Control attributes: Organisational | Preventive | Identify

A.5.5 Contact with Authorities

M365 Admin Path: SharePoint > ISMS > Authorities Contact List

Evidence Source: Manual

What is this control?

ISO 27001 control A.5.5 Contact with Authorities establishes procedures for maintaining appropriate, timely, and authorised contact with relevant legal, regulatory, and supervisory authorities. The control designates a contact owner for each authority so that communications, especially those concerning security incidents or data breaches, are recorded and handled only with proper authorisation. The organisation maintains a formal register of relevant authorities, including Police, the Information Regulator, Financial Regulators, and Emergency Services, with a primary and an alternate contact owner for each.

How to implement in Microsoft 365

Implement A.5.5 by creating and maintaining a formal register of relevant authorities in SharePoint, with contact details and the designated organisational contact persons. Assign a primary and an alternate contact owner for each authority category. Document the incident-driven contact triggers, based on formal incident declaration by the CISO per A.5.26.

Log all authority communications in the formal Incident Response Register, including the decisions taken and their outcomes. Cross-reference the incident detection evidence from Microsoft Sentinel and Defender XDR. Escalate non-emergency authority contact decisions to the CISO or the Management Review Board if the primary contact is unavailable.

Review the register annually, or whenever the regulatory landscape changes.

What an auditor looks for

Auditors will verify that an up-to-date authorities contact register exists, with designated owners and alternates for all relevant authorities. They will review the Incident Response Register for documented communications and decision records. Auditors will examine the evidence linking incident declaration from Sentinel or Defender XDR to authority contact decisions.

They will check post-incident reports for authority contact log entries and verify the escalation trails for cases where the primary contact was unavailable. Auditors will confirm that no unauthorised contact has been made with an authority on behalf of the organisation.