Contact with Authorities - ISO 27001 Annex A Control

Know who you would call if something serious happened tomorrow.

ISO 27001 Annex A 5.5 - Contact with Authorities

The control is about knowing who to contact and how, before something happens that needs reporting. The relevant authorities depend on the organisation, the sector and the kind of information being handled, but the typical UK list includes the Information Commissioner's Office for personal data breaches, the National Cyber Security Centre for cyber incidents, the police for criminal activity, sector regulators where applicable and emergency services for physical incidents.

Reporting obligations under UK GDPR are time-bound. A personal data breach that meets the threshold has to be reported to the ICO within 72 hours of becoming aware of it. That timescale only works if someone has identified the contact route in advance, knows the criteria for reporting, and has the authority to make the call when needed.

Contact does not have to be active or ongoing. The expectation is that the route is identified, recorded, and ready to use. For some organisations there will also be ongoing contact through industry forums or sector regulators, but for most the requirement is to know the route exists rather than to use it routinely.

The audit question is simple. Who would you contact if there was a personal data breach? Who would you contact if you had a serious cyber incident? Who would you contact if a member of staff was caught stealing information? If those answers come back quickly with names, organisations and routes, the control is in place. If they do not, that is a finding.

Practical Compliance Guidance

Authority contact arrangements are described in the IMS1 Manual Section 3.3 on management system communication, which clarifies who is responsible for liaison with external bodies and authorities.

alphaZ document: How to use it

ISO 27001 Toolkit: The full alphaZ ISO 27001 toolkit, including the IMS1 Manual, information security risks register, policy-procedures, forms, registers and audit checklists.

F-IMS27 Legal Register: Records the relevant legislation and regulators alongside the contact details. Use this as the reference for who to notify and under what conditions.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

For most UK organisations the list includes the Information Commissioner's Office, the National Cyber Security Centre, the relevant sector regulator if applicable, the police and emergency services. The exact list depends on the organisation and the kind of information handled.

No. The control is about being able to contact them when needed, not maintaining an active relationship. Some organisations have ongoing engagement through sector forums, but most just need the contact route documented and known to the people who would need to use it.

Under UK GDPR, a personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk, the affected individuals also have to be informed without undue delay.
