Navigating ISO 27001 Annex A: Control A.5.5

Blog Series

Welcome to our ISO 27001 Annex A Blog series, where we explore the essential elements of information security management. Building on our previous discussion of Control A.5.4, this fourth instalment focuses on Control A.5.5, which underscores the importance of establishing and maintaining appropriate contact with relevant authorities. This control highlights that security is not solely an IT concern—it is a shared responsibility that involves strategic communication and collaboration with external entities.

In this blog, we will delve into how management can ensure that the organisation is prepared to engage with authorities when necessary, transforming intentions into actionable protocols. By prioritising effective communication, leaders can embed security into the organisational culture, empowering everyone to contribute to a robust security framework.

What are the requirements from the standard?

Control 5.5 requires organisations to establish and maintain appropriate contact with relevant authorities.

According to ISO/IEC 27002, this includes:

  • Identifying which authorities are relevant (regulators, data protection authorities, law enforcement, sector-specific bodies).
  • Defining when and how contact should occur, particularly during information security incidents.
  • Ensuring roles and responsibilities for contacting authorities are clearly assigned.
  • Making sure information shared is accurate, timely, and authorised.

The control is not about constant communication. It’s about being prepared to engage when legally, regulatorily, or operationally required.

Why this control matters

When a serious incident occurs, confusion often follows. In those moments, not knowing who to contact, or who you are allowed to speak to, can make a bad situation worse.

From an audit perspective, this control supports:

  • Legal and regulatory compliance
  • Effective incident management
  • Organisational credibility and trust
  • Reduced risk of fines, penalties, or reputational damage

In many cases, delays or mistakes in communication with authorities are not technical failures, but governance ones.

How to implement

Identify the authorities that are relevant to the organisation, for example:

  • Data protection authorities (GDPR-related)
  • Industry regulators
  • National cybersecurity bodies or CERTs
  • Law enforcement (where applicable)

Define the situations in which contact is required, such as:

  • Data breaches
  • Legal notifications
  • Significant cyber incidents
  • Regulatory reporting thresholds

Assign responsibilities clearly:

  • Who initiates contact?
  • Who approves communication?
  • Who maintains the contact list?

Integrate authority contact into existing processes and documents:

  • Incident response plans
  • Escalation procedures
  • Communication playbooks

Review the arrangements regularly, because:

  • Authorities change
  • Requirements evolve
  • Contacts go out of date

How auditors assess this

Auditors typically look for evidence of readiness, not just documentation.

This includes:

  • A defined list of relevant authorities
  • Clear roles and responsibilities
  • Incident response procedures referencing authority contact
  • Evidence that staff know when escalation is required
  • Alignment with legal and regulatory requirements

A common audit question is:

If a serious incident happened tomorrow, who would you contact and how quickly?

If the answer is unclear, this control is usually not effective.

Practical tips

  • Keep contact details centralised and accessible, especially during incidents.
  • Align this control closely with incident management and legal compliance.
  • Run tabletop exercises that include authority notification scenarios.
  • Avoid over-sharing: define what can and cannot be communicated.
  • Review authority contact requirements after major regulatory changes.

Common pitfalls

  • No clear ownership for external communication.
  • Assuming IT or security will “handle it” without legal input.
  • Outdated or incorrect authority contact details.
  • Confusing internal escalation with external notification.
  • Only considering regulators and forgetting law enforcement or sector bodies.

Final thoughts

Control 5.5 is not about bureaucracy; it’s about preparedness under pressure.
In my audit experience, organisations that handle this well are usually the ones that have already accepted a simple truth:

Incidents are not a question of if, but when, and communication matters as much as containment.

Handled properly, this control strengthens trust, clarity, and confidence when it matters most.

The author

Dimitar Yotov

Scheme Manager ISMS

TÜV UK Ltd
AMP House
Suites 27 - 29, Fifth Floor, Dingwall Road
Croydon, CR0 2LX

Tel.: +44 20 8680-7711
Enquiries.UK@tuv-nord.com