ISO 27001 Annex A Control 5.6

ISO 27001 control 5.6 Contact with special interest groups

The basics

ISO 27001 control A.5.6 Contact with special interest groups requires organizations to identify, and maintain contact with, relevant special interest groups (e.g., security associations, security forums, suppliers' security teams and other security experts) whose members have access to high-quality security information and specialist security skills. The purpose is to receive timely security information (e.g., early warnings about vulnerabilities, threats and patches), to obtain expert help so that problems can be solved quickly, and to build the organization's own information security knowledge.

Documentation

ISO 27001 control A.5.6 Contact with special interest groups can be documented:

  • for smaller and mid-sized companies by defining in the Statement of Applicability (SoA) who is responsible for the contact with appropriate groups (e.g., security associations, forums, etc.)
  • for larger companies by writing a Procedure for Contacting With Special Interest Groups

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.5.6 Contact with special interest groups you might implement the following:

  • Technology — the technology needed to communicate with special interest groups (e.g., suppliers, security forums, security experts, etc.) is in most cases already available in the company. Companies of all sizes will usually be able to reach special interest groups through the same communication channels used in daily operations (e.g., e-mail, phone, online forums, online meetings, etc.)
  • Organization/processes — set up a process that defines who is responsible for contact with each special interest group, how often contact is made, and in which situations it is required (e.g., when a new vulnerability is announced or during an incident). You can document this process in a Procedure for Contacting With Special Interest Groups
  • People — make employees aware of why contact with special interest groups is needed, and train them on how to define the requirements for such contacts (which groups to follow, what information to obtain, and to whom it should be passed on).

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.6 Contact with special interest groups: whether relevant special interest groups have been identified, who is responsible for contact with them, and whether communication with them actually takes place when required (e.g., membership records, received security advisories, correspondence or meeting notes).

These are the things the auditor will be looking for; if this evidence is not found, it is considered a nonconformity.