ISO 27001 Annex A 5.5 is about an organisation establishing and maintaining contact with the authorities that matter to it. The goal is to make sure information about security flows in both directions between the organisation and bodies such as law enforcement, regulators and government agencies, so that the organisation can report incidents when it has to, get timely guidance, and stay on the right side of the law.
What is ISO 27001 Annex A 5.5 Contact With Authorities?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 standard the control is titled “Contact With Authorities”. (In the 2013 edition the equivalent control was A.6.1.3; the 2022 edition renumbered it to 5.5 under the “Organisational controls” theme.)
What is the ISO 27001 Annex A 5.5 control objective?
The control text in the standard is: “The organisation should establish and maintain contact with relevant authorities.”
What is the purpose of ISO 27001 Annex A 5.5?
The purpose of ISO 27001 Annex A 5.5 is “To ensure the appropriate flow of information takes place with respect to information security between the organisation and relevant legal, regulatory and supervisory authorities.”
Is ISO 27001 Annex A 5.5 Mandatory?
ISO 27001 Annex A control 5.5 (Contact With Authorities in the 2022 standard) is not automatically mandatory in the way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard (clause 6.1.3) requires you to compare the controls you have chosen against Annex A and to produce a Statement of Applicability that records, for 5.5 and every other Annex A control, whether it is included and why, or why it has been excluded. So you can exclude 5.5 if it genuinely does not apply to your organisation’s risks and context, but you must justify that exclusion in writing, and in practice almost every organisation has at least some authority (a data protection regulator, the police, a sector supervisor) it may need to contact.
Key Parts of the Rule
To meet this control you should have clear plans and documented procedures. The important steps are:
- Make a list: write down all the authorities you might need to contact. Depending on your context this could include law enforcement, the fire department, utility providers, data protection or privacy regulators, and sector-specific supervisory bodies.
- Know when to call: define the triggers for contacting each authority. Typical triggers are a security incident that carries a legal reporting obligation (for example a personal data breach that must be notified to a data protection authority within a set deadline) and a new or changed law or regulation you have to comply with.
- Create a plan: document how each authority is contacted (who in the organisation is authorised to make contact, through which channel, and with what information). This should be integrated into your incident response and business continuity plans rather than kept as a separate document nobody reads during an incident.
- Keep it current: review the contact list on a fixed schedule and whenever an authority, a contact person or a reporting obligation changes, so that the details are correct when you actually need them.
What an Auditor Will Check
An auditor will want to see evidence that the control is in place and working. They will look for:
- A list of the authorities you might need to contact, with current contact details.
- A documented procedure describing when and how you would contact each authority, and who is responsible for doing so.
- Records showing that you reviewed the list and, where an incident or regulatory change required it, that you actually made contact with the relevant authority.
You can learn more about Contact With Authorities and ISO 27001 by watching this video: ISO 27001 Annex A 5.5 Contact With Authorities Explained.