Annex A Controls

A.5.5 and A.5.6 — Contact with Authorities and Special Interest Groups

Alex Fuerst

03 Sep 2025 — 6 min read

Understanding the Real Purpose

These two controls — A.5.5 Contact with Authorities and A.5.6 Contact with Special Interest Groups — consistently rank among the most superficially implemented requirements I encounter during audits. Organizations mark them as "implemented" while maintaining nothing more than a bookmark folder labeled "Emergency Contacts" containing outdated phone numbers and generic government websites. This approach misses the fundamental purpose: building operational relationships that function under stress.

The 2022 revision of ISO 27002 strengthened these controls significantly. Control 5.5 now explicitly requires organizations to "establish and maintain contact with relevant authorities" while specifying "when and by whom authorities should be contacted and how identified information security incidents should be reported in a timely manner." Control 5.6 mandates establishing contact with "special interest groups or other specialist security forums and professional associations" with clear operational benefits outlined.

Both controls directly support your incident response capabilities under Controls 5.24-5.28 and business continuity planning per Controls 5.29-5.30. They're not administrative overhead — they're operational enablers that determine whether your incident response happens efficiently or deteriorates into chaos.

Building Your Authority Contact Framework

The phrase "relevant authorities" requires interpretation based on your risk profile, regulatory environment, and geographic footprint. I consistently see organizations either over-engineering this requirement with exhaustive lists of marginally relevant contacts, or under-implementing it with generic law enforcement references.

Law Enforcement Contacts: Your local police department likely cannot help with sophisticated cyber incidents. Ransomware attacks involving cryptocurrency transactions typically require FBI involvement in the United States, the National Crime Agency in the UK, or specialized cybercrime units elsewhere. Cross-border incidents involving EU personal data may trigger obligations under multiple jurisdictions simultaneously. Document specific contact procedures for different incident types rather than maintaining a single "police" entry.

Data Protection Authorities: Under GDPR Article 33, you have 72 hours to report certain personal data breaches to your supervisory authority. Which authority? If you're a multinational processing data across EU member states, do you understand the one-stop-shop mechanism? I've watched incident teams waste critical hours during active breaches figuring out basic reporting requirements that should have been established during normal operations.

Sector-Specific Regulators: Financial institutions know their FCA, SEC, or FINRA requirements. Healthcare organizations understand HHS obligations. But what about manufacturing companies subject to export controls? Software companies whose products might be used in critical infrastructure? Supply chain partners who inherit regulatory obligations through customer contracts? Your authority contact list reflects your understanding of your actual regulatory environment.

National Cybersecurity Resources

Every developed nation maintains cybersecurity agencies specifically designed to help organizations during incidents. CISA in the United States, NCSC in the United Kingdom, CERT-EU for European Union institutions — these organizations offer threat intelligence, incident support, and vulnerability coordination. Yet I regularly audit organizations that have never registered with these bodies or established any contact mechanism.

These agencies provide more than incident response support. They publish threat bulletins, maintain sector-specific guidance, and offer early warning systems for emerging threats. The implementation guidance in ISO 27002 specifically mentions using authority contacts "to facilitate the understanding about the current and upcoming expectations of these authorities," including regulatory changes that might affect your organization.

Practical tip: Document not just contact information, but specific circumstances that trigger each contact. "FBI for ransomware incidents involving cryptocurrency" provides more clarity than "law enforcement for cybercrimes."

Special Interest Groups That Actually Matter

Control 5.6 addresses information sharing communities that provide threat intelligence, vulnerability notifications, and incident response support that your internal team cannot replicate alone. The ISO 27002 guidance lists six specific benefits, including early warning systems and access to specialist advice during incidents.

Industry-Specific Information Sharing: Financial services organizations might participate in FS-ISAC, healthcare entities in H-ISAC, or energy companies in E-ISAC. These sector-specific communities share threat intelligence relevant to your business model and regulatory environment. Membership often provides access to indicators of compromise (IoCs) before they appear in public threat feeds.

