ISO 27001 and Contact with Authorities

Today’s focus is on ISO 27001:2022 Annex A Control 5.5 Contact with Authorities. If your organization already has an incident response plan, much of this information probably already exists there. The main objective behind this control is to ensure that when an organization needs to contact an authority, there is a process to do so and contact information is readily available.
Here are some examples that a company should include on this list.

Governing Bodies

Does your company operate in a highly regulated industry? If yes, the best practice of maintaining an up-to-date list of the authorities to whom you must report becomes mandatory. Each regulated industry has its own requirements for which agencies or regulatory bodies must be contacted in the event of a cyber incident. This list, and who is designated to call each authority on it, should be tested at least annually, unless a different cycle is mandated.

Utilities

You may not consider your power company an authority, but the companies that provide your utilities should be on the documented list of authorities. While this may appear to be out of scope for your ISMS, utilities are critical elements of your continuity of operations plan and any disaster recovery plans. If the company experiences a power outage or the water starts to look brown, the appropriate companies should be alerted immediately. This information should be easy to find, as should clear direction on who will make these calls. All of it must be documented to comply with control 5.5 of Annex A in ISO 27001:2022.

Law Enforcement

Contacting law enforcement, whether local, state, or federal, is a major event for any organization. Your organization's plan on what type of incident merits this call, when to contact, whom to contact, and who shall contact law enforcement should be clearly documented in the Annex A control 5.5 policy or procedure. Regulated industries usually have a document outlining the "what" (type of incident), the when, the whom, and the by whom, which companies can use as the foundation for their plan. Unregulated industries will often follow industry best practices, or in many cases their cybersecurity insurance provider will detail the what, when, and who. Regardless of regulated, unregulated, or cybersecurity insurance provider requirements, the plan and the decision to contact law enforcement is an executive-level decision.

Creating a Process for Contacting Authorities

In emergency situations, everyone wants to do something productive to help the cause. This can actually worsen the situation. Premature, partial, or incomplete reports made outside the organization may create legal, financial, and brand problems well beyond the current situation. Too many people, or the wrong people, engaged in contacting authorities will often make the situation more confusing. Avoid this scenario by following ISO 27001:2022 Annex A control 5.5, which requires companies to create and document processes that clarify which authorities are necessary for different situations and who bears the responsibility for contacting each authority.

Remember, Contact Information Changes

ISO 27001:2022 is not a "one and done" process. Continuous monitoring, refinement, and improvement are the cornerstones of any ISO standard. Part of the continuous monitoring aspect of ISO 27001 is to ensure that the contact information for each authority, and who has the responsibility for contacting it (including their backup), remains up to date. There must be a process that documents who should check the contact information and how often.

Where Are You in Your ISO 27001 Compliance Process?

Have you started your journey to ISO 27001 compliance? Are you in the beginning stages of thinking about a compliance journey? Either way, we would be happy to meet with you to answer any questions you might have. We can also have a conversation about when you might be ready for an assessment and put you on the Smithers schedule. Use this link to set a time that works for you: https://calendly.com/robert-mcvay/cybersecurity-initial-engagement 