ISO 27002:2022, Control 5.5 – Contact with Authorities

ISO 27002:2022 Revised Controls

Book a demo

bottom,view,of,modern,skyscrapers,in,business,district,against,blue

The ISO 27002:2022 control 5.5 specifies that an organisation is to establish and maintain a process for contact with the appropriate authorities in accordance with the legal, regulatory and contractual requirements in which the organisation operates.

What is Control 5.5 Contact with Authorities?

Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications. These are the ones found in control 5.5.

Attributes Table

Control TypeInformation Security PropertiesCybersecurity ConceptsOperational CapabilitiesSecurity Domains
#Preventive #Corrective#Confidentiality #Integrity #Availability#Identify #Protect #Respond #Recover#Governance#Defence #Resilience
We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

What Is The Purpose of Control 5.5?

The purpose of the Control 5.5 is to ensure appropriate flow of information take place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities. An appropriate forum for dialogue and cooperation between the Company and relevant legal, regulatory and supervisory authorities must be in place.

Control 5.5 covers the requirement, purpose and implementation instructions on how to identify and report information security events in a timely way, as well as who and how to contact in the event of an incident.

The objective of control 5.5 is to identify which stakeholders (e.g., law enforcement, regulatory bodies, supervisory authorities) would need to be contacted in the event of a security event. It is important that you have already identified these stakeholders before an incident occurs.

Contact with Authorities means that the organisation should establish and implement informal communication with authorities concerning information security issues, including:

  • Ongoing communication with relevant authorities to ensure that the organisation is aware of current threats and vulnerabilities.
  • Informing relevant authorities of vulnerabilities discovered in the organisation’s products, services or systems.
  • Receiving information from relevant authorities about threats and vulnerabilities.

What Is Involved and How to Meet the Requirements

The main objective of control 5.5 is to establish the organisation’s relationship with law enforcement agencies as it relates to managing information security risks.

To meet the requirements for control 5.5, it is expected that if an information security incident is discovered, the organisation should specify when and by which authorities (such as law enforcement, regulatory bodies, and supervisory authorities) should be notified, as well as how identified information security incidents are to be reported in a timely manner.

The exchange of information with authorities should also be used to gain a better knowledge of the existing and forthcoming expectations of these agencies (e.g. applicable information security regulations).

This requirement is designed to ensure that the organisation has a coherent strategy for its relationship with law enforcement agencies and that it has identified the most appropriate point of contact in these agencies.

Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organisation.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Differences between ISO 27002:2013 and ISO 27002:2022

Control 5.5: Contact with authorities is not a new addition in ISO 27002:2022. It is an existing control in the original ISO 27002:2013 with control number 6.1.3. This means that the control number was changed in the new version of ISO 27002.

Apart from changing the control number, the phraseology was changed also. Where control 5.5 states that “The organization should establish and maintain contact with relevant authorities.” Control 6.1.3 states that “Appropriate contacts with relevant authorities should be maintained.”. This change in phraseology is designed to make this control more user friendly.

In the 2022 version, a control purpose was included. This is not available in the 2013 version.

At the same time, while the essence of both controls remain the same, there are subtle variations that differentiate one from another.

Control 5.5 in ISO 27002:2022 further adds that contacts with authorities should also be used to facilitate the understanding about the current and upcoming expectations of these authorities (e.g. applicable information security regulations). This is missing in the 2013 version.

Who Is In Charge Of This Process?

The individual responsible for this role is generally the Information Security Manager.

Other individuals can perform this function, but they must report to the Information Security Manager so that they can maintain oversight of these activities. This maintains a consistent message and ensures a consistent relationship with authorities.

It helps drive our behaviour in a positive way that works for us
& our culture.

Emmie Cooney
Operations Manager, Amigo

Book your demo

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

What Do These Changes Mean For You?

When a new certification standard is published, there will usually be a transition time. For the majority of certification cycles there is a transition time of two to three years.

That said, the latest edition of ISO 27002 is definitely essential if you’re intending to deploy an ISMS (and potentially even consider an ISMS certification) and you need to make sure your security measures are up to date.

Among the activities to be carried out are, but are not limited to, the following:

  • Purchasing the most recent standard.
  • Examine the new standard to see how it has changed. The standard will provide a mapping table that will show how the new standard corresponds to the ISO 27002:2013 standard.
  • Conduct a risk analysis as well as a control gap analysis.
    Select the controls that are relevant and change your ISMS policies, standards, and other documentation.
  • Make any necessary changes to your Statement of Applicability.
  • You should revise your internal audit programme to reflect the improved controls that you have chosen.

Please see our guide to ISO 27002:2022, where you can discover more about how these changes to control 5.5 will affect your organisation.

How ISMS.online Helps

Keeping track of your information security controls is one of the most difficult aspects of implementing an ISMS that is compliant with ISO 27001. But our cloud-based platform makes this easy.

Our cloud-based platform provides you with a robust framework of information security controls so that you can checklist your ISMS process as you go to ensure that it meets the requirements for ISO 27k. Used properly, ISMS. online can assist you in achieving certification with the bare minimum of time and resources.

Get in touch today to book a demo.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing
Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.