ISO 27001 A.5.5: Contact with authorities
What This Control Requires
The organization shall establish and maintain contact with relevant authorities.
In Plain Language
When a major breach happens, you need to know exactly who to call. This control is about having those contacts ready before you need them - law enforcement, regulators, data protection authorities, your national CERT team. This is especially critical for incident response. Under GDPR, you have 72 hours to notify your data protection authority after a personal data breach. Under NIS2, the timelines are even tighter. Scrambling to find the right phone number during a crisis is not a position you want to be in.

Which authorities matter depends on your industry, jurisdiction, and the types of data you process. A fintech company has different regulatory contacts than a healthcare provider. If you operate across multiple EU member states, you likely need contacts in each one. The point is to think this through in advance and keep the list current.
How to Implement
Identify all relevant authorities based on your industry, location, and regulatory requirements. Build a contact register that includes the authority name, contact details, the circumstances that would trigger contact, and the internal person responsible for maintaining that relationship.

Common authorities to cover:
- Local and national law enforcement for cybercrime reporting
- Data protection authorities for GDPR breach notifications
- Sector-specific regulators (financial, healthcare, energy)
- National cybersecurity agencies and CERT teams
- Fire and emergency services
- Health and safety authorities
- Relevant standards bodies

Write clear procedures for when and how to contact each authority. Spell out the triggering circumstances, the information to provide, the internal escalation path, and the expected response times. Make sure these align with your legal notification deadlines.

Assign specific people as liaison points for each authority. They need to understand the regulatory requirements, have the authority to speak on behalf of the organization, and maintain the relationship through regular engagement where appropriate. Joining information-sharing organizations or industry groups is a good way to build these connections.

Test the procedures as part of your incident response exercises. Keep contact details current and review the register at least annually. Log all interactions with authorities for your audit trail.
Evidence Your Auditor Will Request
- Register of relevant authorities with current contact details
- Documented procedures for contacting authorities in various scenarios
- Records of interactions with authorities including incident reports filed
- Assignment of liaison responsibilities to specific personnel
- Evidence of periodic review and update of authority contact information
Common Mistakes
- No documented list of relevant authorities or their contact details
- Contact details are outdated and have not been verified recently
- No clear procedures for when and how to report incidents to authorities
- Responsibility for authority liaison is not assigned to specific individuals
- Organization is unaware of mandatory reporting obligations in its jurisdiction
Related Controls Across Frameworks
Frequently Asked Questions
Which authorities should we maintain contact with?
How do we maintain these contacts in practice?