Contact with Special Interest Groups - ISO 27001 Annex A Control

ISO 27001 Annex A 5.6

Stay connected to the security community so you do not learn alone.

ISO 27001 Annex A 5.6 - Contact with Special Interest Groups

This control is about staying informed. Information security threats, techniques and good practice change quickly. The organisation has to have a way of keeping current that does not depend on any single individual reading the right article or attending the right conference.

The relevant groups depend on what the organisation does. Common ones for UK organisations include the National Cyber Security Centre alerts and guidance, the Information Commissioner's Office news and rulings, vendor security advisories for the technologies in use, sector-specific groups where applicable, and broader industry forums or membership bodies. Subscribing to threat intelligence feeds counts. Following relevant accounts on professional networks counts. Attending occasional briefings counts.

The control is not asking for active participation in everything. It is asking for a documented arrangement under which someone takes responsibility for staying informed, and the information that comes in is fed back into the management system through the risk register, awareness training or policy updates.

For us, the practical answer is that the Information Security Lead reads the NCSC (National Cyber Security Centre) weekly threat reports, subscribes to vendor security advisories for the platforms we run, and follows a couple of industry accounts. Anything significant is fed into the next risk register review. Anything urgent goes straight to the change control process.

We do not need to be a member of every forum out there. We just need to be plugged into enough sources that we are not relying on luck to hear about a major issue.

Practical Compliance Guidance

Responsibility for keeping contact with relevant special interest groups is allocated in the IMS1 Manual Section 2.2/3.3. The Information Security Lead is responsible for maintaining contacts with security forums and relevant professional associations.

alphaZ document - How to use it

ISO 27001 Toolkit: The full alphaZ ISO 27001 toolkit, including the IMS1 Manual, information security risks register, policy-procedures, forms, registers and audit checklists.

ER15 Information Security Risks: Where threat intelligence and emerging risks identified through external sources get recorded and tracked. Update this when significant new information comes from any subscribed source.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The control is about staying informed, not about formal membership. Subscribing to NCSC alerts, following relevant vendor advisories and reading industry news count. Membership of a professional body is one option but not required.

By asking which sources of information security information the organisation subscribes to, who is responsible, and how that information is acted upon. They will look for evidence that recent significant alerts or threats have been considered through the risk management process.

A.5.6 is about being plugged into the right networks and information sources. A.5.7 is about how the threat information collected is analysed and used to drive security decisions. The two work together - sources feed in via A.5.6, analysis and action happen through A.5.7.
