Special Interest Groups and ISO 27001
Welcome back to our deep dive into ISO 27001:2022 Annex A controls. This post focuses on 5.6, Contact with Special Interest Groups.
You may be surprised to see an ISO 27001 control mention special interest groups. The phrase most likely brings a politically focused organization to mind. ISO 27001 uses the term a little differently: here it means security forums and professional associations, such as cybersecurity forums, the Apple Developer Forums, the Microsoft Developer Forums, and similar communities where security information is shared.

Why Include Special Interest Groups in ISO 27001:2022?

Why does ISO 27001 stress contact with these groups, and what does it have to do with information security? Here are three key reasons:
  1. Engaging with these groups demonstrates your organization's commitment to staying current on information security practices and industry standards.
  2. Networking with external organizations gives you access to early warnings and advisories about active attacks and newly disclosed vulnerabilities, often before they reach general news channels.
  3. Outside groups offer a fresh perspective when you run into an issue your own team has not seen before.

Documentation for Annex A 5.6

As always, documentation is an integral part of ISO 27001:2022 compliance. For 5.6, your documentation should answer the following questions.
  • Which groups are you networking with, and what information is exchanged with your contacts there?
  • How often do you exchange information with these groups? This can include how often you receive the group's newsletters or e-newsletters and how often you attend live events.
  • How does information flow between the group and your organization, and who inside your organization receives it and acts on it?

You Are Never Done with Annex A 5.6

Compliance with ISO 27001:2022 is not a "one and done" event. Someone in your organization needs to keep abreast of new groups and sub-groups and, as they arise, decide whether each one can contribute to the exchange of information. Engagement with the groups you already belong to also needs to be ongoing and should be reviewed for relevance on a regular basis. As the groups and your use of them evolve, the documentation must evolve with them.

Questions? 

If you are struggling to understand how or why to comply with this control, let us know. If you have questions about the ISO 27001 standard in general or about your specific compliance journey, feel free to schedule a no-obligation meeting with us. Use this link to schedule a time convenient for you.