Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

ISO 27001:2022 Annex 5.5: Contact with Government authorities

Annex 5.5 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex 6.1.3.

Annex 5.5 of the ISO 27001:22 standard summarises the requirements, purpose and implementation instructions for identifying and, subsequently, reporting information security events. It also identifies who should be contacted in the event of an incident such as a data breach.

The annex states that an organisation should have a process in place for contacting the appropriate authorities as soon as an incident has been identified, in order to meet legal, regulatory and contractual obligations.

The term “relevant authorities” may relate to the likes of the police and the commissioner’s office. An organisation’s instructions should clearly define which governing body or regulatory authority to contact in the event of a specific incidents. In addition, clear roles and permissions should be allocated to specific personnel who hold the responsibility for sharing data.

Contact with Government authorities: what you need to know

The purpose of Annex 5.5 is to provide an organisation with guidelines to ensure that information security information is shared with the appropriate authorities at the appropriate time and by the appropriate team members in the event of an incident. This is not only important in minimising the damage caused by an incident but also in helping to avoid worst case scenarios in terms of potential fines or punishments in the event of an error.

Should an incident occur, an organisation should have a plan in place for maintaining a dialogue with the authorities and cooperating as required. This strategy for exchanging information and retaining a relationship should be clearly outlined before an incident occurs but it should also be used to work with regulatory bodies to prepare for any future changes in relevant laws or regulations.

What’s changed from ISO 27001:2013?

ISO 27001:2022 Annex A control 5.5 Contact with Government authorities was previously featured under control 6.1.3 of the ISO 27001:2013 standard. Within the 2022 version of the standard, a number of minor changes have been made to update the terminology used to clarify an organisation’s requirements and responsibilities but also make the control more engaging for users.