Annex A 5.5 - Contact With Authorities

Title of Control: Contact with Authorities

Introduction (what is it?): This control highlights the necessity for organizations to establish and maintain communication with relevant legal, regulatory, supervisory, and emergency authorities. It emphasizes the importance of facilitating the flow of information concerning information security between the organization and these authorities.

What is the purpose of it? The purpose of this control is to ensure that the organization maintains effective communication channels with relevant authorities. This communication supports timely reporting of information security incidents and compliance with legal and regulatory requirements, and helps the organization anticipate changes that might affect its security practices.

What are the benefits of meeting these requirements? Meeting these requirements offers several benefits:

  • Timely Reporting: Effective communication allows for the timely reporting of information security incidents to appropriate authorities.

  • Compliance: Maintaining contact with regulatory bodies supports compliance with applicable information security regulations.

  • Preparedness: Contacts with authorities help organizations anticipate and prepare for upcoming changes in laws or regulations.

  • Support during Attacks: Organizations under attack can request authorities to take action against the source of the attack.

  • Incident Management: Contacts with authorities are crucial for effective information security incident management.

  • Business Continuity: Communication with emergency services and utility providers aids in business continuity and disaster recovery planning.

How difficult is this control to meet? The difficulty of meeting this control depends on the organization's industry, size, and regulatory landscape. Establishing and maintaining contacts with relevant authorities can involve legal considerations and coordination efforts. However, with proper planning, organizations can effectively establish these channels of communication.

What are the sub-requirements?

  1. Specify when and by whom relevant authorities (law enforcement, regulatory bodies, supervisory authorities) should be contacted.

  2. Define the process for reporting identified information security incidents to authorities in a timely manner.

  3. Leverage contacts with authorities to stay informed about current and upcoming information security expectations, regulations, and changes.

  4. Use contacts with authorities to support incident management, contingency planning, and business continuity efforts.

  5. Establish contacts with other relevant authorities such as utilities, emergency services, electricity suppliers, and health and safety departments.

Other information:

  • Maintaining contact with authorities is crucial for organizations to receive support during security incidents and to anticipate legal and regulatory changes.

  • Contacts with utility providers and emergency services are important for disaster recovery and business continuity planning.

In conclusion, this control emphasizes the significance of establishing and maintaining communication channels with relevant authorities to ensure effective incident response, compliance, and preparedness for legal and regulatory changes. It plays a vital role in information security incident management and business continuity planning.