UnixTime

Research Note

ISO 27001 A.5.5 - Contact with Authorities

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory reques...

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“The organization shall establish and maintain contact with relevant authorities.”

Plain-language meaning

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory request, or emergency happens.

This is not a generic address book. The control expects clear, current, authorized contact arrangements for the authorities that affect security, compliance, continuity, and incident response.

Why this matters

During a serious incident, wasting time asking “who do we call?” is operational failure. A mature ISMS identifies the relevant authorities in advance, assigns liaison responsibility, defines what can be shared, and tests or reviews the contact process.

Relevant authorities may include:

  • data protection regulators;
  • law enforcement or cybercrime units;
  • sector regulators;
  • national cybersecurity centers or CERT/CSIRT bodies;
  • emergency services;
  • telecom, cloud, or critical infrastructure regulators;
  • professional licensing or industry oversight bodies;
  • contractual or governmental reporting authorities.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Identify relevant authorities

Create an authority contact register based on legal, regulatory, contractual, operational, and incident-response needs.

Context Possible authority
Personal data breach Data protection authority
Cyber extortion or criminal activity Law enforcement or cybercrime unit
Critical service outage Sector regulator or national cyber authority
Safety-related incident Emergency services or safety regulator
Regulated industry Financial, healthcare, telecom, or public-sector regulator
Cross-border operation Authorities in relevant jurisdictions

The list should be driven by Field of Application, Usage, and Compliance, Risk Assessment, Statement of Applicability, and business continuity planning.

2. Assign liaison responsibility

The organization should define who is authorized to contact authorities and who supports them.

Typical roles:

  • primary authority liaison;
  • legal counsel;
  • data protection officer or privacy lead;
  • CISO or security lead;
  • incident manager;
  • communications lead;
  • executive approver.

Do not leave this to ad hoc judgment during a breach. That will fail under pressure.

3. Define contact triggers

For each authority, define when contact is required or appropriate.

Trigger type Example
Legal trigger Mandatory breach notification threshold is met
Incident trigger Ransomware, fraud, data leakage, or major service compromise
Continuity trigger Critical service disruption affects regulated commitments
Time-driven trigger Quarterly or annual relationship check-in
Preparedness trigger Participation in exercises, briefings, or alerts

4. Control what information is shared

Authority contact does not mean uncontrolled disclosure.

Define:

  • who approves external communication;
  • what information may be shared;
  • what must be withheld or redacted;
  • whether legal privilege applies;
  • whether non-disclosure agreements are needed;
  • required reporting formats;
  • recordkeeping requirements.

This connects directly to Information Security Policy, A.5.2 Information Security Roles and Responsibilities, and A.5.4 Management Responsibilities.

5. Maintain and test contact details

Contact details should be reviewed periodically and after relevant changes.

Examples:

  • regulator changes portal or notification address;
  • liaison officer leaves;
  • new jurisdiction becomes in scope;
  • new supplier or sector obligation appears;
  • incident response plan changes;
  • business continuity contacts are updated.

Testing can be simple. For example, confirm portal access, validate emergency numbers, or run a tabletop exercise that includes authority notification.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that authority contacts are:

  • identified based on actual legal, regulatory, operational, and incident-response needs;
  • documented and current;
  • assigned to named roles;
  • linked to incident response, continuity, compliance, and reporting procedures;
  • supported by approval and disclosure rules;
  • known by the people expected to use them.

The auditor may test whether a liaison can explain:

  • which authorities are relevant;
  • when contact is initiated;
  • who approves the contact;
  • what information may be shared;
  • how contact details are maintained;
  • where records of authority communication are kept.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Authority contact register Relevant authorities are identified and maintained
Incident response plan Authority notification is embedded in response workflow
Business continuity and contingency plans Critical external contacts exist for disruption scenarios
Legal and regulatory obligation register Authorities are tied to compliance requirements
Communication approval procedure External information sharing is controlled
Breach notification procedure Mandatory reporting triggers are understood
Contact review records Details are periodically checked
Tabletop exercise records Contact paths are tested
Actual notification records Process works during real events
Liaison role description Responsibility is assigned

Strong evidence

  • Contact register includes authority name, purpose, trigger, owner, backup, contact method, review date, and approval requirements.
  • Incident response playbooks include authority notification decision points.
  • Legal or compliance mapping explains why each authority is relevant.
  • Contact details are reviewed and tested at planned intervals.
  • Liaison personnel can explain when and how to contact authorities.
  • Actual incident records show timely, authorized, documented communication.
  • External disclosures are reviewed by legal, privacy, or authorized management where appropriate.

Weak evidence

  • A static list of phone numbers with no owner or review date.
  • Generic “call regulator if needed” wording.
  • Contact details stored only in one person’s inbox.
  • No backup liaison.
  • No clear approval path for sharing sensitive information.
  • Incident responders do not know who can contact authorities.
  • Authority contacts exist but are not connected to legal obligations or incident procedures.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Authorities identified only after an incident Notification is delayed and chaotic
No authorized liaison Staff may over-disclose, under-disclose, or fail to report
Contact list is stale Contact fails when needed
No link to legal obligations Mandatory notifications can be missed
No disclosure rules Sensitive information may be released improperly
No backup contact owner Process fails when the primary person is unavailable
Contacts exist but are not tested The process may be theoretical

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • “Authorities” does not only mean police. It can include regulators, CERTs, emergency services, sector bodies, and other official authorities.
  • A contact list alone is not enough. The organization needs purpose, ownership, triggers, authorization, and maintenance.
  • Contact with authorities is not only incident-driven. Some relationships may be maintained through periodic engagement or preparedness activity.
  • This control does not authorize uncontrolled information sharing. Disclosure still needs approval and confidentiality handling.
  • Small organizations are not exempt. Their contact set may be smaller, but it still must match their legal and operational context.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.5 requires the organization to establish and maintain contact with relevant authorities. In practice, this means identifying applicable authorities, assigning liaison roles, defining contact triggers, controlling what information can be shared, keeping contact details current, and embedding authority contact into incident response, continuity, and compliance processes.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Authorities
  • Incident response
  • Compliance
  • Audit

Note Metadata

Aliases: A.5.5, Contact with Authorities

Source: 02 Annex A Organizational Controls/A.5.5 Contact with Authorities.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.