One reason organisations implement ISO27001 is to meet a specific contractual, legal or regulatory requirement. This particular control expects you to establish and maintain contact with the relevant authorities.
In order to do this correctly, there are several steps you need to follow. But let’s look at the requirement first and go from there.
What does the standard require?
The standard states that “The organisation shall establish and maintain contact with relevant authorities.” (A5.5 Contact with authorities)
The first step is to identify who the relevant authorities are. This may require you to speak to your organisation's leaders, but it might also be relatively obvious depending on which sector you operate in.
Why is this required?
If there is an incident, such as a cyber-attack or data breach, you need to ensure someone already has a good relationship with the relevant authorities, knows what to do and knows who to contact. In an emergency this can be incredibly important, as the authorities may offer support and guidance that is invaluable during the incident.
What the auditor is looking for
The auditor is looking for a list of relevant authorities that you might speak to.
This information may be within your business continuity plans or in a separate document. We prefer to keep it separate (as it is easier to maintain) but refer to it from our ‘Subject Access Request’ (SAR) process, our Incident Management Plans and our Disaster Recovery Plans.
If you do this, then ensure you also identify who is maintaining contact with the relevant authorities. For example, your Data Protection Officer (DPO) is likely to be the one who maintains contact with the Supervisory authority in your region. But what about clients? Who is the person maintaining contact with them?
To develop this ‘Authorities Register’, capture information, such as law enforcement, regulatory bodies, and supervisory authorities, based on your legal, regulatory, and contractual obligations. Speak to your business about who you are governed by, and capture this in one place.
Communication with Authorities
The auditor might also want to see when and how communication has taken place. If this hasn’t happened yet, then being able to explain what the process is will be sufficient. This is one of the reasons we include a reference in the BC plans, as we can include a statement such as: “It is the responsibility of the relationship owner to speak to the relevant authority listed within the ‘Authorities Register’.”
Q & A
Who are the ‘relevant’ authorities for my organisation?
That’s almost impossible for us to know without speaking to you. We can say that the first authority you should include on your register is the Supervisory Authority for your region. Within the UK, this is the Information Commissioner’s Office (ICO). But this is one of those occasions where your knowledge of your sector and your business is of critical importance. Speak to your business leaders and ask them who you are regulated by.
What do I have to share with the authority?
This depends on the relationship, but also on what has happened. If there is a data breach and you need to speak to the ICO, then you will need to share a lot of information with them. This is why it’s better to build these relationships now, so that you know in advance what will be needed.
Is there a time limit on when I need to speak to authorities?
Again, this depends, as each situation is different. For data breaches which might have an impact on data subjects, you must inform the supervisory authority without undue delay. This certainly should not be longer than 72 hours from discovering the breach. However, for other regulatory and legislative bodies, timelines may differ. What we would recommend is establishing these relationships BEFORE you need to speak to them following a breach. After all, that’s what this control is asking you to do.
Difficulty rating
We rate this control a 1 out of 5 for difficulty. This means that it requires no technical skills to satisfy the requirement. It does, however, require you to speak to your organisation and build up a central register of relevant authorities.
More questions?
Just remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers on other aspects of the standard. If you’re still unsure how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.