GOV-017 Contact with Authorities and Special Interest Groups
Description
The organization maintains documented contacts with relevant regulatory authorities, law enforcement, and security industry groups. These contacts are used to stay informed of emerging threats, regulatory changes, and sector guidance.
Rationale
Regulatory relationships and threat intelligence communities are early warning channels. Without maintained contacts, the organization learns about emerging risks and regulatory changes too late to respond proactively.
Framework Mappings (4)
| Control ID | Control Title | Mapping |
| --- | --- | --- |
| GRC-08 | Special Interest Groups | full |
| 5.5 | Contact with authorities | full |
| 5.6 | Contact with special interest groups | full |
| PM-15 | Security and Privacy Groups and Associations | partial |
Evidence (2)
Contacts register listing relationships with regulatory authorities, law enforcement, and security industry groups, with named internal contact and last-contact or subscription-verification date.
Example: Regulatory and industry contacts register (Confluence / spreadsheet) listing: contact name and organization (e.g. ICO, CERT/CC, CISA, relevant ISAC), type of relationship, named internal owner, and last-reviewed date.
Test: Request the contacts register. Verify: (1) relevant regulatory authorities for the organization's jurisdictions are listed, (2) at least one security industry group or threat intelligence source is listed, (3) each entry has an internal owner, (4) the register has been reviewed within the last 12 months.
Evidence of active participation in or subscription to a security community or information sharing group.
Example: ISAC membership confirmation email, FS-ISAC or H-ISAC membership certificate, CISA alert subscription confirmation, or equivalent — dated within the last 12 months.
Test: Request membership or subscription confirmation for at least one threat intelligence sharing or industry group. Verify: (1) the subscription or membership is current (not expired), (2) it is relevant to the organization's industry and technology stack, (3) a named internal contact is responsible for receiving and acting on alerts.
Questions (2)
Does your organization maintain documented contacts with relevant regulatory authorities, law enforcement, and security industry groups?
A contacts register should list each relationship, the named internal owner, and a last-reviewed date — covering both regulatory authorities for operating jurisdictions and at least one threat intelligence sharing group.
Which of the following types of external security relationships does your organization actively maintain?
Active membership or subscription (not just registration) is the expected standard — confirm the subscription or membership is current and has a named internal owner.