Gary Hibberd

ISO27001:2022 - A5.6 Contact with special interest groups

Updated: Aug 2



As the saying goes, ‘no man is an island’ and that’s what this control is suggesting. It is asking you to consider who you need to help you in your endeavour to become more secure. 

 

As always, there’s more to this ISO27001 control than meets the eye so let’s take a closer look.


 

What does the standard require?


The standard states that “The organisation shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.” (A5.6 Contact with special interest groups)

 

There are three areas of focus for this control:

 

- Special interest groups.

- Specialist security forums.

- Professional associations.

 

The control expects you to establish AND maintain contact with these groups, so that’s what you need to do.

 

Why is this required?


There are two very good reasons you need this control. The first is that you and your organisation need to be informed of any risks and issues related to your industry, your technology and your services. This information will invariably come from outside your organisation, perhaps from a user group on cloud security, or via a professional association (e.g. the Information Commissioner's Office (ICO)).

 

The second reason this is an important control is that you can’t know everything(!) You will need to acquire new skills and information, so that you keep abreast of the latest technology or techniques in protecting your organisation.

 

What the auditor is looking for


The very next control we'll be discussing is 'Threat Intelligence' (A5.7), which asks you to outline how you identify threats to your organisation. We would argue that one of the first places you'll identify threats is via a forum, a user group, or some professional body or association.

 

Create a simple spreadsheet which lists the relevant groups that you regularly receive information and updates from. For each group, identify:


- The interest group name

- Format of the interaction (e.g. online, in-person, newsletters)

- Description of the group: who they serve and what information they provide

- Who owns the relationship

 

Perhaps there are online forums, such as the Microsoft or Amazon user groups, or there are user groups that you meet up with on a regular basis (e.g. monthly virtual or in-person meetings). There is a whole range of cyber-related forums that meet online and in-person, and the auditor will need to see that you have identified these and maintain regular links with them.

 

Don’t forget professional associations that your team might be part of, or forums they regularly speak to.


 

Q & A


Who are the ‘relevant’ SIGs for my organisation?

That's difficult for us to know without speaking to you and your business. Every organisation will use different software tools and have different needs and requirements, so speak to your teams and ask them: "How do you keep informed about the latest information related to your profession?"

 

Lawyers will go to solicitor briefings, IT professionals will attend seminars, events and webinars, and information security people will do the same.

 

Is it possible to get this wrong?

Only if you ignore the control! Make sure you identify SIGs for your register, and ensure these relationships are being maintained. Don't underestimate the importance of this group. As we said at the outset, no person is an island and you can't be expected to know everything. Who is in your corner? Who can you turn to for information?

 

Difficulty rating

We rate this control 1 out of 5 for difficulty. This means that it requires no technical skills to satisfy the requirement. It does, however, require you to speak to people across your organisation and build up a central register of SIGs.

 

More questions?



Just remember that nothing in ISO27001 sits in isolation, so you should review our ISO 27001 FAQ to gain answers to other aspects of the standard, but if you're still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we'll be happy to help.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.
