Mapped references: ISO/IEC 27001:2022 Annex A A.6.5, A.5.24; NIST IR-4(a)

Is there a written internal communications plan (who tells employees what, when, via which channels)?

Description

What this control does

A written internal communications plan specifies which messages are delivered to employees, by whom, through which channels, and on what timing (the trigger that starts the clock and the deadline for delivery). Message types include routine security updates, incident notifications, policy changes, training reminders, and executive communications. For each message type the plan assigns an owner and a backup, defines which audience segments receive it, and establishes escalation paths, so that employees receive timely, consistent information that supports security operations and incident response.

Control objective

What auditing this proves

Demonstrate that the organization maintains a documented, role-based internal communications plan that defines message types, responsible parties, delivery channels, timing, and audience segments for security-relevant employee communications.

Associated risks

Risks this control addresses

  • Employees unaware of active security incidents continue risky behaviors or fail to report suspicious activity, expanding breach scope
  • Conflicting or redundant messages from multiple departments create confusion about which security instructions employees should follow
  • Lack of defined communication ownership delays critical notifications during incidents, increasing dwell time and organizational impact
  • Ad-hoc communication methods bypass documented channels, preventing audit trails and compliance evidence collection
  • Inconsistent messaging across business units creates policy interpretation gaps that attackers exploit through social engineering
  • Delayed or missing policy change notifications leave employees operating under outdated security procedures, causing compliance violations
  • Absence of communication prioritization causes security alerts to be buried among non-critical messages, reducing employee vigilance

Testing procedure

How an auditor verifies this control

  1. Request the current written internal communications plan document and verify it includes defined message types, responsible parties, channels, timing, and audience segments
  2. Identify all security-related message categories documented in the plan (incident alerts, policy updates, training reminders, threat intelligence, phishing simulations)
  3. Review role assignments to confirm specific individuals or teams are designated as owners for each communication type with backup contacts identified
  4. Examine channel definitions to verify the plan specifies delivery methods (email, Slack, intranet, SMS, all-hands meetings) mapped to message urgency and audience
  5. Select three distinct message types from the plan and request evidence of actual communications sent in the past six months matching documented procedures
  6. Interview communication owners from at least two departments to validate their awareness of responsibilities and confirm the plan is actively followed
  7. Review incident response runbooks or playbooks to confirm they reference the communications plan for stakeholder notification procedures
  8. Verify the plan includes a documented review cycle with evidence of at least annual updates reflecting organizational or technology changes

Evidence required

The auditor collects the internal communications plan document itself, including version history and approval signatures; dated examples of security communications (emails, portal posts, chat announcements) with metadata showing sender, channel, audience, and send time, so that delivery can be compared against the triggering event and the timing the plan requires; interview notes from communication owners confirming plan usage; and cross-references to the communications plan from incident response procedures or security awareness program documentation.

Pass criteria

A documented internal communications plan exists that explicitly defines security message types, assigns named owners with backups, specifies delivery channels and timing, segments audiences, is supported by evidence of operational use within the past six months, and demonstrates integration with incident response procedures.