Geographic and Technology Communities: Regional CERTs, technology vendor security communities, and geographic industry associations provide localized threat intelligence and incident coordination. If you operate AWS infrastructure, are you connected to AWS security bulletins? If you use Microsoft technologies, do you receive security notifications through appropriate channels?

Professional Development Networks: Organizations like (ISC)², ISACA, or local OWASP chapters serve dual purposes: professional development for your security team and access to collective knowledge during unusual incidents. These relationships matter most when you encounter something outside your team's experience.

The Documentation Requirement

Both controls require documented procedures that specify contact triggers, escalation criteria, and communication protocols. This documentation should integrate with your incident response procedures under Control 5.26 and your business continuity plans per Control 5.29.

I recommend maintaining contact matrices that map incident types to appropriate external contacts. A ransomware incident might trigger law enforcement notifications, regulatory reporting, cyber insurance communications, and industry information sharing simultaneously. Document these parallel communication streams rather than treating external contact as a single decision point.

What Auditors Look For

During audits, I examine several specific areas for these controls:

Contact Currency: Are the contact details accurate and current? I test-dial critical numbers and verify email addresses. Outdated contact information during an incident becomes a secondary crisis.

Decision Criteria: Does your documentation specify who makes contact decisions under what circumstances? Incident response operates under stress with compressed timelines. Clear escalation triggers prevent hesitation during critical moments.

Integration Testing: Have you tested these contacts during exercises or actual incidents? The most impressive contact list becomes worthless if your team has never practiced using it. I look for evidence of tabletop exercises that include external communication scenarios.

Authority Alignment: Do your authority contacts match your actual risk profile and regulatory obligations? A software-as-a-service company processing EU personal data requires different authority relationships than a local manufacturing business.

Information Sharing Evidence: For special interest groups, can you demonstrate actual participation rather than passive membership? I look for threat intelligence incorporation, participation in information sharing exercises, or evidence that external community knowledge influences your security posture.

Common Implementation Mistakes

The most frequent error I encounter is treating these controls as contact list maintenance rather than relationship building. Organizations compile impressive spreadsheets of government agencies and industry groups without establishing actual communication channels or understanding when to use them.

Another common mistake involves geographic mismatch. I've audited UK-based organizations maintaining FBI contact information as their primary law enforcement relationship, or US companies listing only European data protection authorities despite processing American customer data. Your contact strategy should reflect your actual operational geography and legal obligations.

The third pattern involves over-reliance on automated systems. While security information sharing platforms provide valuable intelligence, they don't replace direct relationships during crisis situations. Automated feeds supplement human networks; they don't substitute for them.

Integration with Business Continuity

These controls extend beyond cybersecurity incidents. The ISO 27002 guidance specifically mentions utilities, emergency services, and infrastructure providers as potential authority contacts. If your business depends on specific telecommunications routing, do you have direct contacts with your providers' network operations centers? For organizations operating critical facilities, have you established relationships with local emergency services who might respond to physical security incidents?

This broader interpretation connects these controls to your business impact analysis under Control 5.29 and supply chain security requirements in ISO 27036. Critical suppliers might themselves be sources of threat intelligence or incident coordination, particularly in technology-dependent industries.

Making It Operational

Transform these controls from compliance checkboxes into operational capabilities by treating relationship building as an ongoing process. Attend industry conferences where you meet peers facing similar challenges. Participate in government-sponsored cybersecurity workshops. Join sector-specific information sharing initiatives where your contribution provides value to the community.

Most importantly, test these relationships during non-crisis periods. Engage with your national cybersecurity center during their public consultations. Participate in industry working groups. When an actual incident occurs, you'll activate existing relationships rather than introducing yourself during crisis conditions.

Remember that effective implementation of Controls 5.5 and 5.6 ultimately determines whether your incident response operates as a coordinated effort or an isolated struggle. The authority contacts and special interest group relationships you build today become the support network you depend on when everything else goes wrong.

Need help implementing these controls in your organization? Connect with experienced practitioners and get detailed implementation guidance at the IX ISO 27001 Info Hub.

Need personalized guidance? Reach our team at ix@isegrim-x.com.