Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“The organization shall establish and maintain contact with relevant authorities.”
Plain-language meaning
The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory request, or emergency happens.
This is not a generic address book. The control expects clear, current, authorized contact arrangements for the authorities that affect security, compliance, continuity, and incident response.
Why this matters
During a serious incident, wasting time asking “who do we call?” is operational failure. A mature ISMS identifies the relevant authorities in advance, assigns liaison responsibility, defines what can be shared, and tests or reviews the contact process.
Relevant authorities may include:
- data protection regulators;
- law enforcement or cybercrime units;
- sector regulators;
- national cybersecurity centers or CERT/CSIRT bodies;
- emergency services;
- telecom, cloud, or critical infrastructure regulators;
- professional licensing or industry oversight bodies;
- contractual or governmental reporting authorities.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Identify relevant authorities
Create an authority contact register based on legal, regulatory, contractual, operational, and incident-response needs.
| Context | Possible authority |
|---|---|
| Personal data breach | Data protection authority |
| Cyber extortion or criminal activity | Law enforcement or cybercrime unit |
| Critical service outage | Sector regulator or national cyber authority |
| Safety-related incident | Emergency services or safety regulator |
| Regulated industry | Financial, healthcare, telecom, or public-sector regulator |
| Cross-border operation | Authorities in relevant jurisdictions |
The list should be driven by Field of Application, Usage, and Compliance, Risk Assessment, Statement of Applicability, and business continuity planning.
2. Assign liaison responsibility
The organization should define who is authorized to contact authorities and who supports them.
Typical roles:
- primary authority liaison;
- legal counsel;
- data protection officer or privacy lead;
- CISO or security lead;
- incident manager;
- communications lead;
- executive approver.
Do not leave this to ad hoc judgment during a breach. That will fail under pressure.
3. Define contact triggers
For each authority, define when contact is required or appropriate.
| Trigger type | Example |
|---|---|
| Legal trigger | Mandatory breach notification threshold is met |
| Incident trigger | Ransomware, fraud, data leakage, or major service compromise |
| Continuity trigger | Critical service disruption affects regulated commitments |
| Time-driven trigger | Quarterly or annual relationship check-in |
| Preparedness trigger | Participation in exercises, briefings, or alerts |
4. Control what information is shared
Authority contact does not mean uncontrolled disclosure.
Define:
- who approves external communication;
- what information may be shared;
- what must be withheld or redacted;
- whether legal privilege applies;
- whether non-disclosure agreements are needed;
- required reporting formats;
- recordkeeping requirements.
This connects directly to Information Security Policy, A.5.2 Information Security Roles and Responsibilities, and A.5.4 Management Responsibilities.
5. Maintain and test contact details
Contact details should be reviewed periodically and after relevant changes.
Examples:
- regulator changes portal or notification address;
- liaison officer leaves;
- new jurisdiction becomes in scope;
- new supplier or sector obligation appears;
- incident response plan changes;
- business continuity contacts are updated.
Testing can be simple. For example, confirm portal access, validate emergency numbers, or run a tabletop exercise that includes authority notification.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that authority contacts are:
- identified based on actual legal, regulatory, operational, and incident-response needs;
- documented and current;
- assigned to named roles;
- linked to incident response, continuity, compliance, and reporting procedures;
- supported by approval and disclosure rules;
- known by the people expected to use them.
The auditor may test whether a liaison can explain:
- which authorities are relevant;
- when contact is initiated;
- who approves the contact;
- what information may be shared;
- how contact details are maintained;
- where records of authority communication are kept.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Authority contact register | Relevant authorities are identified and maintained |
| Incident response plan | Authority notification is embedded in response workflow |
| Business continuity and contingency plans | Critical external contacts exist for disruption scenarios |
| Legal and regulatory obligation register | Authorities are tied to compliance requirements |
| Communication approval procedure | External information sharing is controlled |
| Breach notification procedure | Mandatory reporting triggers are understood |
| Contact review records | Details are periodically checked |
| Tabletop exercise records | Contact paths are tested |
| Actual notification records | Process works during real events |
| Liaison role description | Responsibility is assigned |
Strong evidence
- Contact register includes authority name, purpose, trigger, owner, backup, contact method, review date, and approval requirements.
- Incident response playbooks include authority notification decision points.
- Legal or compliance mapping explains why each authority is relevant.
- Contact details are reviewed and tested at planned intervals.
- Liaison personnel can explain when and how to contact authorities.
- Actual incident records show timely, authorized, documented communication.
- External disclosures are reviewed by legal, privacy, or authorized management where appropriate.
Weak evidence
- A static list of phone numbers with no owner or review date.
- Generic “call regulator if needed” wording.
- Contact details stored only in one person’s inbox.
- No backup liaison.
- No clear approval path for sharing sensitive information.
- Incident responders do not know who can contact authorities.
- Authority contacts exist but are not connected to legal obligations or incident procedures.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Authorities identified only after an incident | Notification is delayed and chaotic |
| No authorized liaison | Staff may over-disclose, under-disclose, or fail to report |
| Contact list is stale | Contact fails when needed |
| No link to legal obligations | Mandatory notifications can be missed |
| No disclosure rules | Sensitive information may be released improperly |
| No backup contact owner | Process fails when the primary person is unavailable |
| Contacts exist but are not tested | The process may be theoretical |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- “Authorities” does not only mean police. It can include regulators, CERTs, emergency services, sector bodies, and other official authorities.
- A contact list alone is not enough. The organization needs purpose, ownership, triggers, authorization, and maintenance.
- Contact with authorities is not only incident-driven. Some relationships may be maintained through periodic engagement or preparedness activity.
- This control does not authorize uncontrolled information sharing. Disclosure still needs approval and confidentiality handling.
- Small organizations are not exempt. Their contact set may be smaller, but it still must match their legal and operational context.
Related controls and concepts
- A.5.1 Policies for Information Security
- A.5.2 Information Security Roles and Responsibilities
- A.5.4 Management Responsibilities
- Risk Assessment
- Statement of Applicability
- Internal Audit
- Management Review
- Field of Application, Usage, and Compliance
- Information Security Management System
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.5 requires the organization to establish and maintain contact with relevant authorities. In practice, this means identifying applicable authorities, assigning liaison roles, defining contact triggers, controlling what information can be shared, keeping contact details current, and embedding authority contact into incident response, continuity, and compliance processes.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Authorities
- Incident response
- Compliance
- Audit
Note Metadata
Aliases: A.5.5, Contact with Authorities
Source: 02 Annex A Organizational Controls/A.5.5 Contact with Authorities.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Field of Application, Usage, and Compliance
- Information Security Management System
- Internal Audit
- Management Review
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.7 - Threat Intelligence
- A.5 Organizational Controls MOC
- A.5.5 Audit Evidence Pack
- AQ-ISO27001-A.5.5 Contact with Authorities
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.5 Contact with Authorities
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.5.5 Audit Checklist
- Authority Contact Register
- Template - Corrective Action Tracker
- Template - Evidence Request List
- Annex A Controls MOC