Contact with Authorities

What is Contact with Authorities?

Contact with Authorities is the formalised process for ensuring timely, accurate communication with regulatory bodies, law enforcement and emergency services during security events. ISO/IEC 27001:2022 Annex A 5.5 asks the organisation to establish and maintain contact with relevant authorities; in practice that means keeping an up-to-date register of which authorities must be contacted, by whom, through which channel and within what deadline. The business benefit is reduced legal liability and better forensic readiness.

In plain terms: it is having a plan for talking to outside bodies such as the police or government agencies. The plan tells your company what to do if there is a security problem, so that you share the right information with the right people at the right time.

Examples

  • Cybercrime: If attackers steal customer data, your company should report the crime to the police and, where applicable, to the national cyber security authority.
  • Data Breach: In many countries, a business must tell a government data office about a data breach.
  • Emergency: Your business needs to know who to call if a cyberattack affects public safety, like a power outage.

Context

This control is about being prepared. It’s not just about reacting to a bad event; it’s about having a clear process in place before one happens. By having a plan, your organisation can act quickly and correctly. This protects your reputation, avoids legal trouble, and helps authorities do their job.

How to implement Contact with Authorities

Annex A 5.5 applies to almost every organisation, and unless it is justifiably excluded in the Statement of Applicability a certification auditor will expect to see a working process behind it. An auditor looks for a systematic approach that manages communication with regulatory bodies, law enforcement and emergency services without compromising internal security. Following this 10-step roadmap will result in a formalised communication process that satisfies the control and protects the organisation’s legal interests during a crisis.

1. Provision a Regulatory and Statutory Register

  • Provision a comprehensive list of all relevant authorities: Identify every regulatory body, law enforcement contact and emergency service relevant to your jurisdiction and sector (for a UK organisation, typically the Information Commissioner’s Office (ICO), the NCSC and any sector regulator), resulting in a clear directory of who must be contacted during specific security events, through which channel and within what deadline.

2. Formalise Authority Contact Roles and Responsibilities

  • Formalise designated liaison officers within the ISMS: Assign specific staff members as primary points of contact for authorities, resulting in controlled communication channels that prevent unauthorised or inconsistent information disclosure.

3. Document Authority Rules of Engagement (ROE)

  • Document the Rules of Engagement for authority interactions: Establish protocols for when, how and why an authority should be contacted, and who is authorised to do so, resulting in consistent conduct that aligns with ISO 27001 Annex A 5.5.

4. Provision a Secure Communication Asset Register

  • Provision a dedicated inventory of communication tools: Identify the secure phones, encrypted email accounts, and portals used for authority liaison, resulting in the technical readiness to share sensitive incident data securely.

5. Formalise Incident Reporting Thresholds

  • Formalise the criteria for authority notification: Define the technical and legal triggers and the clock that starts with each one, for example a personal data breach under UK GDPR Article 33 must be reported to the ICO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, resulting in timely reporting that satisfies statutory obligations.

6. Audit Evidence Collection and Chain of Custody

  • Audit the procedures for preparing evidence for authorities: Ensure that all digital evidence is collected and handled to a documented forensic standard with a recorded chain of custody, resulting in evidence that remains admissible in legal proceedings or regulatory investigations.

7. Enforce Information Disclosure Controls

  • Enforce strict data filtering before authority transmission: Review all outgoing information against internal confidentiality policies and the scope of the authority’s request, resulting in the protection of sensitive intellectual property and third-party data that the authority has not asked for.

8. Provision an Authority Contact Log

  • Provision a central register for all authority interactions: Record every outgoing report and incoming request, including timestamps and responder IDs, resulting in an immutable audit trail for ISO 27001 certification audits.

9. Revoke Outdated Authority Access

  • Revoke legacy portal credentials and contact permissions: Update authority liaison lists immediately upon personnel changes, resulting in a reduced risk of unauthorised individuals representing the organisation to regulators.

10. Audit the Communication Framework Regularly

  • Audit the authority contact process via internal assessments: Test the liaison protocols at least annually through simulated incident drills, resulting in a documented corrective action plan that ensures continuous improvement of the ISMS.
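The three record-keeping steps above (the statutory register, the reporting thresholds and the contact log) can be expressed as a small tool so that the deadlines and the audit trail are computed rather than remembered. The following is an added example written for this page, not code from the author’s toolkit or from the ISO standard. The authority names are real UK bodies, but the channel strings, the trigger attributes on an incident, the single `deadline_hours` field and the sample incident are constructed assumptions for illustration; a real register comes from legal review of your own obligations. The contact log is hash-chained so that any later edit to an entry is detectable, which is what an auditor means by an immutable trail.

```python
"""Added example: authority register, notification deadlines and a
tamper-evident contact log. Not from the page; see lead-in for assumptions."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Authority:
    name: str
    channel: str                   # assumed contact channel, not an official name
    trigger: str                   # incident attribute that requires contact
    deadline_hours: Optional[int]  # statutory window after awareness, if any


# Constructed register (assumption): ICO deadline follows UK GDPR Art. 33 (72 h);
# the other two have no fixed statutory clock in this example.
REGISTER = {
    "ICO": Authority("ICO", "ICO breach reporting", "personal_data_risk", 72),
    "LAW_ENFORCEMENT": Authority("Law enforcement", "Action Fraud / police", "criminal", None),
    "NCSC": Authority("NCSC", "NCSC incident reporting", "national_significance", None),
}


def notification_plan(incident: dict, register: dict = REGISTER) -> list[dict]:
    """Return which authorities must be contacted for this incident and by when.

    `incident` is a constructed dict with keys: awareness_at (aware datetime),
    personal_data (bool), risk ("unlikely" or anything else), criminal (bool),
    national_significance (bool).  A breach that is unlikely to result in a
    risk to individuals does not trigger the ICO notification.
    """
    awareness: datetime = incident["awareness_at"]
    triggers = {
        "personal_data_risk": bool(incident.get("personal_data"))
        and incident.get("risk") != "unlikely",
        "criminal": bool(incident.get("criminal")),
        "national_significance": bool(incident.get("national_significance")),
    }
    plan = []
    for auth in register.values():
        if not triggers.get(auth.trigger):
            continue
        deadline = (awareness + timedelta(hours=auth.deadline_hours)
                    if auth.deadline_hours is not None else None)
        plan.append({"authority": auth.name, "channel": auth.channel, "deadline": deadline})
    return plan


class ContactLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, direction: str, authority: str, responder: str,
               summary: str, at: datetime) -> dict:
        entry = {
            "seq": len(self.entries),
            "at": at.isoformat(),
            "direction": direction,   # "outgoing" report or "incoming" request
            "authority": authority,
            "responder": responder,   # liaison officer ID (assumed format)
            "summary": summary,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample incident: personal data exfiltrated by an intruder.
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    incident = {"awareness_at": aware, "personal_data": True, "risk": "high", "criminal": True}
    for item in notification_plan(incident):
        print(item)
    log = ContactLog()
    log.record("outgoing", "ICO", "liaison-01", "Initial Art. 33 report", aware + timedelta(hours=20))
    log.record("incoming", "ICO", "liaison-01", "Request for affected record count", aware + timedelta(days=2))
    print("log intact:", log.verify())
```

The plan is recomputed from the incident attributes rather than typed into a ticket, so the 72-hour clock is always anchored to the recorded time of awareness. The log stores the chain in memory for brevity; in production the same entries would be written to append-only storage and the head hash published to a second system so that the verifier and the writer are not the same party.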

Contact with Authorities FAQ

What is contact with authorities in the context of ISO 27001?

Contact with authorities is an Annex A control requiring organisations to establish and maintain appropriate liaison with relevant government agencies, law enforcement and regulatory bodies. Under ISO 27001 Annex A 5.5, organisations define their reporting channels in advance so that security incidents are notified on time, statutory obligations are met and forensic cooperation during data breaches is possible.

Which authorities must be notified during an information security incident?

Organisations must notify authorities based on the nature of the breach and jurisdictional laws. Essential contacts typically include:

  • Information Commissioner’s Office (ICO): Personal data breaches under UK GDPR must be reported within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals.
  • Law Enforcement: Contacted for cybercrimes such as unauthorised access, data theft or extortion (in the UK, typically via Action Fraud or the police).
  • National Cyber Security Centre (NCSC): For reporting significant cyber incidents with national-level impact.
  • Industry Regulators: Sector-specific bodies such as the FCA or Ofcom, depending on the business sector.

Why is formal liaison with authorities important for ISMS compliance?

Formal liaison is critical because it reduces legal liability and ensures the organisation remains compliant with statutory obligations. A late or missing mandatory notification under UK GDPR is itself a breach of the regulation and can attract enforcement action separate from the underlying incident, and an organisation that already knows who to call and what to send spends the first hours of a crisis responding rather than researching.

What are the technical requirements for managing contact with authorities?

To satisfy ISO 27001 Annex A 5.5, organisations must provision technical capabilities including:

  • Secure Communication Channels: Encrypted portals or lines for sharing sensitive incident data.
  • Immutable Audit Logs: Recording every interaction with authorities, with timestamps and responder identities, for forensic verification.
  • Statutory Register: A regularly updated register of authorities, contact channels, liaison owners and reporting thresholds.

How often should authority contact details be reviewed?

Authority contact details must be reviewed at least annually and immediately following a change in legislation or personnel. Continuous review ensures that all contact points remain valid, preventing critical delays during a live security event. Failure to maintain accurate liaison records is a common cause of minor non-conformities during certification body surveillance audits.

Relevant ISO 27001 Controls

The following controls from the ISO/IEC 27001:2022 standard are related to contact with authorities:

                                                                                                                                                                                           
Stuart and Fay High Table

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader


ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
