Contact with Authorities
Plain English Translation
ISO 27001 A.5.5 requires organizations to identify and maintain up-to-date contact information for relevant legal, regulatory, and supervisory bodies. This ensures that in the event of a significant security incident or data breach, the organization can immediately reach out to law enforcement or data protection authorities as required by law, without wasting time searching for the correct channels.
Technical Implementation
Required Actions (startup)
- Identify local law enforcement and primary data protection regulator
- Add emergency contact numbers to the Incident Response Plan
Required Actions (scaleup)
- Create a dedicated Authority Contact Register for multiple jurisdictions
- Establish relationships with industry-specific regulators (e.g., financial)
Required Actions (enterprise)
- Conduct tabletop exercises involving mock reporting to authorities
- Automate updates to the regulatory contact list via compliance tools
A.5.5 is an organizational control requiring the maintenance of contact information for relevant legal, regulatory, and supervisory bodies, so that communication with them during incidents is timely.
Relevant authorities include law enforcement agencies, data protection authorities (like the ICO or CNIL), supervisory bodies, and potentially fire or emergency services.
Identify the relevant bodies based on your jurisdiction and industry, document their contact details (phone, email, portals) in your Incident Response Plan, and verify them periodically. WatchDog Security's Compliance Center can assign ownership for these reviews and surface gaps when contact verification is missed.
Previously control A.6.1.1 in the 2013 version, it was renumbered to A.5.5 and categorized under 'Organizational controls' in 2022, though the core requirement remains similar.
Authorities should be contacted when a legal or regulatory obligation arises (such as a personal data breach) or when law enforcement assistance is needed for criminal activity.
Auditors expect to see an up-to-date contact list within your Incident Response Plan and, if applicable, evidence of communication (logs, emails) regarding past incidents. WatchDog Security's Secure File Sharing can provide an auditable trail for shared incident reports and correspondence while keeping access tightly controlled.
Share only the information strictly required by law or necessary for the investigation, ensuring you do not disclose excessive sensitive internal data unless mandated. WatchDog Security's Secure File Sharing can help enforce least-privilege access and produce audit logs showing exactly what was shared and when.
Which authority is relevant depends on the location of your organization and of your data subjects; examples include the ICO in the UK, the DPC in Ireland, or specific state regulators in the US.
Authority contact lists tend to go stale because ownership is unclear and updates happen reactively after an incident. WatchDog Security's Compliance Center can track the Authority Contact Register as a required evidence item with review reminders and gap detection, helping teams document periodic verification and avoid last-minute scrambling during a reportable event.
During incidents, teams need an evidence trail that shows what was reported, when, and by whom, but they also need tight control over sensitive attachments and access. WatchDog Security's Secure File Sharing can help share breach reports and supporting files with time-bound access, TOTP verification, and audit logs so you can demonstrate controlled disclosure while preserving an investigation-ready record.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |