Annex A · Organisational Control

A.5.5 — Contact with Authorities

Reading time: 4 min · Reviewed by: Cenedril Editorial
Tags: A.5.5 · ISO 27001 · ISO 27002 · BSI DER.2.1

A ransomware attack has encrypted the file servers. The incident response team knows what to do technically, but nobody has the phone number for the national cyber security centre, and the legal team is unsure which data protection authority to notify. A.5.5 prevents this scenario by requiring that contact with relevant authorities is established and maintained before an incident occurs.

Authority contacts are a preparedness measure. They ensure the organisation can meet its legal reporting obligations and receive specialist assistance when the situation exceeds internal capabilities.

What does the standard require?

  • Identify relevant authorities. Determine which legal, regulatory and supervisory authorities are relevant based on the organisation’s sector, geography and legal obligations.
  • Document contact details. Maintain an up-to-date list of authority contacts, including names, phone numbers, email addresses and escalation procedures.
  • Define when and how to contact them. Establish clear procedures for mandatory and voluntary reporting — who in the organisation initiates the contact, through which channel and within what timeframe.
  • Stay informed about legal developments. Use authority contacts proactively to learn about upcoming regulatory changes, advisories and threat warnings relevant to the organisation.
  • Integrate into incident response. Authority contact procedures must be embedded in the incident response plan, so that reporting obligations are met under time pressure.

In practice

Map obligations to authorities. Start with the legal register. Every legal or regulatory obligation that requires notification or reporting points to an authority. Match each obligation to a named contact and a responsible internal person.

Include utility and emergency contacts. Beyond regulatory bodies, include contacts for essential services: electricity provider, telecommunications provider, fire services, building security. These become critical during physical security incidents or business continuity events.

Test the contacts. A contact list that has never been used may contain outdated numbers. Include authority contact verification in incident response exercises. Even a simple annual check — calling the number and confirming it reaches the right person — prevents surprises during a real incident.

Brief the incident response team. Everyone on the incident response team must know where the authority contact register is stored and under what circumstances they should use it. Include the register in tabletop exercises.

Typical audit evidence

Auditors typically expect the following evidence for A.5.5:

  • Authority contact register — comprehensive list of relevant authorities with current contact details
  • Incident response plan — showing where authority notification is integrated into the response workflow
  • Notification records — evidence of past notifications to authorities (data breach reports, incident notifications)
  • Contact verification records — showing that authority contacts were reviewed for currency
  • Legal register extracts — mapping legal obligations to authority contacts

KPI

Number of relevant authorities with documented and up-to-date contact information

This KPI tracks the completeness of the authority contact register. Target: all identified relevant authorities have verified, current contact details. Review against the legal register to ensure no authority has been missed.

Supplementary KPIs:

  • Percentage of mandatory notifications submitted within the required timeframe
  • Time between incident detection and first authority contact
  • Date of last contact register review (target: within the last 12 months)

BSI IT-Grundschutz

A.5.5 maps to the following BSI requirements:

  • DER.2.1.A4 (Determining notification obligations during security incidents) — requires organisations to identify in advance which authorities must be notified for different incident types.
  • DER.2.1.A9 (Escalation strategy for security incidents) — mandates escalation procedures that include authority contacts for incidents exceeding internal response capabilities.
  • DER.2.1.A14 (Coordination with external parties) — requires preparation for cooperation with external authorities, CERTs and law enforcement.

A.5.5 supports incident preparedness and compliance:

Frequently asked questions

Which authorities are relevant for ISO 27001?

This depends on the organisation's context. Common contacts include the national data protection authority, the national cyber security centre (e.g. BSI in Germany, NCSC in the UK), law enforcement, sector-specific regulators (e.g. BaFin for financial services), and utility providers and emergency services.

Must we have a personal relationship with each authority?

A personal relationship is helpful, but the standard only requires that contact information is identified, documented and accessible to the people who may need it. The key is being able to reach the right authority quickly during an incident.

When must we contact authorities proactively?

Proactive contact is required whenever a legal or regulatory obligation exists, for example data breach notifications under GDPR (within 72 hours) or reporting of critical infrastructure incidents. Beyond mandatory reporting, early engagement with authorities during a serious incident often leads to faster resolution.