Control 5.5: Contact with Authorities


Summary

The organization must establish and maintain appropriate contacts with relevant authorities (law enforcement, regulators, privacy commissioners, national CERT/CSIRT) so that information can be exchanged quickly in the event of a security incident and so that the organization stays informed of its legal and regulatory requirements.


Applicability

In-Scope: Essential for incident response and regulatory compliance. The organization must know, before an incident happens, whom to contact (law enforcement, privacy commissioners, sector regulators) and within what deadline, especially under breach-notification laws such as Quebec's Law 25.

Out-of-Scope: This control could only be excluded if the organization had no legal or regulatory ties at all, which is effectively impossible for a modern business. Expect to justify it as applicable.


Implementation Guidance

Microsoft 365 / Entra ID

  • Incident Response Plan: Store the Incident Response Plan, including a verified directory of external authorities (name, role, phone, e-mail, notification deadline), in an access-controlled SharePoint library. Because Microsoft 365 itself may be unreachable during an incident (tenant compromise, connectivity loss), also keep an offline copy, for example a OneDrive-synced or printed version held by the incident commander, and refresh it whenever the directory changes.

  • Compliance Manager: Use Microsoft Purview Compliance Manager assessments to track the regulations the organization is subject to, and record in the related improvement actions which authority oversees each one and how it must be notified.

  • Secure Communication: Configure Microsoft Purview Message Encryption (formerly Office 365 Message Encryption, OME) so that mail to law enforcement or regulators during a sensitive investigation is encrypted, either by having staff apply the Encrypt option in Outlook or, more reliably, by a mail flow rule that applies the template automatically for the authorities' verified domains.

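The mail flow rule mentioned above, as an added example written for this page rather than taken from Microsoft documentation or any tenant. It assumes an Exchange Online tenant with the Exchange Online PowerShell module installed, that the built-in "Encrypt" rights management template is available (it is in tenants with Microsoft Purview Message Encryption), and that the two recipient domains and the administrator account are placeholders to be replaced with the verified entries from the authority directory.

```powershell
# Added example: enforce Purview Message Encryption on mail to listed authorities.
# Requires: Install-Module ExchangeOnlineManagement; Exchange admin role.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder account

# Assumption: these domains come from the verified authority directory in the IR plan.
$authorityDomains = @(
    "police.example",            # placeholder: law enforcement contact domain
    "privacy-regulator.example"  # placeholder: privacy commissioner domain
)

# Confirm the built-in "Encrypt" template exists before referencing it in a rule.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq "Encrypt" }
if (-not $template) {
    throw "The 'Encrypt' RMS template is not available in this tenant; check the Purview Message Encryption setup."
}

# Create the rule only if it does not already exist (idempotent for re-runs).
$ruleName = "IR - Encrypt mail to external authorities"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -RecipientDomainIs $authorityDomains `
        -SentToScope NotInOrganization `
        -ApplyRightsProtectionTemplate "Encrypt" `
        -Comments "Control 5.5: encrypt incident correspondence with authorities. Review domains with the authority directory." `
        -Priority 0
}

# Verify the resulting rule so the output can be attached as audit evidence.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, Priority, RecipientDomainIs, ApplyRightsProtectionTemplate |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the domain list in step with the contact directory: a rule that encrypts to a stale domain gives no protection when the regulator has moved to a new one, and the rule itself should be reviewed as part of the same update procedure the auditor will ask about.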

Evidence Checklist

  • Contact List: A maintained list of law enforcement, regulatory bodies, and emergency response contacts.

  • Procedure: A documented process for when and how an authority should be notified of an incident.

  • Log of Interactions: A record of any formal interactions or information sharing with authorities (if applicable).


Practical Audit Advice

Here are some questions the auditor might ask:

  • Who within the organization is authorized to initiate contact with law enforcement or regulatory bodies during a crisis?

  • How do you ensure that the contact information for external authorities is kept up to date?

  • In what specific scenarios (e.g., data breach, ransomware) is the organization legally required to notify a specific authority?

  • Can you demonstrate how you stay informed about changes in the legal or regulatory landscape that affect your security obligations?