whole lot easier come audit time when you have something documented.
05:47
Telling an auditor you do something and communicate to stakeholders often doesn't suffice.
05:53
The communication you have sent is evidence.
05:57
That serves as a component of documented information;
06:00
the auditor can see that you have communicated.
06:03
It is a good idea to have all your processes documented from an audit point of view as well.
06:09
If you have not met the frequency of communication you have defined,
06:13
you'll have a non-conformity.
06:15
If you have, and the frequency is reasonable, it's quite difficult for an auditor to tell you it's not sufficient, as this is your documented process approved by management;
06:25
all they can do is recommend changing the frequency
06:28
because of whatever reasons the auditor may have.
06:30
Everything that we have discussed so far in the previous slides would be documented to some extent.
06:36
So if that is all documented in some manner
06:40
that works for your organization and is, of course, approved by your ISMS implementation lead and other relevant stakeholders,
06:46
then you should be good to go.
06:53
In this lesson, we covered what the considerations for your communication process and activities should be.
07:00
We touched on a couple of examples of communication media that can be used,
07:05
we covered the standard
07:08
and its requirements regarding communication processes,
07:13
we looked at examples of ISMS content that should be communicated,
07:17
and we also covered what is required as documented information for the communication process,
07:23
which can also serve as evidence during your certification audits.