To assess compliance with A.5.5 "Contact with Authorities," an information security auditor would need to evaluate how an organization manages and interacts with relevant authorities, such as law enforcement agencies and regulatory bodies, in the context of information security incidents and requirements. Here's a breakdown of the evidence and areas an auditor might review:
- Incident Reporting Procedures: Review the organization's documented procedures for reporting information security incidents to relevant authorities, including the steps to follow, timelines, and responsible personnel.
- Legal and Regulatory Requirements: Verify that the organization is aware of and adheres to legal and regulatory requirements related to reporting and communicating information security incidents to authorities.
- Law Enforcement Liaison: Examine any documented agreements, contacts, or protocols the organization has established with law enforcement agencies for reporting cybercrime or security incidents.
- Notification Timeline: Assess the organization's ability to promptly notify relevant authorities in case of a significant security incident, as required by applicable laws and regulations.
- Internal Communication: Review evidence that demonstrates how the organization's internal teams communicate and collaborate when deciding whether and how to involve authorities in an incident.
- Authorities' Requests: Evaluate procedures or policies for responding to authorities' requests for information or assistance in investigating security incidents.
- Documentation: Examine records of any communication, interactions, or correspondence between the organization and authorities regarding information security incidents.
- Coordination: Assess how the organization coordinates with relevant authorities during incident response efforts to ensure effective collaboration and information sharing.
- Legal Counsel Involvement: Verify whether the organization involves legal counsel in discussions and decisions regarding interactions with authorities to ensure compliance with legal requirements.
- Preservation of Evidence: Examine how the organization handles the preservation of evidence related to security incidents to support potential legal proceedings.
- Incident Reporting Logs: Review logs or documentation of incidents reported to authorities, detailing the nature of the incident, response actions taken, and outcomes.
- Follow-Up and Resolution: Assess the organization's process for providing authorities with updates on incident resolution, investigation outcomes, and any additional assistance required.
- Public Communication: Verify whether the organization has established procedures for communicating with the public, customers, or stakeholders about information security incidents that may involve authorities.
- Training and Awareness: Evaluate whether employees are aware of their responsibilities for contacting authorities and whether they receive training on how to do so effectively.
- Mock Exercises: Examine evidence of mock exercises or simulations conducted by the organization to test its ability to interact with authorities during incident response scenarios.
By examining these aspects, an auditor can determine whether the organization has well-defined procedures for contacting relevant authorities in the event of information security incidents, complies with legal and regulatory requirements, and maintains effective communication and coordination with external parties during incident response efforts.
Communication with the appropriate authorities must be kept open at all times. Processes should be put in place that define when and with whom officials should be contacted, and how identified information security violations will be reported by the organisation as soon as possible.
Organisations that have been attacked over the internet may require authorities to take counter-measures. Maintaining these connections may also be required in information security to support incident management or business continuity and contingency planning operations. Contacts with regulatory authorities are also beneficial in anticipating and planning for any changes in the rules or regulations that the organisation must enforce. Consider contacting your data protection regulator (contact with which is likely mandated in law), utility companies for power and water, health and safety authorities if relevant, fire departments for business continuity and incident management, and perhaps your telecoms provider for routing if lines go down. You are going to have to ensure that:
- you identify and document which authorities apply to you;
- you define in what circumstances you would contact them;
- you define how information security incidents should be reported, if relevant;
- you understand what expectations these authorities have, if any;
- you include relevant contact steps in your incident management processes;
- you include relevant contact steps in your business continuity and disaster recovery processes.
The ISMS coordinator can keep records up to date, identifying which authority was contacted, when, and by which relationship owner, together with the specific circumstances of the contact and the nature of the information provided. The record should clearly identify who is responsible for contacting authorities (e.g., law enforcement, regulatory bodies, supervisory authorities), which authorities should be contacted (e.g., in which region/country), and in what cases this needs to happen.