ISO 27001: 2022 A.5.5 Contact with authorities

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.5.5 Contact with authorities.

ISO 27001: 2022 Control Description

The organisation shall establish and maintain contact with relevant authorities.

Purpose

To ensure the appropriate flow of information concerning information security between the organisation and relevant legal, regulatory, and supervisory authorities.

Guidance

The organisation should specify when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner.

Implementation Guidance

Contacts with authorities should also be utilised to facilitate understanding of the current and upcoming expectations of these authorities (e.g., applicable information security regulations). Organisations under attack can request authorities to take action against the source of the attack.

Additional Information

Maintaining such contacts may be necessary to support information security incident management or the contingency planning and business continuity processes.

Contacts with regulatory bodies are also valuable for anticipating and preparing for upcoming changes in relevant laws or regulations that could affect the organisation. Contacts with other authorities might include utilities, emergency services, electricity suppliers, and health and safety agencies [e.g., fire departments (in connection with business continuity), telecommunication providers (in connection with line routing)].