ISO27001 – Control 5.5 – Contact with Authorities


The organization should establish and maintain contact with relevant authorities.

What this means

The aim of this control is to ensure an open dialogue with regard to information security and incidents between the organisation and relevant legal, regulatory, and supervisory authorities.

This means the organization should:

  1. Identify the proper authorities to contact about information security issues. This could include law enforcement, regulatory agencies, supervisory bodies, etc.
  2. List the proper authorities, usually in your interested parties policy.
  3. Decide who within the organization is responsible for making contact with the authorities and under what circumstances.
  4. Have a process in place to report any identified security incidents to the relevant authorities in a timely manner.

The reason for this is twofold:

  1. To ensure information flows properly between the organization and the authorities regarding security matters. The authorities need to know what’s happening.
  2. To understand what rules, regulations and expectations the authorities currently have or will have related to information security that the organization must follow.


  • If the organization is under attack, they can ask the authorities to take action against the attacker.
  • Maintaining these authority contacts helps with incident response and business continuity planning.
  • Talking to regulatory bodies allows the organization to prepare for any upcoming legal/regulatory changes that impact them.
  • Other authorities like utilities, emergency services, etc. should also be contactable for aspects like business continuity.

Examples of authorities that should be considered are Government, local government, fire, flood, emergency services, regulators.

If you want to talk about information security in your organisation then please book a free call here or email us here