Register Owner: CISO (internal) and General Counsel (external/regulatory)
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001:2022 cl. 7.4; supports SOC 2 CC2.x and ISO/IEC 42001
The plan required by ISO/IEC 27001:2022 cl. 7.4 — determining the internal and external communications relevant to the ISMS (and AIMS): what is communicated, when, with whom, by whom, and how.

1. Internal communications

WhatAudienceWhen / cadenceBy whomChannel
Policy publication & material changesAll workforceOn approval; re-ack on material changeCISO + CHROVanta acknowledgement; docs site
Security-awareness trainingAll workforceAt hire + annuallyCHRO via VantaVanta training
Security/privacy incident reportingReporter → SecurityImmediately on discoveryAll staffsecurity@neuroscale.ai; Linear
Incident status (P0/P1)Affected internal teamsDuring incidentIncident ManagerWar-room channel
System changes affecting usersAuthorized internal usersBefore/at changeCTO / EngChangelog; internal comms
ISMS/AIMS objectives & review outcomesManagement; control ownersEach management reviewCISOISMS-MR minutes
Risk register / audit findingsControl owners; managementQuarterly + on findingCISORisk register; Linear

2. External communications

WhatAudienceWhenBy whomChannel
Security commitmentsCustomers / prospectsPre-contract; on changeGC / SalesMSA / ToS; Trust Center
Sub-processor changesCustomers≥ 30 days before (or 14 if exigent)GCSubprocessor List subscription
Critical system changesCustomersBefore/at changeCTO / CSStatus page; customer notice
Service availability / statusCustomersReal-time + on incidentCTOStatus page (Better Stack)
Breach / incident notificationCustomers; data subjectsWithout undue delay / per law & contractGCCustomer Communications templates
Regulatory & supervisory-authority reportsRegulators / AGs / DPAsPer statutory deadlineGCAuthority intake; regulatory-correspondence log
AI serious-incident reportsMarket-surveillance / AGPer AI Serious-Incident ReportingGCAuthority mechanism
Privacy notices & AI transparencyPublic / candidatesPublished; kept currentGCPrivacy Notice; AI Transparency
Whistleblower channelWorkforce + third partiesContinuousCEO / VGCGlobaLeaks; Whistleblower Policy

3. Principles

  • Communications use defined, named owners; external regulatory communications route through the General Counsel.
  • Confidential/incident communications follow need-to-know and the Incident Response Policy privilege handling.
  • The authoritative cadence for any recurring communication is the source policy/procedure; this plan indexes them.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial information security communication plan.Cameron WolfeIshan Jadhwani