What is Contact with Authorities?
Contact with authorities means having a plan for talking to outside groups like the police or government agencies. This helps your company know what to do if there’s a security problem. It ensures you share the right information with the right people at the right time.
Examples
- Cybercrime: If hackers steal customer data, your company must report the crime to the police and cybersecurity authorities.
- Data Breach: In many countries, a business must tell a government data office about a data breach.
- Emergency: Your business needs to know who to call if a cyberattack affects public safety, like a power outage.
Context
This control is about being prepared. It’s not just about reacting to a bad event; it’s about having a clear process in place before one happens. By having a plan, your organisation can act quickly and correctly. This protects your reputation, avoids legal trouble, and helps authorities do their job.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to contact with authorities:
- ISO 27001:2022 Annex A 5.5 Contact With Authorities: This is the main control about communicating with authorities. It’s a key part of the ISO 27001 standard.
- ISO 27001:2022 Annex A 5.6 Contact With Special Interest Groups: This control is about talking to other groups that care about information security. This is different from authorities but also helps your organisation stay informed.
- ISO 27001:2022 Annex A 5.35 Independent Review Of Information Security: This control ensures an outside expert looks at your security plan. They might check if your plan for talking to authorities is good enough.