The basics
ISO 27001 control A.5.5 Contact with authorities requires companies to identify relevant authorities and maintain communication with them, in order to handle incidents properly and to help comply with upcoming laws or regulations. This helps the company handle security activities more effectively and avoid fines for noncompliance.
Documentation
ISO 27001 control A.5.5 Contact with authorities can be documented:
- For smaller companies by defining in the Statement of Applicability (SoA) who is responsible for the contact with the appropriate authorities (i.e., no separate document is needed).
- For mid-sized companies by writing the contact with appropriate authorities (e.g., police, fire department, etc.) in an Incident Management Procedure or Disaster Recovery Plan.
- For larger companies by writing an Emergency Contact Procedure.
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.5.5 Contact with authorities, you might implement the following:
- Technology — the technology needed to communicate with authorities (e.g., police, fire department, government agencies, etc.) will in most cases already be available in the company. Companies of all sizes will probably be able to communicate with authorities through the same channels they use in daily operations (e.g., e-mail, phones, online meetings, etc.).
- Organization/processes — you should set up a process for defining who is responsible for the contact with the appropriate authorities and in which situations. You can document those processes through an Incident Management Procedure, Disaster Recovery Plan, or an Emergency Contact Procedure.
- People — make employees aware of why establishing contact with authorities is needed, and train them on how to define requirements for such contacts.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.5 Contact with authorities: whether relevant authorities have been identified, and whether communication with them takes place when required.