All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base
Company Security and customers first
About News Partners Careers Contact

ISO 27001:2022 Annex 5.5: Contact with Government authorities

Annex 5.5 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex 6.1.3.

Annex 5.5 of the ISO 27001:22 standard summarises the requirements, purpose and implementation instructions for identifying and, subsequently, reporting information security events. It also identifies who should be contacted in the event of an incident such as a data breach.

The annex states that an organisation should have a process in place for contacting the appropriate authorities as soon as an incident has been identified, in order to meet legal, regulatory and contractual obligations.

The term “relevant authorities” may relate to the likes of the police and the commissioner’s office. An organisation’s instructions should clearly define which governing body or regulatory authority to contact in the event of a specific incidents. In addition, clear roles and permissions should be allocated to specific personnel who hold the responsibility for sharing data.

Contact with Government authorities: what you need to know

The purpose of Annex 5.5 is to provide an organisation with guidelines to ensure that information security information is shared with the appropriate authorities at the appropriate time and by the appropriate team members in the event of an incident. This is not only important in minimising the damage caused by an incident but also in helping to avoid worst case scenarios in terms of potential fines or punishments in the event of an error.

Should an incident occur, an organisation should have a plan in place for maintaining a dialogue with the authorities and cooperating as required. This strategy for exchanging information and retaining a relationship should be clearly outlined before an incident occurs but it should also be used to work with regulatory bodies to prepare for any future changes in relevant laws or regulations.

What’s changed from ISO 27001:2013?

ISO 27001:2022 Annex A control 5.5 Contact with Government authorities was previously featured under control 6.1.3 of the ISO 27001:2013 standard. Within the 2022 version of the standard, a number of minor changes have been made to update the terminology used to clarify an organisation’s requirements and responsibilities but also make the control more engaging for users.