What is Control 5.5 Contact with Authorities?
Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications. These are the ones found in control 5.5.
Attributes of Control 5.5
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Identify | #Governance | #Defence |
| #Corrective | #Integrity | #Protect | #Resilience | |
| #Availability | #Respond | |||
| #Recover |
What Is The Purpose of Control 5.5?
The purpose of the Control 5.5 is to ensure appropriate flow of information take place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities. An appropriate forum for dialogue and cooperation between the Company and relevant legal, regulatory and supervisory authorities must be in place.
Control 5.5 covers the requirement, purpose and implementation instructions on how to identify and report information security events in a timely way, as well as who and how to contact in the event of an incident.
The objective of control 5.5 is to identify which stakeholders (e.g., law enforcement, regulatory bodies, supervisory authorities) would need to be contacted in the event of a security event. It is important that you have already identified these stakeholders before an incident occurs.
Contact with Authorities means that the organisation should establish and implement informal communication with authorities concerning information security issues, including:
- Ongoing communication with relevant authorities to ensure that the organisation is aware of current threats and vulnerabilities.
- Informing relevant authorities of vulnerabilities discovered in the organisation’s products, services or systems.
- Receiving information from relevant authorities about threats and vulnerabilities.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Is Involved and How to Meet the Requirements
The main objective of control 5.5 is to establish the organisation’s relationship with law enforcement agencies as it relates to managing information security risks.
To meet the requirements for control 5.5, it is expected that if an information security incident is discovered, the organisation should specify when and by which authorities (such as law enforcement, regulatory bodies, and supervisory authorities) should be notified, as well as how identified information security incidents are to be reported in a timely manner.
The exchange of information with authorities should also be used to gain a better knowledge of the existing and forthcoming expectations of these agencies (e.g. applicable information security regulations).
This requirement is designed to ensure that the organisation has a coherent strategy for its relationship with law enforcement agencies and that it has identified the most appropriate point of contact in these agencies.
Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organisation.
Differences between ISO 27002:2013 and ISO 27002:2022
Control 5.5: Contact with authorities is not a new addition in ISO 27002:2022. It is an existing control in the original ISO 27002:2013 with control number 6.1.3. This means that the control number was changed in the new version of ISO 27002.
Apart from changing the control number, the phraseology was changed also. Where control 5.5 states that “The organization should establish and maintain contact with relevant authorities.” Control 6.1.3 states that “Appropriate contacts with relevant authorities should be maintained.”. This change in phraseology is designed to make this control more user friendly.
In the 2022 version, a control purpose was included. This is not available in the 2013 version.
At the same time, while the essence of both controls remain the same, there are subtle variations that differentiate one from another.
Control 5.5 in ISO 27002:2022 further adds that contacts with authorities should also be used to facilitate the understanding about the current and upcoming expectations of these authorities (e.g. applicable information security regulations). This is missing in the 2013 version.
Who Is In Charge Of This Process?
The individual responsible for this role is generally the Information Security Manager.
Other individuals can perform this function, but they must report to the Information Security Manager so that they can maintain oversight of these activities. This maintains a consistent message and ensures a consistent relationship with authorities.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
What Do These Changes Mean For You?
When a new certification standard is published, there will usually be a transition time. For the majority of certification cycles there is a transition time of two to three years.
That said, the latest edition of ISO 27002 is definitely essential if you’re intending to deploy an ISMS (and potentially even consider an ISMS certification) and you need to make sure your security measures are up to date.
Among the activities to be carried out are, but are not limited to, the following:
- Purchasing the most recent standard.
- Examine the new standard to see how it has changed. The standard will provide a mapping table that will show how the new standard corresponds to the ISO 27002:2013 standard.
- Conduct a risk analysis as well as a control gap analysis.
Select the controls that are relevant and change your ISMS policies, standards, and other documentation. - Make any necessary changes to your Statement of Applicability.
- You should revise your internal audit programme to reflect the improved controls that you have chosen.
Please see our guide to ISO 27002:2022, where you can discover more about how these changes to control 5.5 will affect your organisation.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
Keeping track of your information security controls is one of the most difficult aspects of implementing an ISMS that is compliant with ISO 27001. But our cloud-based platform makes this easy.
Our cloud-based platform provides you with a robust framework of information security controls so that you can checklist your ISMS process as you go to ensure that it meets the requirements for ISO 27k. Used properly, ISMS. online can assist you in achieving certification with the bare minimum of time and resources.
Get in touch today to book a demo.
