The ISO 27002:2022 control 5.5 specifies that an organisation is to establish and maintain a process for contact with the appropriate authorities in accordance with the legal, regulatory and contractual requirements in which the organisation operates.
Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications. These are the ones found in control 5.5.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Identify #Protect #Respond #Recover | #Governance | #Defence #Resilience |
We can’t think of any company whose service can hold a candle to ISMS.online.
The purpose of the Control 5.5 is to ensure appropriate flow of information take place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities. An appropriate forum for dialogue and cooperation between the Company and relevant legal, regulatory and supervisory authorities must be in place.
Control 5.5 covers the requirement, purpose and implementation instructions on how to identify and report information security events in a timely way, as well as who and how to contact in the event of an incident.
The objective of control 5.5 is to identify which stakeholders (e.g., law enforcement, regulatory bodies, supervisory authorities) would need to be contacted in the event of a security event. It is important that you have already identified these stakeholders before an incident occurs.
Contact with Authorities means that the organisation should establish and implement informal communication with authorities concerning information security issues, including:
The main objective of control 5.5 is to establish the organisation’s relationship with law enforcement agencies as it relates to managing information security risks.
To meet the requirements for control 5.5, it is expected that if an information security incident is discovered, the organisation should specify when and by which authorities (such as law enforcement, regulatory bodies, and supervisory authorities) should be notified, as well as how identified information security incidents are to be reported in a timely manner.
The exchange of information with authorities should also be used to gain a better knowledge of the existing and forthcoming expectations of these agencies (e.g. applicable information security regulations).
This requirement is designed to ensure that the organisation has a coherent strategy for its relationship with law enforcement agencies and that it has identified the most appropriate point of contact in these agencies.
Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organisation.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
Control 5.5: Contact with authorities is not a new addition in ISO 27002:2022. It is an existing control in the original ISO 27002:2013 with control number 6.1.3. This means that the control number was changed in the new version of ISO 27002.
Apart from changing the control number, the phraseology was changed also. Where control 5.5 states that “The organization should establish and maintain contact with relevant authorities.” Control 6.1.3 states that “Appropriate contacts with relevant authorities should be maintained.”. This change in phraseology is designed to make this control more user friendly.
In the 2022 version, a control purpose was included. This is not available in the 2013 version.
At the same time, while the essence of both controls remain the same, there are subtle variations that differentiate one from another.
Control 5.5 in ISO 27002:2022 further adds that contacts with authorities should also be used to facilitate the understanding about the current and upcoming expectations of these authorities (e.g. applicable information security regulations). This is missing in the 2013 version.
The individual responsible for this role is generally the Information Security Manager.
Other individuals can perform this function, but they must report to the Information Security Manager so that they can maintain oversight of these activities. This maintains a consistent message and ensures a consistent relationship with authorities.
It helps drive our behaviour in a positive way that works for us
& our culture.
When a new certification standard is published, there will usually be a transition time. For the majority of certification cycles there is a transition time of two to three years.
That said, the latest edition of ISO 27002 is definitely essential if you’re intending to deploy an ISMS (and potentially even consider an ISMS certification) and you need to make sure your security measures are up to date.
Among the activities to be carried out are, but are not limited to, the following:
Please see our guide to ISO 27002:2022, where you can discover more about how these changes to control 5.5 will affect your organisation.
Keeping track of your information security controls is one of the most difficult aspects of implementing an ISMS that is compliant with ISO 27001. But our cloud-based platform makes this easy.
Our cloud-based platform provides you with a robust framework of information security controls so that you can checklist your ISMS process as you go to ensure that it meets the requirements for ISO 27k. Used properly, ISMS. online can assist you in achieving certification with the bare minimum of time and resources.
Get in touch today to book a demo.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
