DPWAT-ISMS-GOV-007 v1.0

ISMS Communication

Document ID: DPWAT-ISMS-GOV-007
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-08-18
Next review: 2027-02-01 (or on major change)

1. Purpose

Define how DP WAT communicates ISMS-related information internally and externally (ISO 27001 clause 7.4).

2. Communication matrix

| What | When | To whom | Who communicates | How |
|---|---|---|---|---|
| Policy/procedure updates | Within 1 week of approval | All personnel | CISO | Email + Slack |
| Security awareness reminders | At least annually | All personnel | CISO | Email or team meeting |
| Security incidents (internal) | As soon as practical | Affected personnel, Administrators | CISO | Slack/email, then incident record |
| Security incidents (external/reportable) | Per regulatory/contractual requirements | Authorities, customers, affected parties | CISO + Administrator | Email/formal notification |
| Audit findings (internal) | After audit completion | Administrators, relevant personnel | CISO | Management review, email |
| Audit findings (external) | After certification body report | Administrators | CISO | Management review |
| Risk assessment updates | After significant changes or annually | Administrators | CISO | Management review |
| ISMS scope/objective changes | Within 1 week of approval | All personnel | CISO | Email + Slack |
| Supplier security concerns | As identified | Administrator, affected project teams | CISO or Process Owner | Email/Slack |

3. Channels

4. Records

Communication of significant ISMS matters (policy changes, incidents, audit results) is documented through:

- Email threads (retained in mailboxes)
- Incident records (07-records/)
- Management review minutes
- Slack messages (90-day retention, not primary evidence)