How to Audit What Changed Between the 2013 and 2022 Versions: ISO 27001 Annex A 5.5

ISO 27001 Annex A 5.5 - what changed in the 2022 update

If you are preparing for an internal audit or transitioning your Information Security Management System (ISMS) to the latest standards, you have likely noticed that the landscape has shifted. One specific area that requires a closer look is how your organisation interacts with the outside world—specifically, government bodies and regulators. This brings us to the transition from the 2013 version to the updated ISO 27001:2022 Annex A 5.5, “Contact with Authorities.”

Auditing this control isn’t just about checking a phone list anymore. It’s about ensuring your organisation has a functional, documented, and resilient process for external communication during a crisis. Let’s break down what has changed and how you can audit it effectively.

The Shift from A.6.1.1 to 5.5

In the older ISO 27001:2013 standard, this requirement was found under Control A.6.1.1. It was relatively straightforward, focusing on maintaining appropriate contacts with relevant authorities. However, the 2022 update has rebranded and renumbered this as Control 5.5.

The core change isn’t just the number; it’s the context. While the 2013 version was often treated as a “static” list of contact details, the 2022 version places a much heavier emphasis on the process of engagement. According to Hightable.io, the update reflects a more modern approach to governance, ensuring that when an incident occurs, the right people know exactly who to call, why they are calling them, and how to do it securely.

What an Auditor Needs to Look For

When you are auditing Annex A 5.5, you are essentially looking for evidence of preparedness. The standard requires that the organisation maintains contacts with relevant authorities, such as law enforcement, regulatory bodies, and government agencies. Here is what should be on your audit checklist:

1. The Contact Register: Does the organisation have a list of relevant authorities? This list shouldn’t just be a generic “Police” or “Regulator” entry. It should include specific agencies relevant to your industry and jurisdiction, such as data protection authorities (like the ICO in the UK) or industry-specific regulators.

2. Defined Responsibilities: An auditor will want to see who is authorised to make these contacts. If everyone in the office thinks it is someone else’s job to report a data breach to the authorities, then the control is failing. You need to see clear roles and responsibilities defined within your policies.

3. Communication Procedures: It is no longer enough to just have a name and number. The audit should verify that there is a procedure for when and how these authorities are contacted. This is especially vital during an information security incident where timing can be a legal requirement.

Key Differences in the 2022 Version

One of the most notable changes in the 2022 version is the alignment with modern cybersecurity concepts. Control 5.5 is now categorised under “Organisational Controls” rather than “General.” It also includes specific attributes that help you understand its purpose: it is primarily a Corrective and Preventive control.

As Hightable.io points out, the 2022 version is much more focused on the speed and appropriateness of the reaction. In an audit, you should check if the organisation has considered the legal and regulatory requirements for reporting. For example, if you suffer a breach, do you know the specific timeframe required by law to notify the authorities? If that isn’t documented, you aren’t fully compliant with the spirit of the 2022 update.

How to Evidence Compliance During an Audit

To pass an audit for Annex A 5.5, you need “tangible” evidence. You cannot simply tell an auditor that you know who to call. You should be prepared to show:

  • An up-to-date contact list that is reviewed at regular intervals (usually annually).
  • Incident response plans that specifically trigger a “Contact Authorities” step.
  • Records of any past interactions with authorities, showing that the process was followed (if applicable).
  • Documented evidence of identifying which specific laws or regulations require you to contact certain authorities.

Common Pitfalls to Avoid

The most common mistake auditors find when looking at the transition from 2013 to 2022 is the “Set and Forget” list. Many organisations created a contact list in 2014 and haven’t looked at it since. People leave jobs, agencies change names, and new regulations (like GDPR or NIS2) create new reporting obligations.

Another pitfall is failing to specify which authority to contact for which incident. Calling the local police for a minor software glitch is unnecessary, but failing to call the national cyber security centre for a ransomware attack is a major failure. Your audit should confirm that your team knows the difference.

The Final Verdict on Auditing 5.5

The move to ISO 27001:2022 Annex A 5.5 is about turning a passive list into an active capability. It demands that management takes a proactive role in understanding their external environment. By auditing the process, the roles, and the regulatory requirements—rather than just the phone numbers—you ensure that the organisation is truly ready for the complexities of modern information security.

For a deeper dive into the specific documentation needed to satisfy these requirements, resources like Hightable.io provide excellent templates and guidance to ensure your implementation stands up to the scrutiny of any external auditor.