In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.5 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.5 Contact with Authorities
ISO 27001 Annex A 5.5 requires organizations to establish and maintain contact with relevant authorities to ensure the appropriate flow of information regarding security incidents, regulatory requirements, and legal obligations. While it may seem like “stating the obvious,” this control is a foundational part of governance. It ensures that when a crisis hits, like a major data breach or a physical fire, your team knows exactly who to call, how to report the issue, and what the legal timelines for notification are.
Core requirements for compliance include:
- Identification of Authorities: You must list all regulatory, legal, and supervisory bodies relevant to your business. This includes data protection regulators (like the ICO in the UK), law enforcement, and utility providers.
- Defined Reporting Processes: You must document how and when these authorities should be contacted. For example, GDPR requires notifying the regulator within 72 hours of a personal data breach.
- Incident Response Integration: Your contact list must be accessible to your incident management and business continuity teams so they can act immediately during an event.
- Regulatory Registration: You must prove that you have registered with mandatory authorities. A common audit failure is forgetting to register as a data controller with your local data protection registrar.
- Continuous Maintenance: The contact list must be reviewed and updated at least annually to ensure the details (phone numbers, web portals, names) remain accurate.
Audit Focus: Auditors will look for “The Emergency Dial”:
- The List: “Show me your documented list of relevant authorities. Why have you included (or excluded) the local cybercrime unit?”
- Legal Registration: “Show me your current registration certificate with the Information Commissioner’s Office (or local equivalent).”
- Process Awareness: “If you suffered a ransomware attack at 2 AM on a Sunday, how does your incident responder find the contact details for your cyber insurance and law enforcement?”
Authority Contact Matrix (Audit Prep):
| Authority Type | Example Entity | Critical Reason to Contact |
|---|---|---|
| Data Privacy | ICO (UK) / DPC (IE) | Mandatory personal data breach reporting (GDPR). |
| Law Enforcement | Local Police / Cyber Unit | Theft of hardware, fraud, or ransomware attacks. |
| Utilities | ISP / Power Provider | Connectivity or power outages affecting “Availability.” |
| Emergency | Fire / Health & Safety | Physical facility incidents (e.g., server room fire). |
| Financial | FCA / SEC | Compliance or regulatory breaches (if applicable). |
Table of contents
- Key Takeaways
- What is ISO 27001 Annex A 5.5?
- Watch the ISO 27001 Annex A 5.5 Tutorial
- ISO 27001 Annex A 5.5 Podcast
- ISO 27001 Annex A 5.5 Implementation Guidance
- How to implement ISO 27001 Annex A 5.5
- Contact List Example Table
- How to comply
- How to pass the ISO 27001 Annex A 5.5 audit
- Top 3 ISO 27001 Annex A 5.5 Mistakes and How to Fix Them
- Applicability of ISO 27001 Annex A 5.5 across different business models
- Fast Track ISO 27001 Annex A 5.5 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.5 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute Values
Key Takeaways
- ISO 27001 Annex A 5.5 requires organisations to establish and maintain easy contact with authorities for information security matters.
- Businesses must identify and list all relevant authorities, such as regulators and law enforcement, and create a clear process for communication.
- Having a documented list of contacts and communication procedures is crucial for demonstrating compliance and passing a security audit.
What is ISO 27001 Annex A 5.5?
ISO 27001 Annex A 5.5 Contact with Authorities is an ISO 27001 control that requires an organisation to establish and maintain contact with authorities that are relevant to them.
ISO 27001 contact with authorities is the requirement that organisations need to maintain contact with relevant authorities regarding security incidents, complaints, and vulnerabilities.
ISO 27001 Annex A 5.5 Purpose
The purpose of ISO 27001 Annex A 5.5 is to ensure the appropriate flow of information takes place with respect to information security between the organisation and relevant legal, regulatory and supervisory authorities.
ISO 27001 Annex A 5.5 Definition
ISO 27001 defines ISO 27001 Annex A 5.5 as
The organisation should establish and maintain contact with relevant authorities.
Watch the ISO 27001 Annex A 5.5 Tutorial
In the video ISO 27001 Annex A 5.5 Contact With Authorities Explained I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.5 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.5 Contact With Authorities. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.5 Implementation Guidance
You are going to have to ensure that you:
- identify and document which authorities apply to you
- define the circumstances in which you would contact them
- define how information security incidents should be reported to them, where relevant
- understand what expectations these authorities have of you, if any
- include the relevant contact steps in your incident management processes
- include the relevant contact steps in your business continuity plan and disaster recovery processes
People often scratch their heads at this one, but an easy win is contact with your data protection regulator, which is likely mandated in law. In addition, you can consider utility companies for power and water, health and safety bodies if relevant, the fire department for business continuity and incident management, and perhaps your telecoms provider for re-routing if lines go down.
How to identify the authorities you need to contact
You are going to identify the authorities that you might need to make contact with. If you are in a regulated industry this may be relatively straightforward, as there will be regulatory bodies that you may need to contact.
If you are within the European Union and GDPR applies to you, then you may need to register with your local data protection authority; for example, in the UK you have to register with the Information Commissioner’s Office.
Next on the list are the supporting utilities such as water and power. These are usually things you have already identified as part of your Business Continuity Management process or your Incident Management process.
Finally, there are law enforcement agencies.
How to contact authorities
When it comes to how you are going to contact them, you simply follow whatever process they have in place. To document that, you record their contact process.
For the majority of organisations it is unlikely that you have a special one-to-one relationship with its own bespoke process. In terms of the requirement of the standard, you are going to identify the authorities you need to make contact with and how you contact them.
How to document contact with authorities
You are going to list the authorities that you may need to contact and record their contact details. Where an authority has its own reporting process, you may simply record that you contact them via that process. This list will be available to, and form part of, your incident management process.
Examples of authorities to contact
Examples of authorities that you may need to contact:
- Data protection regulator
- Industry Regulatory Bodies
- Government Agencies
- Law Enforcement Agencies
- Power Companies
- Telecoms Companies
- Utility Companies
- Emergency Services
How to implement ISO 27001 Annex A 5.5
Implementing ISO 27001 Annex A 5.5 requires more than a simple list of phone numbers. It demands a formalised governance framework that ensures your organisation can interact with regulatory and legal bodies without delay during a security crisis. By establishing pre-defined communication channels and notification thresholds, you reduce legal exposure and ensure compliance with statutory reporting obligations such as the UK GDPR or sector-specific regulations. This action-focused guide outlines the technical and procedural steps required to satisfy auditor requirements for the 2022 standard.
1. Inventory Statutory and Regulatory Authorities
Identify all legal, regulatory, and supervisory bodies relevant to your jurisdiction and industry sector. This action results in a comprehensive scope of all external entities that may require notification during an information security incident or for regular compliance reporting.
- Identify data protection regulators such as the Information Commissioner’s Office (ICO) for UK operations.
- Map sector-specific bodies such as the Financial Conduct Authority (FCA) or the National Cyber Security Centre (NCSC).
- Document law enforcement contacts for cybercrime reporting, including local specialist units and national agencies like Action Fraud.
- Review contractual obligations with clients that may mandate specific third-party notification protocols.
2. Formalise Communication Thresholds and Procedures
Establish clear criteria for when and why each authority must be contacted. This result-focused step prevents both under-reporting, which carries legal risk, and over-reporting, which can lead to unnecessary regulatory scrutiny.
- Define notification triggers based on the severity and type of data breach (e.g. personal data loss versus system downtime).
- Align reporting timelines with statutory requirements, such as the 72-hour window mandated by the GDPR.
- Document the “Rules of Engagement” (ROE) for interacting with law enforcement to protect digital evidence integrity.
- Integrate these thresholds directly into your primary Incident Response Plan (IRP).
3. Assign Designated Liaison Roles
Establish specific accountability by naming the individuals authorised to communicate with authorities on behalf of the organisation. This action prevents conflicting messages and ensures that all outgoing information is vetted by legal or senior management.
- Assign the Chief Information Security Officer (CISO) or Data Protection Officer (DPO) as the primary point of contact.
- Define deputy roles to ensure continuity of communication during a prolonged incident or staff absence.
- Specify the IAM roles and portal access permissions required for submitting official regulatory filings.
- Establish a formalised internal approval workflow for all official statements before they are transmitted to external bodies.
4. Provision an Authorities Contact Register
Create a centralised and secure register containing validated contact information for all identified authorities. This action results in a single source of truth that allows the incident response team to act immediately when a reporting threshold is triggered.
- Include direct telephone numbers, emergency out-of-hours contacts, and official reporting portal URLs.
- Document specific reference numbers or account IDs required to identify your organisation to the regulator.
- Ensure the register is stored in a location accessible even during a total network outage, such as a physical backup or an offline encrypted drive.
- Cross-reference the register with your Business Continuity Plan (BCP) for high-availability access.
5. Execute Tabletop Exercises and Validation
Perform periodic simulations to test the effectiveness of your authority contact procedures. This result-orientated step provides the evidence needed for ISO 27001 audits and ensures that your team is prepared for real-world scenarios.
- Incorporate authority notification steps into quarterly incident response tabletop exercises.
- Verify the accuracy of contact details in the register every six months and update the audit trail accordingly.
- Review the results of tests to identify gaps in communication or delays in the internal approval process.
- Maintain a log of all simulated and actual contacts with authorities as mandatory audit evidence.
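Steps 1 to 5 above are usually kept in a spreadsheet, but the same register can be held as data so that the notification triggers (step 2), the statutory deadline, the reference IDs (step 4) and the six-month verification cycle (step 5) are checked mechanically rather than by eye. The example below is added for this guide and is not High Table toolkit code; every authority name, incident classification, contact channel and reference number in it is a constructed placeholder, and the only figures taken from the page are the 72-hour GDPR window and the six-month verification interval. Given an incident classification and the time the organisation became aware of it, it returns the ordered call list with deadlines, and separately lists register entries whose details are overdue for verification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional

# Step 5 re-verifies contact details every six months; anything older is treated as stale.
VERIFICATION_INTERVAL = timedelta(days=183)


@dataclass(frozen=True)
class Authority:
    """One row of the authorities contact register (step 4)."""
    name: str
    category: str                             # data_privacy, law_enforcement, utility, emergency
    triggers: FrozenSet[str]                  # incident classifications that require contact (step 2)
    channel: str                              # the authority's own reporting route
    reference_id: str                         # ID the authority uses to identify us (step 4)
    statutory_deadline: Optional[timedelta]   # e.g. 72 hours for a GDPR personal data breach
    last_verified: datetime                   # when the details were last confirmed (step 5)


def build_sample_register(today: datetime) -> List[Authority]:
    """Constructed sample register; every channel and reference value is a placeholder."""
    return [
        Authority("Data protection regulator", "data_privacy",
                  frozenset({"personal_data_breach"}),
                  "PLACEHOLDER: regulator breach-reporting portal URL",
                  "PLACEHOLDER: data controller registration number",
                  timedelta(hours=72), today - timedelta(days=30)),
        Authority("Police cyber crime unit", "law_enforcement",
                  frozenset({"ransomware", "fraud", "hardware_theft"}),
                  "PLACEHOLDER: non-emergency reporting number",
                  "", None, today - timedelta(days=200)),  # deliberately overdue for verification
        Authority("Power provider", "utility",
                  frozenset({"power_outage"}),
                  "PLACEHOLDER: business faults line",
                  "PLACEHOLDER: account number", None, today - timedelta(days=10)),
        Authority("Fire service", "emergency",
                  frozenset({"fire"}),
                  "PLACEHOLDER: emergency number", "", None, today - timedelta(days=10)),
    ]


def authorities_to_notify(register: Iterable[Authority],
                          incident_types: Iterable[str]) -> List[Authority]:
    """Select the entries whose triggers overlap the incident's classification."""
    wanted = set(incident_types)
    return [a for a in register if a.triggers & wanted]


def notification_deadline(authority: Authority,
                          awareness_time: datetime) -> Optional[datetime]:
    """Statutory clocks run from the moment the organisation becomes aware, not from the incident start."""
    if authority.statutory_deadline is None:
        return None
    return awareness_time + authority.statutory_deadline


def stale_entries(register: Iterable[Authority], now: datetime) -> List[Authority]:
    """Entries whose details have not been re-verified within the six-month cycle."""
    return [a for a in register if now - a.last_verified > VERIFICATION_INTERVAL]


def notification_plan(register: List[Authority], incident_types: Iterable[str],
                      awareness_time: datetime) -> List[Dict[str, object]]:
    """Ordered call list for an incident: entries with a statutory deadline come first."""
    plan = []
    for a in authorities_to_notify(register, incident_types):
        plan.append({
            "authority": a.name,
            "channel": a.channel,
            "reference_id": a.reference_id,
            "deadline": notification_deadline(a, awareness_time),
            # Flag stale details so the responder double-checks them before dialling.
            "details_stale": awareness_time - a.last_verified > VERIFICATION_INTERVAL,
        })
    plan.sort(key=lambda p: (p["deadline"] is None, p["deadline"] or awareness_time))
    return plan


def run_scenario() -> Dict[str, object]:
    """The page's scenario: a ransomware incident involving personal data, discovered at 2 AM."""
    awareness = datetime(2024, 6, 2, 2, 0, tzinfo=timezone.utc)   # constructed timestamp
    register = build_sample_register(awareness)
    plan = notification_plan(register, {"ransomware", "personal_data_breach"}, awareness)
    return {
        "call_order": [p["authority"] for p in plan],
        "hours_to_first_deadline": (plan[0]["deadline"] - awareness).total_seconds() / 3600,
        "stale": [a.name for a in stale_entries(register, awareness)],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario puts the data protection regulator first because it is the only entry with a statutory clock, and flags the police entry as stale because its details were last verified 200 days ago. Keep an exported copy of the register offline, as step 4 requires, so the same call list is available during a total network outage.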
Contact List Example Table
| Type | Authority Name | Reason to Contact | ISO 27001:2022 Control |
|---|---|---|---|
| Data Privacy | ICO (UK) / DPC (IE) | Data Breach (GDPR Reporting). | Annex A 5.5 / 5.34 |
| Law Enforcement | Local Police / Cyber Crime Unit | Theft, Fraud, Ransomware. | Annex A 5.5 |
| Utilities | Power / Water Provider | Service Outage (Business Continuity). | Annex A 5.5 / 5.30 |
| Emergency | Fire Service | Physical site fire. | Annex A 5.5 / 7.1 |
| Financial | FCA / SEC | Compliance breach (if regulated). | Annex A 5.5 / 5.36 |
How to comply
To comply with ISO 27001 Annex A 5.5 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:
- list the relevant authorities and document who, how and when you will contact them
How to pass the ISO 27001 Annex A 5.5 audit
To pass an audit of ISO 27001 Annex A 5.5 Contact with Authorities you are going to make sure you have listed and documented the authorities that you contact, and show evidence that you contacted them.
What an auditor looks for
The audit is going to check a number of areas for compliance with ISO 27001 Annex A 5.5 Contact with Authorities. Let’s go through them:
1. That you have a list of authorities you would contact
What this means is that you need to show that you have a list of authorities that you have considered and are in scope for you.
2. That you have a process to contact them
The process may be straightforward. Many authorities have pre-defined ways in which you contact them. Just write them down.
3. That you have contacted authorities
There is no expectation that you have contacted everyone on your list; it just won’t be relevant. But some of those contacts will be mandated in law or regulation, and for those you should have evidence that the contact took place. A simple example would be registering with the data protection supervisory body.
Top 3 ISO 27001 Annex A 5.5 Mistakes and How to Fix Them
In my experience, the top 3 mistakes people make for ISO 27001 Annex A 5.5 Contact with Authorities are:
1. You didn’t register with the Data Protection registrar
Registration is often a legal requirement, so make sure you have registered as a data controller or data processor, whichever applies, with the relevant bodies. They will check.
2. You don’t have a list of relevant authorities
You thought it was obvious so didn’t write it down. Wrong. Write it down to show you considered it.
3. Your document and version control is wrong
Keep your document version control up to date, make sure version numbers match wherever they are used, have a review evidenced in the last 12 months, and make sure documents contain no stray comments; these are all good practices.
Applicability of ISO 27001 Annex A 5.5 across different business models
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | Emergency Contacts & Regulators. You don’t need a complex legal team. Compliance means having a simple “Emergency Contact List” that includes your data protection regulator (ICO) and non-emergency police numbers. | ICO Registration: Ensuring you have paid your data protection fee and have the ICO helpline saved for breach reporting. |
| Tech Startups | Breach Reporting (72 Hours). Startups handling user data must know exactly who to call when a breach happens to meet the 72-hour GDPR window. Panic leads to fines; preparation leads to compliance. | Incident Playbook: A pre-written script for contacting the regulator (e.g., “We have detected a breach…”) integrated into your Incident Response Plan. |
| AI Companies | AI Safety & Emerging Regulation. As AI regulation tightens (e.g., EU AI Act), you must maintain contact with new oversight bodies regarding model safety and high-risk classifications. | AI Safety Institute: Registering or maintaining contact with national AI safety bodies (UK/US) if developing frontier models. |
Fast Track ISO 27001 Annex A 5.5 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.5 (Contact with authorities), the requirement is to establish and maintain contact with relevant authorities, such as law enforcement, regulators, and utility companies. This ensures that in the event of an incident, the right information flows to the right legal and supervisory bodies.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your legal response plan; if you cancel the subscription, your documented regulatory history and contact logs vanish. | Permanent Assets: Fully editable Word/Excel Authority Contact Lists and Incident Management templates you own forever. | A localized “Contact with Authorities List” stored on your secure drive containing ICO registration and local police details. |
| Operational Utility | Attempts to “automate” contact management via dashboards that cannot verify regulator registration or identify local police jurisdictions. | Governance-First: Provides a “Contact List Example Table” to formalize your existing escalation and emergency relationships. | A “Data Protection Certificate” or regulatory registration number integrated into your formal compliance documentation. |
| Cost Efficiency | Charges a “Regulatory Tax” based on integrated frameworks or contacts, creating perpetual overhead for static legal information. | One-Off Fee: A single payment covers your authority governance whether you track 5 regulatory bodies or 50. | Allocating budget to actual security improvements or legal counsel rather than monthly “dashboard” subscription fees. |
| Strategic Freedom | Mandates rigid reporting formats that often fail to align with lean office setups or specialized industry environments. | 100% Agnostic: Procedures adapt to your operating style—from dedicated legal teams to simple internal escalation lists. | The ability to evolve your legal communication strategy and regulatory footprint without reconfiguring a rigid SaaS module. |
Summary: For Annex A 5.5, the auditor wants to see that you have a formal list of relevant authorities and proof of registration (like a Data Protection Certificate). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.5 FAQ
What is ISO 27001 Annex A 5.5?
ISO 27001 Annex A 5.5 is an organisational control that requires an organisation to establish and maintain appropriate contacts with relevant legal, regulatory, and supervisory authorities.
- Ensures the organisation knows exactly who to contact during a security incident.
- Mandates that contact procedures are formalised and kept up to date.
- Facilitates compliance with statutory requirements for breach reporting.
- Supports proactive situational awareness of the legal and regulatory landscape.
Which authorities should be included in the contact list?
The specific authorities required depend on your industry and location, but typically include law enforcement, data protection regulators, and sector-specific oversight bodies.
- Law enforcement agencies (e.g., Action Fraud or the National Cyber Security Centre in the UK).
- Data protection authorities (e.g., the Information Commissioner’s Office – ICO).
- Regulatory bodies (e.g., the Financial Conduct Authority – FCA).
- Emergency services and local government resilience forums.
Is it mandatory to contact authorities for every incident?
No, you only need to contact authorities when an incident meets specific legal, regulatory, or contractual thresholds defined in your incident response plan.
- Mandatory for personal data breaches that risk individuals’ rights (GDPR).
- Required if the incident involves criminal activity or cyber-extortion.
- Necessary if specific service level agreements (SLAs) with government bodies are breached.
- Consult your internal risk assessment to determine the appropriate escalation path.
What is the difference between Annex A 5.5 and 5.6?
The primary difference is that Annex A 5.5 focuses on legal and regulatory authorities, while Annex A 5.6 focuses on peer groups, security forums, and special interest groups.
- Annex A 5.5 is for compliance, reporting, and official oversight.
- Annex A 5.6 is for knowledge sharing, best practices, and threat intelligence.
- Authorities (5.5) have the power to penalise; Special Interest Groups (5.6) are for collaborative support.
How do you evidence Annex A 5.5 compliance for an auditor?
Auditors look for a documented list of contacts and verifiable evidence that these contacts are reviewed and tested as part of your incident response procedures.
- A formal “Authorities Contact List” included within your ISMS documentation.
- Evidence of periodic reviews (usually annual) to ensure contact details are accurate.
- Logs or minutes from incident response tabletop exercises involving authority notification.
- Documentation of any actual correspondence or reporting made to authorities.
When must you notify the ICO under ISO 27001?
Under ISO 27001 and the UK GDPR, you must notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals.
- Notification is required if the breach leads to accidental or unlawful destruction, loss, or disclosure of PII.
- Reporting is mandatory if the data breach involves sensitive “special category” data.
- Initial notification can be made even if the full extent of the breach is not yet known.
Related ISO 27001 Controls
ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities
Further Reading
How to Implement ISO 27001:2022 Annex A 5.5: Contact with Authorities
How to Audit ISO 27001:2022 Annex A 5.5: Contact with Authorities
ISO 27001:2022 Annex A 5.5 for Small Business: Your Emergency Contact List
ISO 27001:2022 Annex A 5.5 for AI Companies: Navigating the Regulatory Web
ISO 27001:2022 Annex A 5.5 for Tech Startups: Who You Gonna Call?
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Identify | Governance | Defence |
| Corrective | Integrity | Protect | Resilience | |
| | Availability | Respond | | |
| | | Recover | | |