1. Objective
To ensure clear, consistent, and effective communication of Information Security Management System (ISMS) policies, procedures, and updates to both internal and external stakeholders.
2. Internal Communications
A. Information Security Policy Awareness
What to Communicate: Key elements of the information security policy, its importance, individual responsibilities, and implications of non-conformance.
When to Communicate: Upon hiring, during annual refresher training, and whenever there are significant updates.
With Whom: All employees, contractors, and relevant third parties.
By Whom: HR and Information Security Officer (ISO).
Processes:
· Orientation sessions for new hires.
· Annual mandatory training programs.
· Email notifications and intranet postings for updates.
· Acknowledgment forms to confirm understanding and compliance.
B. Security Incident Response Procedures
What to Communicate: Procedures for reporting and responding to security incidents.
When to Communicate: During initial training, periodic refreshers, and immediately following any updates.
With Whom: All employees, IT staff, and relevant managers.
By Whom: ISO and IT Security Team.
Processes:
· Incident response training sessions.
· Quick reference guides distributed via email and intranet.
· Role-playing exercises to simulate incident response.
C. Regular ISMS Updates and Compliance Status
What to Communicate: Status updates on ISMS compliance, audit results, and improvement actions.
When to Communicate: Quarterly.
With Whom: All employees.
By Whom: ISO and Compliance Officer.
Processes:
· Quarterly newsletters.
· Town hall meetings or webinars.
· Detailed reports shared via the company intranet.
D. Role-Specific Security Responsibilities
What to Communicate: Specific security responsibilities and procedures relevant to different roles.
When to Communicate: Upon role assignment, and during periodic reviews or updates.
With Whom: Relevant employees and managers.
By Whom: ISO and Department Heads.
Processes:
· Role-specific training sessions.
· Documentation available on the intranet.
· Regular role-based security reviews.
3. External Communications
A. Vendor and Partner Security Requirements
What to Communicate: Information security requirements and expectations for vendors and partners.
When to Communicate: During the onboarding process and when requirements are updated.
With Whom: Vendors, partners, and third-party service providers.
By Whom: Procurement Department and ISO.
Processes:
· Security requirements included in contracts.
· Periodic review meetings with key vendors.
· Regular audits and compliance checks.
B. Incident Notification to External Parties
What to Communicate: Notification of security incidents that may impact external parties, including steps being taken to mitigate the impact.
When to Communicate: Immediately upon identification of the incident.
With Whom: Affected clients, regulatory bodies, and other stakeholders.
By Whom: ISO and Legal Department.
Processes:
· Incident response team coordinates external communications.
· Pre-prepared notification templates.
· Regular updates until resolution.
C. ISMS Certification and Compliance
What to Communicate: ISMS certification status, compliance achievements, and relevant updates.
When to Communicate: Upon initial certification and during annual renewals.
With Whom: Clients, prospective clients, and regulatory bodies.
By Whom: ISO and Marketing Department.
Processes:
· Press releases and announcements on the company website.
· Inclusion in marketing materials.
· Direct communication with key clients and stakeholders.
4. Monitoring and Feedback
A. Monitoring Communication Effectiveness
Processes:
· Regular surveys and feedback forms to assess understanding and effectiveness of communications.
· Internal audits to verify compliance and awareness levels.
B. Continuous Improvement
Processes:
· Review feedback and audit results.
· Update communication strategies and materials accordingly.
· Implement lessons learned from incident responses.
By following this communication plan, an organization can ensure that all internal and external stakeholders are well-informed about the ISMS, their roles and responsibilities, and the importance of adhering to information security policies.
- Written by: Innovation Team
- Posted on: August 6, 2024