A plan for communicating with all stakeholders on information security and compliance must be developed by the Information Security And Compliance Lead.
Typically, the Information Security Communication Plan should include:
- Recipients: Relevant groups of stakeholders to whom communication needs to be sent out
- Communication content: The content of communication that should be sent out depending on who the recipients are
- Communication mechanism and vehicles: This would elaborate the mechanisms or methods of communication that may need to be employed for communicating on security and compliance. This could include newsletters, quizzes, emails, training capsules, booklets, posters, etc.
- Communication frequency: The frequency at which security-related communication needs to be sent to stakeholders
- Communication triggers: Triggers for sending out communication must be identified and defined. These would typically include a forthcoming security audit, a security incident, etc.
- Any specific formats of communication (templates, reports, etc.)
- Mechanism to check communication effectiveness
- Governance structure: This would include defining the roles that would be responsible for sending out the communication, monitoring the effectiveness of communication and taking relevant actions, escalation mechanisms, reporting mechanisms, etc.