Establish and Maintain Contact with Authorities
Ensure you can quickly contact authorities like police or regulators for security issues.
Plain language
This control is about making sure your organisation can quickly get in touch with the right authorities, like the police or regulators, when a security issue happens. This is important because delays in contacting authorities can make security problems worse and harder to fix.
Framework
ISO/IEC 27001:2022
Control effect
Proactive
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
The organization shall establish and maintain contact with relevant authorities.
Why it matters
Delayed or absent contact with authorities can escalate incidents, causing reputational damage and regulatory or legal consequences.
Operational notes
Regularly test and update authority contact details, after-hours numbers, and liaison roles so escalation to relevant regulators or police works in an emergency.
Implementation tips
- Senior Management should designate a contact person within the organisation who will be responsible for communication with authorities. This person should be well-versed in the organisation's security policies and have the authority to make necessary decisions.
- The IT manager should establish a contact list of relevant authorities, such as local police, data protection offices, and regulatory bodies. This list should include names, phone numbers, and email addresses and should be regularly updated.
- The Risk Officer should develop a procedure for when and how authorities should be contacted during security incidents. This procedure should be simple, clear, and included in the organisation’s incident response plan.
- HR should ensure that all employees are trained on the importance of reporting security incidents promptly and on whom to notify in such events, according to the established procedure.
- Compliance Officers should regularly review current and upcoming information security regulations to ensure that the organisation's policies and procedures remain compliant, and communicate any changes to the relevant personnel.
Audit / evidence tips
- Ask: Request to see the list of relevant authority contacts.
  Good: The contact list is comprehensive, up-to-date, and accessible to those who need it.
- Ask: Ask to review the procedure for contacting authorities during security incidents.
  Good: The procedure is clear, documented, and staff are aware of it.
- Ask: Ask for records of any communications or incidents that required contact with authorities.
  Good: Records are well-documented and demonstrate a timely response to incidents.
- Ask: Inquire about employee training materials regarding reporting procedures for security issues.
  Good: Training materials are comprehensive and routinely delivered to all employees.
- Ask: Request any meeting notes or communications with regulatory bodies regarding compliance and security expectations.
  Good: Regular communication is maintained with authorities, demonstrating proactive compliance management.
Cross-framework mappings
How Annex A 5.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8

Supports (3)

| Control | Notes |
|---|---|
| E8-MF-ML2.11 | E8-MF-ML2.11 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
| E8-RA-ML2.12 | E8-RA-ML2.12 requires cyber security incidents to be reported to ASD as soon as possible after they occur or are discovered |
| E8-AH-ML2.17 | E8-AH-ML2.17 requires prompt reporting of cyber security incidents to ASD |
ASD ISM

Partially meets (1)

| Control | Notes |
|---|---|
| ISM-0140 | Annex A 5.5 requires the organisation to establish and maintain contact with relevant authorities to support rapid coordination during se... |

Partially overlaps (1)

| Control | Notes |
|---|---|
| ISM-1755 | ISM-1755 requires organisations to develop, implement and maintain a vulnerability disclosure policy to enable secure reporting and coord... |

Supports (7)

| Control | Notes |
|---|---|
| ISM-0039 | ISM-0039 requires the organisation to maintain a cyber security strategy that remains aligned to the operating and regulatory environment |
| ISM-0043 | Annex A 5.5 requires the organisation to establish and maintain contact with relevant authorities so engagement can occur quickly when ne... |
| ISM-0138 | ISM-0138 mandates that investigators maintain evidence integrity and follow instructions from law enforcement |
| ISM-0181 | ISM-0181 stipulates that cabling must meet Australian Standards as directed by ACMA |
| ISM-0249 | ISM-0249 requires system owners deploying SECRET or TOP SECRET systems on mobile platforms or as a deployable capability to contact ASD f... |
| ISM-0576 | ISM-0576 requires an incident management policy and incident response plan that are implemented and maintained, which typically include e... |
| ISM-1137 | ISM-1137 requires system owners deploying SECRET or TOP SECRET systems in fixed facilities to contact ASD for an emanation security threa... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.