Information Security Communication Plan
Document ID: PROC-008
Document owner: Jan Marc Castlunger (ISO)
Classification: Internal
Version: 1.0
Approved: March 2026
Next review: March 2027
Frameworks: ISO 27001 (7.4) | SOC 2 (CC2.2, CC2.3)
1. Purpose
ISO 27001 Clause 7.4 requires the organisation to determine the need for internal and external communications relevant to the ISMS. This document defines what is communicated, when, by whom, to whom, and through which channels.
2. Internal Communications
2.1 Routine Security Communications
| What | When | From | To | Channel | Record |
|---|---|---|---|---|---|
| Security policy updates | When policies change | Jan Marc Castlunger (ISO) | All staff | Email + team meeting | Email archive; meeting notes |
| Security awareness reminders | Monthly | Jan Marc Castlunger (ISO) | All staff | Email | Email archive |
| Incident alerts (P1/P2) | Immediately upon detection | Incident lead | All staff | Email + phone/messaging | Incident record |
| Risk register changes | When risks change | Jan Marc Castlunger (ISO) | All staff | Email | Email archive |
| Access review results | Quarterly | Jan Marc Castlunger (ISO) | Affected users | | Access review record |
| Audit findings summary | After each audit | Jan Marc Castlunger (ISO) | All staff | Team meeting | Meeting minutes |
| ISMS objectives progress | Quarterly | Jan Marc Castlunger (ISO) | All staff | Team meeting | Meeting minutes |
2.2 Management Communications
| What | When | From | To | Channel | Record |
|---|---|---|---|---|---|
| Management review inputs | 2 weeks before review | Jan Marc Castlunger (ISO) | All attendees | Email + shared drive | Management review package |
| Management review minutes | Within 5 business days | Sebastian Windeck (CTO) | All attendees | Email + shared drive | MR Minutes |
| Annual security training | Annually (or upon hire) | Jan Marc Castlunger (ISO) | All staff | Video call + email | Training completion records |
| New/updated procedures | Upon publication | Document owner | Affected staff | | Document control log |
2.3 Security Incident Communications
See Incident Response Plan for the full escalation matrix. Summary:
| Severity | Internal Communication | Timeline |
|---|---|---|
| P1 — Critical | All staff notified via email + phone; CEO informed immediately | Within 1 hour |
| P2 — High | ISO + CTO + relevant staff notified via email | Within 4 hours |
| P3 — Medium | ISO notified via email | Within 24 hours |
| P4 — Low | Logged in incident register; reviewed at next team meeting | Next business day |
3. External Communications
3.1 Customer Communications
| What | When | From | To | Channel | Record |
|---|---|---|---|---|---|
| Service disruptions / outages | During P1/P2 incidents | Sebastian Windeck (CTO) | Affected customers | Status page + email | Status page logs; email archive |
| Security incident notification | If customer data affected | Jan Marc Castlunger (ISO) | Affected customers | Direct email | Notification records |
| API changes / deprecations | 30 days before change | Sebastian Windeck (CTO) | All API customers | Email + API changelog | Email archive; changelog |
| Compliance certifications (ISO 27001, SOC 2) | Upon achievement | Jan Marc Castlunger (ISO) | All customers | Email + website | Certificate copies |
| DPA / contractual updates | When terms change | Jan Marc Castlunger (ISO) | Affected customers | | Contract records |
3.2 Regulatory Communications
| What | When | From | To | Channel | Record |
|---|---|---|---|---|---|
| GDPR data breach notification | Within 72 hours of awareness | Sebastian Windeck (DPO) | BfDI / State DPA | Official notification portal | Notification record |
| Data subject requests (DSR) | Within 30 days of receipt | Sebastian Windeck (DPO) | Requesting data subject | | DSR log |
| Regulatory inquiries | As received | Sebastian Windeck (DPO) | Requesting authority | Official channels | Correspondence record |
3.3 Supplier Communications
| What | When | From | To | Channel | Record |
|---|---|---|---|---|---|
| Security incident involving supplier | Immediately | Jan Marc Castlunger (ISO) | Affected supplier | Support ticket + email | Incident record |
| DPA review / renewal | Annually | Sebastian Windeck (DPO) | Azure, GitHub, Google | Supplier portal | Supplier register |
4. Communication Channels
| Channel | Use Case | Availability |
|---|---|---|
| Email (Google Workspace) | Primary internal and external communication | 24/7 |
| Team meetings (video call) | Policy updates, training, audit findings, ISMS reviews | Scheduled |
| Phone / mobile | Emergency escalation (P1 incidents) | 24/7 — see emergency contacts in IRP |
| Status page (app.quick-id.com/health/) | Customer-facing service status | 24/7 automated |
| ISMS documentation site | Policy and procedure publication | 24/7 (Cloudflare Pages) |
| Google Drive | Evidence storage, internal documents | 24/7 |
5. Competence & Awareness (Clause 7.2, 7.3)
5.1 Competence
The following roles require demonstrated competence in information security:
| Role | Holder | Competence Evidence | Location |
|---|---|---|---|
| ISO | Jan Marc Castlunger | CEO with enterprise SaaS and compliance experience; CV on file | Google Drive > HR > CVs |
| DPO / CTO | Sebastian Windeck | CTO with cloud architecture and security expertise; CV on file | Google Drive > HR > CVs |
| Chief of AI | Malte Toetzke | AI/ML expertise with data governance experience; CV on file | Google Drive > HR > CVs |
Where competence gaps are identified, training or external support is arranged. Training records are maintained in Google Drive > Security > Training.
5.2 Awareness (Clause 7.3)
All staff must be aware of:
- The Information Security Policy (POL-001)
- Their contribution to ISMS effectiveness
- The implications of not conforming to ISMS requirements
- The ISMS objectives and their role in achieving them
Awareness is achieved through:
- Annual security awareness training (mandatory for all staff)
- Onboarding security briefing (within first week for new hires)
- Monthly security reminders (email)
- Incident debrief communication (after any P1/P2 incident)
6. Review
This communication plan is reviewed annually or when significant changes occur to communication channels, organisational structure, or regulatory requirements.
Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH
Date: March 2026