In the implementation of the ISMS, communication plays an important role in supporting the programme in different ways and can be useful for both internal and external purposes. According to the standard, the organisation is required to determine what to communicate, when to communicate and whom to communicate with. For example, information security policies can be communicated internally and externally (like to interested parties), when it needs to be communicated and what information can be communicated with whom is important.
In addition who can communicate and how this is done (what process) are also important questions. These communications can be in a general meeting or a documented form depending on the requirements.