This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.5.5 Contact with authorities.
ISO 27001:2022 Control Description
The organisation shall establish and maintain contact with relevant authorities.
Purpose
To ensure the appropriate flow of information concerning information security between the organisation and relevant legal, regulatory, and supervisory authorities.
Guidance
The organisation should specify when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner.
Implementation Guidance
Contacts with authorities should also be utilised to facilitate understanding of the current and upcoming expectations of these authorities (e.g., applicable information security regulations). Organisations under attack can request authorities to take action against the source of the attack.
Additional Information
Maintaining such contacts may be necessary to support information security incident management or the contingency planning and business continuity processes.
Contacts with regulatory bodies are also valuable for anticipating and preparing for upcoming changes in relevant laws or regulations that could affect the organisation. Contacts with other authorities might include utilities, emergency services, electricity suppliers, and health and safety agencies [e.g., fire departments (in connection with business continuity), telecommunication providers (in connection with line routing)].