Purpose
This procedure defines what, when, with whom, who, and how Maelstrom AI communicates regarding information security matters. It is designed to address the requirements of ISO 27001:2022 Clause 7.4 (Communication).
Scope
Applies to all internal and external communications related to the ISMS, including:
- Policy and procedure changes
- Security incidents and breaches
- Risk assessment and audit outcomes
- Training requirements
- Supplier and regulatory communications
Communication Matrix
The following matrix defines the required ISMS communications.
| Topic | What is Communicated | When | With Whom | Who Communicates | Channel / How |
|---|---|---|---|---|---|
| ISMS policy changes | Updated policies, new requirements, changed responsibilities | Annual review or upon ad-hoc change | All team members | ISMS Owner | Email notification + published documentation on maelstrom.au/trust |
| Security incidents | Incident details, impact assessment, response actions, lessons learned | Upon detection and throughout response | Affected parties, management, and (if required) regulators | Security Lead | Signal (urgent) + email (formal record) |
| Risk assessment results | Updated risk register, new or changed risks, treatment plan status | Quarterly | Management | Security Lead | Management review meeting + written report |
| Audit findings | Nonconformities, observations, corrective action requirements | After each internal or external audit | Management, auditees | Lead Auditor | Formal audit report distributed via email |
| Data breach notification (Australian) | Nature of breach, information involved, response actions, contact details | As soon as practicable after becoming aware of an eligible data breach under the NDB scheme | Office of the Australian Information Commissioner (OAIC) + affected individuals | ISMS Owner | Formal notification per Notifiable Data Breaches (NDB) scheme |
| GDPR breach notification | Nature of breach, categories of data, likely consequences, measures taken | Within 72 hours of awareness (per GDPR Article 33) | Relevant Data Protection Authority (DPA) | ISMS Owner | Formal notification per GDPR Article 33 |
| Management review outcomes | Decisions, action items, resource requirements, improvement plans | After each management review | All team members | ISMS Owner | Meeting minutes + action item tracking |
| Training requirements | Required training, deadlines, completion status | Onboarding + annually | All team members | Security Lead | Email notification + training platform |
| Supplier security updates | Security requirements, assessment results, policy changes affecting suppliers | As needed | Relevant suppliers | ISMS Owner | Email (see External Channels) |
| External security advisories | Vulnerability details, affected systems, required actions | As received and assessed | Affected teams | Security Lead | Signal (urgent) + email |
Communication Channels
Internal Channels
| Channel | Use Case | Sensitivity Level |
|---|---|---|
| Email | Formal notifications, policy distribution, training reminders, audit reports | General ISMS communications |
| Signal | Urgent security communications, incident coordination, sensitive discussions | Sensitive and time-critical |
| GitHub Issues and PRs | Development-related security discussions, code review, change management | Technical and operational |
| Management review meetings | Strategic decisions, risk acceptance, resource allocation | Management-level |
External Channels
| Channel | Use Case | Authorisation Required |
|---|---|---|
| Published documentation (maelstrom.au/trust) | Public ISMS policies and procedures | ISMS Owner approval via PR |
| Formal notification (OAIC, DPA) | Breach notifications per NDB scheme or GDPR | ISMS Owner approval before sending |
| Email (suppliers) | Supplier security communications | ISMS Owner approval |
| Email (security@maelstrom.au) | Inbound security reports, vulnerability disclosures | Monitored by Security Lead |
| Email (privacy@maelstrom.au) | Inbound privacy enquiries and complaints | Monitored by ISMS Owner |
External Communication Protocol
All external communications related to information security require ISMS Owner approval before sending. This applies to:
- Regulatory notifications (OAIC, DPAs)
- Responses to external security enquiries
- Security-related statements to customers or partners
- Vulnerability disclosure communications
- Supplier security assessments and requirements
Contact Points
| Address | Purpose | Monitored By |
|---|---|---|
| privacy@maelstrom.au | Privacy enquiries, data subject requests, privacy complaints | ISMS Owner |
| security@maelstrom.au | Security vulnerability reports, security enquiries | Security Lead |
Inbound Security Reports
When a security vulnerability report is received at security@maelstrom.au:
- Security Lead acknowledges receipt within 2 business days
- Security Lead assesses the report and triages
- If valid, follow the Incident Response Procedure
- Communicate resolution to the reporter once fixed
Breach Notification Process
Australian NDB Scheme
When an eligible data breach is identified:
- Security Lead assesses whether the breach is likely to result in serious harm to any affected individual (the Privacy Act requires this assessment to be completed within 30 days of becoming aware of a suspected breach)
- If serious harm is likely, ISMS Owner is notified immediately
- ISMS Owner prepares notification to the OAIC as soon as practicable after the assessment is complete
- Affected individuals are notified as soon as practicable
- Notification includes: nature of breach, information involved, steps taken, recommended actions for individuals, contact details
GDPR (where applicable)
When personal data of EU/EEA residents is involved:
- ISMS Owner determines the relevant Data Protection Authority
- Notification submitted within 72 hours per Article 33
- Notification includes: nature of breach, categories and approximate number of data subjects and records, likely consequences, measures taken or proposed, and contact details of the ISMS Owner
- If notification cannot be made within 72 hours, reasons for delay are documented and submitted with the notification
- Where the breach is likely to result in a high risk to individuals, affected data subjects are also informed without undue delay (GDPR Article 34)
Communication Records
Records of ISMS communications are retained as follows:
- Email notifications. Retained in email system
- Signal messages. Retained per device settings only (disappearing messages may remove them), so incident-related decisions and timelines are summarised in the incident record, which is the authoritative record
- Meeting minutes. Stored in management review records
- Audit reports. Retained per Internal Audit Program
- Breach notifications. Retained for a minimum of 3 years
- PR review discussions. Retained in Git history
All communication records are available for audit review.
Related Documents
- Incident Response Procedure - Communication during incidents
- Management Review - Management-level communication
- Document Control Procedure - Publication and distribution of documents
- Privacy Complaints Procedure - Handling privacy-related communications
- Roles and Responsibilities - Who is responsible for each communication type
Document Information
- Version. 1.0
- Effective Date. 2026-02-13
- Owner. ISMS Owner
- Review Frequency. Annually
- Next Review. 2027-02-13
- Classification. Public