On this page
- Quick Reference
- What the Standard Requires
- Why It Matters
- Scope and Applicability
- Key Definitions
- Relationship to Other Controls
- Implementation Roadmap
- Detailed Guidance
- Tools and Technologies
- Policy Templates and Documentation
- Risk Assessment
- Audit and Assessment Checklist
- Metrics and KPIs
- Common Pitfalls and How to Avoid Them
- Illustrative Scenarios
- Multi-Framework Mapping
- Regulatory and Compliance Context
- RACI Matrix
- Documentation and Record Keeping
- Continuous Improvement
- Toolkit Download
- Frequently Asked Questions
- References and Further Reading
Quick Reference
| Attribute | Detail |
|---|---|
| Control Number | A.5.5 |
| Control Title | Contact with Authorities |
| ISO 27001:2022 Domain | Organizational Controls (5) |
| Control Type | Preventive / Corrective (the control-type attributes ISO 27002:2022 assigns to 5.5) |
| Information Security Attribute | Confidentiality, Integrity, Availability |
| Maturity Model Level | Level 1–5 (covered in Section 20) |
| Typical Implementation Time | 1–3 months for basic; 3–6 months for regulated sectors |
| Estimated Annual Overhead | – (compliance, legal support, staff time) |
| Primary Owner | CISO / Head of Information Security |
| Key Stakeholders | Legal, Compliance, Board/Executive, Government Relations, Incident Response |
| Audit Frequency | Annual + event-triggered |
| Regulatory Alignment | IT Act 2000, DPDP Act 2023, RBI, SEBI, IRDAI, NCIIPC, CERT-In, Sector-specific |
What the Standard Requires
ISO 27001:2022 Annex A 5.5 requires that the organization establish and maintain contact with relevant authorities.
This control requires organizations to:
- Identify relevant authorities: government bodies, regulatory agencies, law enforcement, and statutory bodies that have jurisdiction over the organization's information security activities
- Establish formal contact mechanisms: designate points of contact, maintain communication channels, and ensure accessibility
- Maintain ongoing relationships: regular engagement, not just reactive contact during incidents
- Report as required: submit mandatory reports, disclosures, and notifications in accordance with legal and regulatory requirements
- Coordinate during incidents: have pre-established channels for incident reporting, evidence preservation, and investigation support
- Stay informed of regulatory developments: track changes in laws, regulations, guidelines, and enforcement priorities that affect the organization's security obligations
The control encompasses both proactive engagement (building relationships before they are needed) and reactive engagement (reporting and coordination during incidents).
Why It Matters
Legal and Regulatory Compliance
Indian law mandates specific interactions with authorities for cybersecurity incidents:
- IT Act, 2000 (Section 70B): CERT-In has powers to issue directions for cybersecurity incident reporting
- CERT-In Directions (28 April 2022, issued under Section 70B(6)): Mandatory reporting of 20 listed categories of incidents within 6 hours of noticing them (or being notified of them), applicable to service providers, intermediaries, data centres, body corporates, and government organizations
- DPDP Act 2023: Data breach notification requirements (once in force) to the Data Protection Board and to each affected Data Principal
- Sectoral regulations: RBI, SEBI, IRDAI, TRAI, and others have specific reporting and coordination requirements
Failure to maintain contact with authorities can result in regulatory penalties, criminal liability, and loss of operating licenses. A bank that cannot report a cybersecurity incident to RBI within the required timeframe faces not just fines but potential restrictions on digital operations.
Incident Response Acceleration
Pre-established relationships with authorities dramatically accelerate incident response:
- CERT-In can provide technical assistance, threat intelligence, and coordination during major incidents
- Police cybercrime units (state and national) can initiate investigations, preserve evidence, and pursue attackers
- Sector regulators (RBI, SEBI) can provide guidance on customer communication, regulatory reporting, and operational continuity during breaches
- NCIIPC provides critical infrastructure protection support and sector-wide coordination
The difference shows in the first hours of an incident: an organization with a registered CERT-In point of contact and a pre-agreed reporting channel can open a coordinated response immediately, while one without them spends its first days working out whom to call, what to send, and through which channel.
Access to Government Threat Intelligence
Authorities possess intelligence that commercial providers cannot access:
- CERT-In receives international threat intelligence through FIRST and bilateral agreements
- NCIIPC has access to national security-level threat assessments for critical infrastructure
- State police cybercrime units have visibility into local threat actor activities, arrest records, and investigation outcomes
- NIA and IB (for critical national security matters) provide intelligence on APT groups targeting Indian interests
- Ministry of Home Affairs coordinates on national cybersecurity policy and threat landscape assessments
Regulatory Foresight and Preparation
Organizations with active authority engagement receive early warning of regulatory changes:
- Participation in RBI's cybersecurity consultations provides months of advance notice before new requirements take effect
- SEBI's working groups allow market participants to shape cybersecurity guidelines
- CERT-In workshops preview upcoming directions and compliance expectations
- DSCI's government liaison provides insight into DPDP Act implementation timelines and requirements
This foresight allows organizations to pre-position compliance investments, avoiding the scramble that follows surprise regulatory announcements.
Protection of National Interest
For organizations handling critical infrastructure, defense contracts, or sensitive national data, authority engagement is a matter of national security:
- NCIIPC mandates formal coordination for all Critical Information Infrastructure (CII) entities
- Defense contractors must coordinate with Defence Cyber Agency and Ministry of Defence security divisions
- Government organizations are required to implement CERT-In directions and participate in national cybersecurity exercises
- Telecom operators must coordinate with DoT on network security and surveillance requirements
Evidence Preservation and Legal Admissibility
Proper authority engagement ensures that incident evidence is preserved in a legally admissible manner:
- Police coordination ensures chain of custody for digital evidence
- Forensic protocols established with authorities improve evidence quality for prosecution
- Regulatory reporting creates contemporaneous records that may be valuable in litigation
- CERT-In incident reports provide official documentation of attack timelines and impact
Reputation and Trust Preservation
Organizations that demonstrate proactive authority engagement are viewed more favorably by regulators, customers, and partners:
- Regulators tend to apply lighter-touch supervision to entities with a track record of timely, candid engagement
- Customer confidence improves when organizations can demonstrate government coordination
- Insurance benefits: cyber insurance underwriters view authority engagement as a positive risk factor
- Partner trust: supply chain security assessments credit demonstrated authority engagement
Access to Government Support Programs
Authorities offer support programs that organizations can only access through engagement:
- CERT-In cybersecurity awareness and training programs
- MeitY's cybersecurity R&D grants and innovation programs
- NCIIPC's sectoral capacity building and exercise programs
- State government cybersecurity initiatives and funding (e.g., Karnataka, Maharashtra)
- BIS standards development participation and early access to drafts
Scope and Applicability
In Scope
This control applies to:
- All organizations seeking ISO 27001 certification, regardless of size or sector
- Government organizations and public sector undertakings (mandatory engagement)
- Critical Information Infrastructure (CII) entities (mandatory NCIIPC coordination)
- Regulated entities (banks, NBFCs, insurance companies, securities market participants, telecom operators)
- Organizations handling sensitive personal data (DPDP Act compliance preparation)
- Organizations handling defense or national security contracts
- Any organization that may be subject to cybercrime investigation or incident reporting requirements
Organizational Size Considerations
Small Organizations (≤50 employees):
- Maintain basic CERT-In contact and advisory subscription
- Register with local police cybercrime unit
- Track sector-specific regulatory requirements
- Designate a single point of contact (typically the business owner or IT lead)
- Budget: –annually (primarily staff time)
Medium Organizations (50–500 employees):
- Maintain formal contact with CERT-In and relevant sector regulator
- Register with state and national police cybercrime units
- Establish legal counsel relationship for incident coordination
- Participate in regulatory workshops and consultations
- Budget: –annually
Large Organizations (≥500 employees) and Regulated Entities:
- Full authority engagement program with dedicated government liaison
- Formal NCIIPC coordination (if CII)
- Multi-level police contacts (local, state, national, cybercrime)
- Sector regulator working group participation
- Legal team with regulatory expertise
- Budget: –+ annually
Sector-Specific Authority Engagement
| Sector | Primary Authorities | Secondary Authorities |
|---|---|---|
| Banking & Finance | RBI, CERT-Fin, Indian Banking-ISAC | CERT-In, State Police, ED, SFIO, NABARD (for cooperative banks) |
| Securities Markets | SEBI, Stock Exchanges (NSE/BSE) | CERT-In, State Police, NCIIPC (for MIIs) |
| Insurance | IRDAI | CERT-In, State Police, NCIIPC (for critical insurance infrastructure) |
| Telecom | DoT, TRAI, CERT-In | State Police, NCIIPC (CII), Ministry of Home Affairs |
| Healthcare | CDSCO, State Health Departments, NABH | CERT-In, State Police, NCIIPC (for critical health infrastructure) |
| Energy/Power | CEA, Ministry of Power, NCIIPC | CERT-In, State Police, Power-ISAC |
| Government/Defense | NCIIPC, CERT-In, Defence Cyber Agency, NSCS | State Police, NIA, IB, MHA |
| IT/ITeS | MeitY, CERT-In, STPI | State Police, DSCI, NASSCOM |
| E-commerce | MeitY, Consumer Affairs, RBI (for payment) | CERT-In, State Police, FSSAI (for food delivery) |
| Manufacturing | Ministry of MSME/Industry, NCIIPC (if critical) | CERT-In, State Police, CII committees |
Key Definitions
| Term | Definition |
|---|---|
| Authority | A government body, regulatory agency, law enforcement organization, or statutory body with legal powers to regulate, investigate, or enforce cybersecurity and information security requirements |
| CERT-In | Indian Computer Emergency Response Team, the national agency for cybersecurity incident response, coordination, and advisory issuance under the IT Act |
| NCIIPC | National Critical Information Infrastructure Protection Centre, established under the IT Act to protect Critical Information Infrastructure |
| CII (Critical Information Infrastructure) | Computer resources whose incapacitation or destruction would have a debilitating impact on national security, economy, public health, or safety |
| Sector Regulator | An agency responsible for regulating a specific industry (RBI for banking, SEBI for securities, IRDAI for insurance, TRAI for telecom, etc.) |
| Police Cybercrime Unit | Specialized police units handling cybercrime investigations, evidence collection, and prosecution support |
| Government Liaison | A formal or designated role responsible for maintaining contact and coordinating with government authorities |
| Mandatory Reporting | Legal or regulatory requirements to report specific categories of incidents to designated authorities within defined timeframes |
| Voluntary Reporting | Submission of incident information or threat intelligence to authorities beyond mandatory requirements |
| Regulatory Consultation | Formal or informal processes through which regulators seek industry input before issuing rules or guidelines |
| Incident Coordination | Collaborative interaction between an organization and authorities during an active cybersecurity incident |
| Evidence Chain of Custody | Documented process ensuring digital evidence is preserved, transferred, and handled in a manner that maintains legal admissibility |
| Regulatory Sandbox | Controlled environment in which organizations can test innovative products or services under relaxed but supervised regulatory conditions |
| Enforcement Action | Regulatory penalties, fines, license restrictions, or criminal proceedings resulting from non-compliance |
Relationship to Other Controls
Directly Related Controls
| Control | Relationship |
|---|---|
| A.5.6, Contact with Special Interest Groups | Complementary; A.5.6 covers industry/community engagement, A.5.5 covers government/authority engagement. Together they provide complete external coverage. |
| A.5.7, Threat Intelligence | Government authorities provide unique threat intelligence not available through commercial or community channels. |
| A.5.24, Information Security Incident Management | Authority contact is essential for incident reporting, coordination, and investigation support. |
| A.5.34, Privacy and Protection of PII | DPDP Act and other privacy regulations create specific authority reporting obligations for data breaches. |
| A.5.37, Documented Operating Procedures | Authority contact procedures must be documented, including reporting workflows, escalation paths, and evidence handling. |
| A.6.8, Information Security Event Reporting | Internal event reporting feeds into external authority reporting when thresholds are met. |
Indirectly Related Controls
| Control | Relationship |
|---|---|
| A.5.21, Managing Information Security in the ICT Supply Chain | Government advisories on compromised vendors support supply chain risk management. |
| A.5.23, Information Security for Use of Cloud Services | Regulatory guidance on cloud security, outsourcing, and emerging technology informs cloud and ICT security management. |
| A.5.28, Collection of Evidence | Evidence handed to law enforcement or regulators must be collected and preserved in a legally admissible manner. |
| A.8.14, Redundancy of Information Processing Facilities | Government disaster recovery requirements and sectoral continuity guidance inform redundancy planning. |
| A.8.8, Management of Technical Vulnerabilities | CERT-In and sector regulators issue vulnerability advisories and mandatory patching requirements. |
| A.8.31, Separation of Development, Test and Production Environments | Government standards and testing requirements inform environment security. |
Implementation Roadmap
Phase 1: Identification and Registration (Weeks 1–4)
| Week | Activity | Deliverable |
|---|---|---|
| 1 | Identify all authorities with jurisdiction over your organization | Authority inventory with legal basis for engagement |
| 2 | Register with CERT-In portal and subscribe to advisories | CERT-In registration confirmation, advisory subscription |
| 3 | Register with state police cybercrime unit and obtain contacts | Police contact directory, registration acknowledgment |
| 4 | Identify and document sector regulator contacts and reporting requirements | Sector regulator contact matrix, reporting requirement summary |
Phase 2: Formalization (Weeks 5–8)
| Week | Activity | Deliverable |
|---|---|---|
| 5 | Designate authority liaison roles and backup contacts | Liaison designation letters, RACI matrix |
| 6 | Document reporting workflows, timelines, and escalation paths | Authority Contact Procedure document |
| 7 | Establish legal counsel relationship for incident support | Legal engagement letter, retainer agreement (if applicable) |
| 8 | Create authority contact directory with 24/7 contact methods | Authority Contact Directory v1.0 |
Phase 3: Operationalization (Weeks 9–12)
| Week | Activity | Deliverable |
|---|---|---|
| 9 | Conduct first regulatory workshop/webinar attendance | Attendance records, key takeaways, action items |
| 10 | Test incident reporting workflow with tabletop exercise | Exercise report, workflow improvement actions |
| 11 | Submit first voluntary advisory feedback or non-mandatory report | Submission records, feedback acknowledgment |
| 12 | Conduct 90-day program review | Phase 1 review report, improvement plan |
Phase 4: Maturity (Months 4–12)
| Month | Activity | Deliverable |
|---|---|---|
| 4–6 | Participate in sectoral exercises, consultations, or working groups | Participation records, contributed inputs |
| 7–9 | Establish NCIIPC coordination (if CII) or deepen regulator engagement | NCIIPC registration, coordination records |
| 10–12 | Annual program review, regulatory update assessment, and strategic planning | Annual authority engagement report, budget plan |
Detailed Guidance
Complete Authority Inventory
Organizations must systematically identify all authorities with which they must or should maintain contact. Use this framework:
Tier 1: National Cybersecurity Bodies (Mandatory for All)
- CERT-In: National incident response, advisories, mandatory reporting (for designated entities)
- NCIIPC: Critical infrastructure protection (mandatory for CII entities)
- National Cybercrime Reporting Portal: Cybercrime reporting (cybercrime.gov.in)
- MeitY: IT policy, STPI, cybersecurity R&D programs
Tier 2: Law Enforcement (Mandatory for Incident Reporting)
- State Police Cybercrime Cells: Local cybercrime investigation and reporting
- Indian Cybercrime Coordination Centre (I4C): National cybercrime coordination under the Ministry of Home Affairs
- CBI Cybercrime Division: High-profile or interstate cybercrime cases
- Economic Offences Wing: Financial cybercrime (for banking/finance fraud)
- State Crime Investigation Departments: Organized cybercrime, cyberterrorism
Tier 3: Sector Regulators (Mandatory for Regulated Entities)
- RBI: Banking, NBFCs, payment systems, UPI operators
- SEBI: Securities markets, stock exchanges, depositories, brokers
- IRDAI: Insurance companies, insurance intermediaries
- TRAI: Telecom service providers, ISPs
- PFRDA: Pension funds, NPS providers
- RERA: Real estate portals (for data protection)
Tier 4: Data Protection and Privacy Authorities
- Data Protection Board of India (under DPDP Act, once operationalized)
- MeitY (interim data protection coordination until DPDP Board is fully functional)
- State Information Commissions (under RTI Act for information access matters)
Tier 5: Specialized and Emerging Bodies
- Defence Cyber Agency: For defense contractors and strategic sector organizations
- National Security Council Secretariat (NSCS): For national security-related cybersecurity
- NIA: For cyberterrorism and national security incidents
- ED (Enforcement Directorate): For cybercrime-related financial investigations
- SFIO (Serious Fraud Investigation Office): For corporate fraud involving cyber elements
- Income Tax Department: For tax-related cyber fraud and data breaches
- CBDT (Central Board of Direct Taxes): For data breach reporting related to tax data
Tier 6: Local and State Bodies
- State CERTs (Maharashtra, Karnataka, etc.): Localized incident response and advisories
- State IT Departments: State cybersecurity policies and initiatives
- State Police: General law enforcement for cybercrime incidents
- District Cybercrime Cells: Local cybercrime reporting and investigation
- Municipal Bodies: For smart city and critical urban infrastructure
CERT-In Engagement Framework
CERT-In is the foundational authority engagement for virtually all Indian organizations.
Registration:
- Visit cert-in.org.in
- Register your organization with valid email domain
- Subscribe to CERT-In advisories (free email subscription)
- Download and review the CERT-In directions of 28 April 2022 issued under Section 70B(6) of the IT Act (commonly called the Cyber Security Directions, 2022), including their annexure of reportable incident types
Mandatory Reporting (under the 2022 directions):
- 20 listed categories of incidents must be reported within 6 hours of noticing them or being notified of them
- Categories include: data breaches, malware, DDoS, ransomware, APT, supply chain attacks, cloud security incidents, IoT attacks, etc.
- The directions apply to service providers, intermediaries, data centres, body corporates, and government organizations
- Designate a Point of Contact for CERT-In and communicate the contact details to CERT-In; keep them current
- Maintain ICT system logs for a rolling period of 180 days within India and synchronize system clocks to the NIC or NPL NTP servers, since both are conditions the directions impose and both matter for evidence quality
- Report through CERT-In's online portal or designated communication channels
Voluntary Engagement:
- Participate in CERT-In workshops and capacity-building programs
- Respond to CERT-In surveys and information requests
- Provide feedback on advisories and directions
- Participate in CERT-In coordinated exercises (cyber drills)
- Engage with CERT-In for vulnerability disclosure coordination
Incident Coordination:
- Contact CERT-In during major incidents for technical assistance
- Coordinate on threat intelligence sharing during active campaigns
- Request forensic support or investigation coordination for significant incidents
- Participate in post-incident reviews with CERT-In when requested
NCIIPC Engagement for CII Entities
Organizations designated as Critical Information Infrastructure (CII) have mandatory NCIIPC engagement.
CII Identification:
- Sectors: Energy, Banking & Finance, Telecom, Transport, Government, Defense, Space, Law Enforcement, Health, Water, Digital Infrastructure
- NCIIPC notifies organizations of CII designation
- Organizations may also self-assess and seek CII determination
Mandatory NCIIPC Engagement:
- Register with NCIIPC upon CII designation
- Designate NCIIPC liaison within the organization
- Implement NCIIPC sectoral guidelines and advisories
- Participate in NCIIPC sectoral risk assessment and coordination
- Report significant incidents to NCIIPC (in addition to CERT-In)
- Participate in NCIIPC exercises and capacity-building programs
- Allow NCIIPC audits and assessments as required
NCIIPC Coordination Activities:
- Sectoral working group participation
- Threat intelligence sharing through NCIIPC channels
- Joint incident response planning with sector peers
- Infrastructure vulnerability assessment coordination
- Crisis management and continuity planning alignment
Sector Regulator Engagement
Banking (RBI):
- RBI Cybersecurity Framework compliance reporting
- Incident reporting to RBI through the channel prescribed in the Cyber Security Framework (the 2016 framework requires unusual cyber incidents to be reported within 2 to 6 hours) and to CERT-Fin
- Participation in RBI's cybersecurity awareness programs
- Engagement with IDRBT for research and advisory
- RBI's "Cybersecurity Alerts" monitoring and response
- Annual cyber drills coordinated by RBI
- Reporting under the Digital Payment Security Control framework
Securities (SEBI):
- SEBI Cybersecurity Guidelines compliance for MIIs and intermediaries
- Cybersecurity incident reporting to SEBI
- Participation in SEBI cybersecurity audits and reviews
- Engagement with stock exchange cybersecurity teams (NSE, BSE)
- Reporting on cybersecurity posture in periodic compliance filings
Insurance (IRDAI):
- IRDAI Cybersecurity Guidelines compliance reporting
- Incident reporting to IRDAI IT Department
- Participation in IRDAI cybersecurity consultations
- Coordination on customer data protection and breach notification
Telecom (DoT/TRAI):
- DoT security directives compliance (licensing conditions)
- TRAI consultations on network security and data protection
- Reporting on network security incidents
- Coordination with Telecom-ISAC and DoT security division
- Compliance with encryption and lawful interception requirements
Law Enforcement Engagement
Police Cybercrime Unit Engagement:
- Identify the relevant police cybercrime unit for your jurisdiction (state cybercrime cell)
- Register your organization and obtain primary/secondary contact details
- Understand local cybercrime reporting procedures and requirements
- Establish relationship with the Station House Officer (SHO) or cybercrime Inspector
- For organizations with multi-state presence, maintain contacts in all relevant states
When to Contact Law Enforcement:
- Criminal cyberattacks (ransomware, unauthorized access, data theft with criminal intent)
- Financial fraud involving cyber elements
- Insider threats with criminal behavior
- Attacks on critical infrastructure with potential criminal attribution
- Evidence of APT activity with potential national security implications
- Cases requiring investigation, arrest, or prosecution
Evidence Preservation for Law Enforcement:
- Establish evidence preservation procedures that align with legal requirements
- Maintain chain of custody documentation
- Preserve logs, disk images, and network captures in forensically sound manner
- Coordinate with legal counsel before sharing evidence
- Understand that law enforcement may seize devices or require access to systems
- Document all evidence handling for legal admissibility
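The hashing and chain-of-custody logging the list above calls for, as an added worked example (not code from the page, CERT-In, or any police cybercrime cell). It keeps an append-only JSON-lines ledger in which every custody event records the artifact's SHA-256 and the hash of the previous entry, so that both a modified artifact and an edited ledger are detectable. The ledger format, the `CustodyLedger` class, the handler labels, and the sample proxy log lines are all constructed for this example:

```python
"""Tamper-evident chain-of-custody ledger for incident evidence (illustrative example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_entry_hash of the first ledger entry


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of the canonical JSON form of an entry, excluding its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only JSON-lines ledger; each entry links to the previous one by hash."""

    def __init__(self, path: str):
        self.path = path

    def entries(self) -> List[dict]:
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def record(self, artifact_path: str, action: str, handler: str, note: str = "") -> dict:
        """Append a custody event (acquired, transferred, imaged, ...) for an artifact."""
        prev = self.entries()
        entry = {
            "seq": len(prev) + 1,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "artifact": os.path.basename(artifact_path),
            "size_bytes": os.path.getsize(artifact_path),
            "sha256": sha256_file(artifact_path),
            "action": action,
            "handler": handler,
            "note": note,
            "prev_entry_hash": prev[-1]["entry_hash"] if prev else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self, artifact_path: Optional[str] = None) -> List[str]:
        """Return a list of problems; an empty list means ledger (and artifact) are intact."""
        problems = []
        expected_prev = GENESIS
        entries = self.entries()
        for e in entries:
            if e["prev_entry_hash"] != expected_prev:
                problems.append(f"entry {e['seq']}: broken chain link")
            if _entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: entry content altered")
            expected_prev = e["entry_hash"]
        if artifact_path is not None:
            name = os.path.basename(artifact_path)
            recorded = [e for e in entries if e["artifact"] == name]
            if not recorded:
                problems.append(f"{name}: no custody record")
            current = sha256_file(artifact_path)
            for e in recorded:  # evidence must hash identically at every custody event
                if e["sha256"] != current:
                    problems.append(f"{name}: current hash differs from entry {e['seq']}")
        return problems


def demo(workdir: Optional[str] = None) -> dict:
    """Walk one artifact through acquisition and hand-off, then show both kinds of tampering are caught."""
    workdir = workdir or tempfile.mkdtemp(prefix="coc_")
    artifact = os.path.join(workdir, "webproxy-2024-03-01.log")
    with open(artifact, "w", encoding="utf-8") as f:  # constructed sample log lines, not real data
        f.write("2024-03-01T02:14:07Z 10.0.4.17 GET /admin/export.php?id=1%27%20OR%201=1 200\n"
                "2024-03-01T02:14:09Z 10.0.4.17 POST /admin/upload.php 200\n")
    ledger = CustodyLedger(os.path.join(workdir, "custody.jsonl"))
    ledger.record(artifact, "acquired", "soc-analyst-1", "exported from proxy to write-blocked share")
    ledger.record(artifact, "transferred", "legal-counsel-1", "sealed copy for police cybercrime cell")
    clean = ledger.verify(artifact)
    with open(artifact, "a", encoding="utf-8") as f:  # artifact modified after hand-off
        f.write("2024-03-01T02:15:00Z 10.0.4.17 GET / 200\n")
    artifact_tampered = ledger.verify(artifact)
    rows = ledger.entries()  # ledger itself edited: handler of entry 1 rewritten
    rows[0]["handler"] = "unknown"
    with open(ledger.path, "w", encoding="utf-8") as f:
        for e in rows:
            f.write(json.dumps(e, sort_keys=True) + "\n")
    ledger_tampered = ledger.verify()
    return {"entries": len(rows), "clean": clean,
            "artifact_tampered": artifact_tampered, "ledger_tampered": ledger_tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ledger is tamper-evident, not tamper-proof: anyone with write access to the file can recompute the whole chain. Keep a copy of each entry's `entry_hash` with legal counsel or on write-once storage, and have the handler sign the printed entry at each hand-off, since the hash proves content, not who held the artifact or when.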
24/7 Contact Requirements:
- Cybercrime incidents often require immediate law enforcement notification
- Maintain 24/7 contact methods for critical incidents (not just business hours)
- Pre-agree communication channels for emergency incidents
- Have legal counsel available for after-hours incident support
Building Effective Government Relationships
Professionalism and Respect:
- Government officials operate under different constraints than private sector
- Be patient with bureaucratic processes and response times
- Respect hierarchy and chain of command in government organizations
- Understand that government officials may have limited technical depth, so communicate clearly and without jargon
- Build relationships with mid-level officials, who often have more operational flexibility than senior officers
Proactive Engagement:
- Don't wait for incidents to establish contact
- Attend government workshops, seminars, and outreach programs
- Participate in regulatory consultations and working groups
- Provide constructive feedback on draft guidelines and advisories
- Offer to host or sponsor government cybersecurity awareness events
- Share anonymized threat intelligence proactively (where appropriate)
Reciprocity:
- Respond to government information requests promptly
- Provide accurate data for surveys and assessments
- Participate in government-coordinated exercises even when not mandatory
- Offer industry expertise for policy development and standards creation
- Acknowledge government support in public communications (when appropriate)
Confidentiality and Sensitivity:
- Be mindful of what you share with different authority levels
- Classify information appropriately for government sharing
- Understand that government bodies may have different confidentiality obligations than industry groups
- Obtain legal advice before sharing sensitive competitive or business information
- Be aware that information shared with government may be subject to RTI disclosure
Tools and Technologies
CERT-In Portal and Resources
| Resource | Purpose | Access |
|---|---|---|
| CERT-In Website | Advisories, guidelines, registration | cert-in.org.in |
| CERT-In Incident Reporting Portal | Online incident reporting | Portal registration required |
| CERT-In Advisory Subscription | Email alerts for new advisories | Free subscription |
| CERT-In Botnet Cleaning and Malware Analysis Centre | Botnet detection and cleaning support | Free service |
| CERT-In Training Programs | Capacity building and awareness | Registration required |
NCIIPC Resources
| Resource | Purpose | Access |
|---|---|---|
| NCIIPC Website | Guidelines, advisories, CII resources | nciipc.gov.in |
| NCIIPC Sectoral Coordination | Sector-specific guidance and contacts | CII registration required |
| NCIIPC Reporting Channels | Incident reporting for CII entities | Registered contact access |
Government Reporting Platforms
| Platform | Purpose | URL/Access |
|---|---|---|
| National Cybercrime Reporting Portal | Citizen and organizational cybercrime reporting | cybercrime.gov.in |
| I4C (Indian Cybercrime Coordination Centre) | National cybercrime coordination | Via police channels |
| RBI CMS (Complaint Management System) | Banking-related complaints | cms.rbi.org.in |
| SEBI SCORES | Securities market complaints | scores.gov.in |
| TRAI Telecom Complaints | Telecom consumer complaints | trai.gov.in/complaints |
Communication and Documentation Tools
| Tool | Purpose |
|---|---|
| Government Email Systems | Formal communication with authorities (maintain official records) |
| Secure Messaging | Sensitive incident coordination (Signal, government-approved channels) |
| Document Management | Evidence preservation, reporting records, correspondence logs |
| CRM/Contact Management | Authority contact directory and relationship tracking |
| Ticketing Systems | Tracking incident reporting and authority responses |
| SIEM/Log Management | Evidence collection and preservation for investigations |
Policy Templates and Documentation
Authority Contact Policy (Template)
Authority Contact and Engagement Policy
1. Purpose
This policy establishes how [Organization Name] maintains contact with government authorities, regulatory bodies, and law enforcement agencies for cybersecurity incident reporting, coordination, and compliance.
2. Scope
Applies to all employees, contractors, and third parties who may interact with authorities on behalf of the organization regarding information security matters.
3. Policy Statements
3.1 Authority Identification:
- The organization maintains an inventory of all authorities with jurisdiction over its operations
- This inventory is reviewed quarterly and updated when regulatory changes occur
- The CISO maintains ultimate accountability for authority engagement
3.2 Liaison Designation:
- Primary and secondary liaison roles are designated for each authority
- Liaisons have authority to interact with authorities on behalf of the organization
- Backup liaisons are designated for continuity
3.3 Mandatory Reporting:
- All mandatory reporting requirements are documented with timelines and procedures
- Reporting workflows are tested annually through tabletop exercises
- Legal review is required before all mandatory reports
- Failure to report as required is treated as a serious compliance violation
3.4 Voluntary Engagement:
- Voluntary engagement with authorities is encouraged but must be coordinated through the CISO
- Information shared voluntarily must be reviewed for confidentiality and legal exposure
- Staff must not commit the organization to obligations without authorization
3.5 Incident Coordination:
- Authority contact during incidents follows the documented incident response plan
- Evidence preservation procedures must be followed to maintain legal admissibility
- Legal counsel must be involved in all law enforcement coordination
- All authority interactions during incidents are documented
3.6 Confidentiality and Privilege:
- Authority interactions may be subject to legal privilege or confidentiality obligations
- Legal counsel reviews all sensitive communications with authorities
- Staff are trained on confidentiality requirements for authority engagement
4. Roles and Responsibilities
- CISO: Overall authority engagement program ownership
- Legal Counsel: Review of reports, evidence handling, privilege protection
- Compliance Officer: Regulatory requirement tracking and compliance verification
- Security Manager: Day-to-day liaison coordination and operational engagement
- Incident Response Lead: Authority coordination during incidents
- Board/Executive: Strategic oversight and escalation point
5. Violations
Unauthorized authority contact, failure to report as required, or improper information sharing may result in disciplinary action up to and including termination. Regulatory non-compliance may result in additional legal penalties.
6. Review
This policy is reviewed quarterly for regulatory changes and annually for complete update.
Approved by: _______________ Date: _______________ Board / CISO
Incident Reporting Procedure (Template)
Authority Incident Reporting Procedure
1. Purpose
Defines how the organization reports cybersecurity incidents to relevant authorities.
2. Incident Categories and Reporting Requirements
| Category | Authority | Timeline | Trigger |
|---|---|---|---|
| Data breach (personal data) | CERT-In + Data Protection Board and affected Data Principals (once the DPDP Act is in force) | 6 hours (CERT-In) | Confirmed unauthorized access to personal data |
| Ransomware | CERT-In + Police | 6 hours (CERT-In) + immediate (police) | Ransomware deployment or extortion demand |
| APT/Sophisticated attack | CERT-In + NCIIPC (if CII) | 6 hours | Confirmed APT activity or nation-state attribution |
| DDoS (significant) | CERT-In + Sector Regulator | 6 hours | Service disruption > defined threshold |
| Financial fraud | Police + Sector Regulator + CERT-In | Immediate (police) + 6 hours (CERT-In) | Confirmed financial loss or fraud |
| Supply chain compromise | CERT-In | 6 hours | Confirmed supply chain attack |
| Cloud security incident | CERT-In | 6 hours | Significant cloud infrastructure compromise |
| Insider threat (criminal) | Police + CERT-In | Immediate (police) + 6 hours (CERT-In) | Criminal insider activity |
3. Reporting Workflow
Step 1: Detection and Triage (0–1 hour)
- Incident detected and triaged by SOC/Incident Response team
- Initial severity assessment and category determination
- Incident Response Lead notified
Step 2: Authority Notification Decision (1–2 hours)
- Incident Response Lead determines if incident meets reporting thresholds
- Legal counsel consulted for reporting requirements and privilege considerations
- CISO notified for high-severity incidents
Step 3: Report Preparation (2–4 hours)
- Draft incident report with known facts (not speculation)
- Legal review of report content
- Evidence preservation initiated
- Redacted versions prepared for different authorities if needed
Step 4: Authority Notification (within mandated timeline)
- Submit report through designated channels (portal, email, phone)
- Obtain acknowledgment of receipt
- Log submission timestamp and reference number
- Notify relevant internal stakeholders
Step 5: Ongoing Coordination
- Maintain communication with authorities during incident response
- Provide updates as new information becomes available
- Respond to authority requests for additional information
- Coordinate on evidence handling and investigation support
Step 6: Post-Incident Closure
- Submit final incident report if required
- Participate in post-incident review with authorities if requested
- Update authority contact records and lessons learned
4. Evidence Preservation
- All evidence preserved according to forensic best practices
- Chain of custody maintained for all physical and digital evidence
- Legal counsel reviews evidence handling procedures
- Evidence shared with authorities only through approved channels
5. Documentation
- All reporting activities logged in the incident management system
- Authority correspondence maintained in the legal document repository
- Reporting timelines documented for compliance evidence
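The reporting workflow above starts several clocks at once (a 6-hour CERT-In window, an immediate police contact) and expects each submission to be logged with a timestamp and reference number. The following tracker is an added example, not part of the template and not any authority's tool: it turns the category table into per-authority obligations measured from detection, flags obligations that are close to or past their deadline, and computes the "Mandatory Reporting Compliance" figure used in the Metrics and KPIs section. Assumptions not taken from the page: "Immediate" is modelled as a 1-hour internal target, escalation is raised when under 2 hours remain, only categories whose windows the table states unambiguously are listed, and the incident timestamps and reference number are constructed.

```python
"""Deadline tracker for the authority notification workflow (added example).

Assumptions (not from the template): 'Immediate' = 1-hour internal target,
escalation when under 2 hours remain, and only categories with an
unambiguous window in the table are modelled.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CERT_IN_WINDOW = timedelta(hours=6)   # CERT-In directions, designated entities
IMMEDIATE = timedelta(hours=1)        # assumption: internal target for "Immediate"
ESCALATION_LEAD = timedelta(hours=2)  # assumption: warn when this little time remains

# (authority, window) pairs per category, mirroring the template's table.
# DPDP Board and sector-regulator rows carry no stated clock there, so they
# are left out; add them once a timeline is published.
REPORTING_MATRIX: Dict[str, List[tuple]] = {
    "data_breach_personal": [("CERT-In", CERT_IN_WINDOW)],
    "ransomware": [("CERT-In", CERT_IN_WINDOW), ("Police", IMMEDIATE)],
    "financial_fraud": [("Police", IMMEDIATE), ("CERT-In", CERT_IN_WINDOW)],
    "supply_chain": [("CERT-In", CERT_IN_WINDOW)],
    "insider_criminal": [("Police", IMMEDIATE), ("CERT-In", CERT_IN_WINDOW)],
}


@dataclass
class Obligation:
    authority: str
    due_at: datetime
    submitted_at: Optional[datetime] = None
    reference: Optional[str] = None  # acknowledgment / reference number from the authority

    def status(self, now: datetime) -> str:
        """One of: on_time, late, overdue, escalate, pending."""
        if self.submitted_at is not None:
            return "on_time" if self.submitted_at <= self.due_at else "late"
        if now > self.due_at:
            return "overdue"
        if self.due_at - now <= ESCALATION_LEAD:
            return "escalate"
        return "pending"


def obligations_for(category: str, detected_at: datetime) -> List[Obligation]:
    """Every clock starts at detection, not at the decision to report."""
    if detected_at.tzinfo is None:
        # The directions require synchronised clocks; refuse naive timestamps.
        raise ValueError("detected_at must be timezone-aware")
    return [Obligation(authority, detected_at + window)
            for authority, window in REPORTING_MATRIX[category]]


def record_submission(obligations: List[Obligation], authority: str,
                      submitted_at: datetime, reference: str) -> Obligation:
    """Log the submission timestamp and the authority's reference number."""
    for obl in obligations:
        if obl.authority == authority:
            obl.submitted_at, obl.reference = submitted_at, reference
            return obl
    raise KeyError(f"no obligation towards {authority}")


def compliance_rate(obligations: List[Obligation], now: datetime) -> Optional[float]:
    """Mandatory Reporting Compliance: % of settled obligations met on time.
    Open obligations are excluded; overdue ones count as failures."""
    settled = [o for o in obligations if o.status(now) in ("on_time", "late", "overdue")]
    if not settled:
        return None
    return 100.0 * sum(o.status(now) == "on_time" for o in settled) / len(settled)


# --- constructed walk-through: ransomware detected at 02:30 UTC ---------------
DETECTED = datetime(2026, 3, 14, 2, 30, tzinfo=timezone.utc)
NOW = datetime(2026, 3, 14, 7, 0, tzinfo=timezone.utc)


def _filed_case() -> List[Obligation]:
    """CERT-In report filed at 06:15 with a placeholder reference; police not yet contacted."""
    obls = obligations_for("ransomware", DETECTED)
    record_submission(obls, "CERT-In",
                      datetime(2026, 3, 14, 6, 15, tzinfo=timezone.utc),
                      "CERT-IN-REF-PLACEHOLDER")
    return obls


def demo_statuses() -> Dict[str, str]:
    return {o.authority: o.status(NOW) for o in _filed_case()}


def demo_rate() -> Optional[float]:
    return compliance_rate(_filed_case(), NOW)


def demo_untouched() -> Dict[str, str]:
    """Nothing filed: CERT-In is inside the escalation lead, police is overdue."""
    return {o.authority: o.status(NOW) for o in obligations_for("ransomware", DETECTED)}


if __name__ == "__main__":
    print(demo_statuses(), demo_rate(), demo_untouched())
```

In the constructed case the CERT-In report lands inside the 6-hour window but the police contact was never logged, so the incident scores 50% rather than 100%; the `escalate` state is what an on-call dashboard would surface during Step 3 when report preparation runs long.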
Risk Assessment
Risks of NOT Engaging with Authorities
| Risk | Likelihood | Impact | Risk Score | Mitigation |
|---|---|---|---|---|
| Regulatory penalty for non-reporting | High | High | Critical | Implement mandatory reporting procedures and tracking |
| Criminal liability for concealment | Medium | High | High | Legal review of all incident reporting decisions |
| Delayed incident response | High | High | Critical | Pre-establish authority contacts and coordination channels |
| Loss of operating license | Low | Very High | High | Maintain regulator engagement and compliance |
| Evidence inadmissibility | Medium | Medium | Medium | Establish forensic evidence handling with legal oversight |
| Missed government threat intelligence | High | Medium | High | Subscribe to CERT-In and regulator advisories |
| Regulatory surprise (new requirements) | Medium | High | High | Participate in regulatory consultations and working groups |
| Reputational damage from non-cooperation | Medium | Medium | Medium | Demonstrate proactive authority engagement |
Risks of Authority Engagement
| Risk | Likelihood | Impact | Risk Score | Mitigation |
|---|---|---|---|---|
| Information exposure through government channels | Medium | High | High | Legal review, classification, and controlled sharing |
| Regulatory overreach or excessive scrutiny | Low | Medium | Low | Professional engagement, legal counsel, documented compliance |
| Reputational damage from public disclosure | Medium | High | High | Manage public communication, legal privilege claims |
| Resource drain from engagement activities | Medium | Medium | Medium | Prioritize engagement, use efficiency tools, track ROI |
| Miscommunication with authorities | Medium | Medium | Medium | Clear communication protocols, trained liaisons, legal review |
| Political or bureaucratic interference | Low | Medium | Low | Professional boundaries, legal protection, executive oversight |
Risk Treatment Plan
| Risk | Treatment | Owner | Timeline |
|---|---|---|---|
| Regulatory non-reporting | Implement automated tracking and escalation for reporting deadlines | Compliance Officer | 1 month |
| Information exposure | Legal review workflow, classification, and controlled sharing | Legal / CISO | 1 month |
| Delayed incident response | Pre-established contacts, 24/7 coordination procedures, regular testing | Incident Response Lead | 2 months |
| Resource drain | Engagement prioritization, delegation, and efficiency optimization | Security Manager | Ongoing |
Audit and Assessment Checklist
Documentation Review
- Is there a documented Authority Contact and Engagement Policy?
- Is there an inventory of all relevant authorities with jurisdiction?
- Is there a documented incident reporting procedure with timelines and workflows?
- Is there an authority contact directory with 24/7 contact methods?
- Are liaison roles formally designated with primary and backup contacts?
- Is there evidence of authority registration (CERT-In, NCIIPC, etc.)?
- Are mandatory reporting requirements documented with legal basis?
- Is there evidence of legal review for reporting procedures and authority communications?
- Are evidence preservation and chain of custody procedures documented?
- Is there a record of authority engagement (reports, correspondence, meeting records)?
- Is there evidence of annual/quarterly policy review?
- Are staff training records on authority engagement maintained?
Implementation Review
- Has the organization registered with CERT-In and subscribed to advisories?
- Has the organization registered with relevant state police cybercrime units?
- Are sector regulator contacts established and documented?
- Is there evidence of active authority engagement (not just passive registration)?
- Has the incident reporting workflow been tested (tabletop exercise)?
- Is there evidence of authority advisory monitoring and response?
- Are reporting deadlines tracked and met?
- Is there evidence of participation in regulatory workshops or consultations?
- Are 24/7 authority contact methods maintained and tested?
- Is there evidence of CII coordination with NCIIPC (if applicable)?
Compliance Review
- Is the organization meeting all mandatory reporting requirements?
- Is there evidence of compliance with CERT-In directions?
- Is there evidence of compliance with sector-specific regulatory requirements?
- Is the organization prepared for DPDP Act data breach notification requirements?
- Are there records of all regulatory submissions and correspondence?
- Is there evidence of regulatory update monitoring and adaptation?
- Has the organization participated in any regulatory audits or assessments?
- Is there documentation of any regulatory findings and remediation?
Metrics and KPIs
Engagement Metrics
| KPI | Formula | Target | Frequency |
|---|---|---|---|
| Authority Registration Completeness | % of identified authorities with active registration | 100% | Quarterly |
| Liaison Designation Coverage | % of authorities with designated primary and backup liaisons | 100% | Quarterly |
| Advisory Subscription Count | Number of authority advisory channels subscribed | ≥5 | Monthly |
| Regulatory Workshop Attendance | Number of workshops/webinars attended annually | ≥4 per year | Annual |
| 24/7 Contact Test Success Rate | % of 24/7 contacts successfully tested | 100% | Quarterly |
Reporting Metrics
| KPI | Formula | Target | Frequency |
|---|---|---|---|
| Mandatory Reporting Compliance | % of reportable incidents reported within mandated timeline | 100% | Per incident |
| Reporting Accuracy | % of reports accepted without correction by authority | ≥95% | Annual |
| Average Report Preparation Time | Hours from incident detection to report submission | ≤4 hours | Per incident |
| Report Tracking Completion | % of reports with documented acknowledgment | 100% | Per incident |
| Regulatory Submission Timeliness | % of regulatory submissions on time | 100% | Quarterly |
Operational Metrics
| KPI | Formula | Target | Frequency |
|---|---|---|---|
| Incident Response Coordination Time | Hours from incident declaration to authority notification | ≤2 hours | Per incident |
| Evidence Preservation Success | % of incidents with forensically sound evidence preservation | 100% | Per incident |
| Chain of Custody Compliance | % of evidence transfers with complete chain of custody | 100% | Per incident |
| Legal Review Completion | % of authority-bound reports with legal review | 100% | Per incident |
| Authority Response Time | Average hours for authority to acknowledge or respond | ≤24 hours | Quarterly |
Compliance and Foresight Metrics
| KPI | Formula | Target | Frequency |
|---|---|---|---|
| Regulatory Update Tracking | Number of regulatory changes tracked and assessed | All relevant | Quarterly |
| Compliance Preparation Lead Time | Days between regulatory announcement and implementation readiness | ≥30 days | Per regulation |
| Regulatory Finding Count | Number of regulatory audit findings related to authority engagement | 0 | Annual |
| CII Coordination Participation | Number of NCIIPC exercises or programs participated in (if CII) | ≥2 per year | Annual |
| Policy Currency | Days since last authority contact policy review | ≤90 days | Quarterly |
Overhead and Value Metrics
| KPI | Formula | Target | Frequency |
|---|---|---|---|
| Engagement Program overhead | Total annual impact of authority engagement | ≤ | Annual |
| Penalty Avoidance | Estimated penalties avoided through compliance | ≥ | Annual |
| Incident Response Efficiency | Overhead reduction in incident response due to authority coordination | ≥20% | Annual |
| Regulatory Foresight Value | Estimated efficiency gains from early regulatory preparation | ≥ | Annual |
Common Pitfalls and How to Avoid Them
Reactive Engagement Only
Pitfall: Only contacting authorities during incidents, with no prior relationship or established procedures.
Impact: Delayed response, authority unfamiliarity with your organization, missed cooperation opportunities, regulatory suspicion.
Solution: Establish proactive engagement before incidents occur. Register, subscribe, attend workshops, and build relationships during calm periods.
Inconsistent or Outdated Contact Information
Pitfall: Authority contacts not updated, resulting in failed communications during incidents.
Impact: Delayed reporting, missed coordination windows, compliance violations.
Solution: Quarterly contact directory reviews, subscription to authority update notifications, verification of 24/7 contact methods.
Inadequate Legal Review
Pitfall: Sharing information with authorities without legal review, exposing the organization to liability or compromising legal privilege.
Impact: Regulatory penalties, litigation exposure, waiver of legal privilege, competitive disadvantage.
Solution: Mandatory legal review for all authority-bound reports and communications, privilege-preservation procedures, legal counsel training on cybersecurity issues.
Failure to Track Regulatory Changes
Pitfall: Missing updates to reporting requirements, new regulations, or changed compliance expectations.
Impact: Regulatory non-compliance, surprise audit findings, penalties.
Solution: Regulatory update monitoring system, participation in consultations, legal counsel alertness, subscription to regulatory update services.
Over-Reporting or Under-Reporting
Pitfall: Reporting incidents that don't meet thresholds (wasting authority resources and creating unnecessary scrutiny) or failing to report incidents that do meet thresholds (non-compliance).
Impact: Authority fatigue, credibility loss, or regulatory penalties.
Solution: Clear reporting thresholds documented in procedures, legal review of borderline cases, regular training on reporting requirements.
Poor Evidence Preservation
Pitfall: Failing to preserve evidence in a forensically sound manner, compromising investigation and legal proceedings.
Impact: Evidence inadmissibility, failed prosecutions, regulatory criticism, inability to prove claims.
Solution: Forensic evidence handling procedures, chain of custody protocols, trained staff, legal counsel oversight, use of certified forensic tools.
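Both the template's Evidence Preservation section and this pitfall call for a chain of custody that can be shown to an authority intact. The ledger below is an added example, not the page's or any regulator's tool, of one way to make custody records tamper-evident: the artefact is fingerprinted with SHA-256 at acquisition, every custody event carries the hash of the previous entry, and the handover step refuses to release anything whose artefact or ledger no longer verifies. Evidence bytes, actor names, the evidence id and timestamps are constructed for the example.

```python
"""Hash-chained chain-of-custody ledger for a digital evidence item (added example).

Evidence bytes, actors, id and timestamps below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyLedger:
    def __init__(self, evidence_id: str, artefact: bytes, acquired_by: str, when: datetime):
        self.evidence_id = evidence_id
        self.artefact_hash = sha256_hex(artefact)  # fingerprint taken at acquisition
        self.entries: List[Dict[str, Any]] = []
        self._append("acquired", acquired_by, when, {"artefact_sha256": self.artefact_hash})

    def _append(self, action: str, actor: str, when: datetime, details: Dict[str, Any]) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "evidence_id": self.evidence_id, "action": action,
                "actor": actor, "timestamp": when.isoformat(), "details": details,
                "prev_hash": prev}
        self.entries.append({**body, "entry_hash": sha256_hex(_canonical(body))})

    def transfer(self, from_actor: str, to_actor: str, when: datetime, channel: str) -> None:
        self._append("transfer", from_actor, when, {"to": to_actor, "channel": channel})

    def verify(self) -> bool:
        """Recompute the chain: an edited, reordered or removed middle entry makes this False.
        Removal of the *last* entries is only caught by comparing the head hash with a
        copy held elsewhere, which is why release_to_authority() returns it."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != seq or body["prev_hash"] != prev:
                return False
            if sha256_hex(_canonical(body)) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def release_to_authority(self, artefact: bytes, actor: str, authority: str,
                             when: datetime) -> str:
        """Handover gate: refuse unless both the artefact and the ledger still check out."""
        if sha256_hex(artefact) != self.artefact_hash:
            raise ValueError("artefact no longer matches its acquisition hash")
        if not self.verify():
            raise ValueError("custody ledger failed verification")
        self._append("released", actor, when, {"authority": authority, "channel": "approved portal"})
        return self.entries[-1]["entry_hash"]


# --- constructed walk-through ----------------------------------------------------
ARTEFACT = b"constructed disk-image placeholder bytes\n"
T0 = datetime(2026, 3, 14, 5, 0, tzinfo=timezone.utc)


def build_ledger() -> CustodyLedger:
    ledger = CustodyLedger("EVD-PLACEHOLDER-0001", ARTEFACT, "soc.analyst", T0)
    ledger.transfer("soc.analyst", "forensics.lead", T0.replace(hour=6), "sealed USB, locker 3")
    return ledger


def demo_intact() -> int:
    """Clean handover: ledger verifies and gains a third ('released') entry."""
    ledger = build_ledger()
    ledger.release_to_authority(ARTEFACT, "forensics.lead", "CERT-In", T0.replace(hour=9))
    return len(ledger.entries) if ledger.verify() else -1


def demo_tampered_entry() -> bool:
    ledger = build_ledger()
    ledger.entries[1]["actor"] = "unknown"  # rewriting history breaks that entry's hash
    return ledger.verify()


def demo_deleted_entry() -> bool:
    ledger = build_ledger()
    ledger.release_to_authority(ARTEFACT, "forensics.lead", "CERT-In", T0.replace(hour=9))
    del ledger.entries[1]  # a missing middle entry breaks seq and prev_hash continuity
    return ledger.verify()


def demo_wrong_artefact() -> bool:
    """Handover of bytes that differ from the acquired image is refused."""
    try:
        build_ledger().release_to_authority(ARTEFACT + b"x", "forensics.lead", "CERT-In", T0)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_intact(), demo_tampered_entry(), demo_deleted_entry(), demo_wrong_artefact())
```

The head hash returned at release is the value to record alongside the authority's reference number; a later dispute is settled by comparing that recorded value against a fresh `verify()` of the stored ledger, which is the property the pitfall's "chain of custody protocols" are meant to deliver.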
Lack of Board/Executive Awareness
Pitfall: Authority engagement treated as purely operational, without board-level awareness or strategic alignment.
Impact: Insufficient resource allocation, missed strategic implications, inadequate executive support during crises.
Solution: Board-level reporting on authority engagement, executive briefing on regulatory landscape, strategic risk discussions including authority relationships.
Single Point of Failure
Pitfall: Only one person knows authority contacts and procedures, creating vulnerability if that person is unavailable.
Impact: Inability to report during incidents, compliance failures, response delays.
Solution: Primary and backup liaisons for all authorities, documented procedures accessible to incident response team, cross-training on authority engagement.
Ignoring Local Authorities
Pitfall: Focusing only on national bodies (CERT-In, NCIIPC) while neglecting state police, state CERTs, and local bodies.
Impact: Delayed local law enforcement response, missed localized threat intelligence, incomplete regulatory coverage.
Solution: Complete authority inventory including all levels of government, state-specific registration and contact, participation in local cybersecurity initiatives.
Treating Engagement as a Checkbox
Pitfall: Going through the motions of registration and reporting without genuine engagement or strategic value extraction.
Impact: Missed intelligence, superficial relationships, audit findings on engagement effectiveness.
Solution: Active participation in workshops, proactive intelligence sharing, relationship building, feedback provision, genuine contribution to government initiatives.
Illustrative Scenarios
The following scenarios are composite examples for guidance, not specific Singahi engagements or verified outcomes.
Illustrative Scenario 1: Indian Private Sector Bank, RBI and CERT-In Coordination During Nation-State APT Campaign
Organization: Large private sector bank with 10,000+ employees, 2,000 branches, significant international operations
Sector: Banking and Financial Services
Challenge: The bank detected sophisticated, long-term APT activity targeting its SWIFT infrastructure and international payment systems. The attack appeared to be nation-state sponsored, with tactics consistent with known APT groups targeting financial institutions in South Asia.
Pre-Incident Engagement:
- The bank had maintained active engagement with RBI's CERT-Fin since 2019
- Participated in RBI's annual cyber drills and exercises
- Maintained formal liaison with CERT-In, including quarterly coordination calls
- Registered with the state police cybercrime cell in Mumbai (headquarters location)
- Had legal counsel with specific expertise in cybercrime and financial regulations
- Conducted semi-annual tabletop exercises including authority coordination scenarios
Incident Timeline:
Day 1 (Detection):
- SOC detected anomalous SWIFT gateway activity at 02:30 AM
- Incident Response team activated within 30 minutes
- CISO notified at 03:00 AM
- By 04:00 AM, preliminary analysis confirmed APT activity with nation-state indicators
- CISO decided to activate authority coordination at 04:30 AM
Day 1 (Authority Coordination):
- 05:00 AM: Contacted CERT-In through the 24/7 incident hotline (pre-established contact)
- 05:30 AM: Notified RBI CERT-Fin through the designated liaison channel
- 06:00 AM: Engaged legal counsel for reporting strategy and privilege protection
- 07:00 AM: Contacted Mumbai Police Cybercrime Cell for investigation support
- 08:30 AM: Submitted initial incident report to CERT-In (within 6-hour window for designated entities)
- 09:00 AM: Submitted regulatory notification to RBI with initial assessment
- 10:00 AM: CERT-In coordinated with international partners (through FIRST membership) to share IOCs
- 11:00 AM: RBI provided guidance on customer communication and operational continuity
Day 1–3 (Response and Investigation):
- CERT-In provided technical assistance and threat intelligence on the specific APT group
- RBI coordinated with other banks to check for similar activity (sector-wide protection)
- Mumbai Police initiated investigation and evidence collection
- International law enforcement (FBI, NCA) was engaged through government channels
- The bank preserved evidence with full chain of custody, supported by forensic specialists
- Legal counsel managed privilege and disclosure considerations throughout
Outcome:
- The APT activity was contained within 72 hours
- No fraudulent SWIFT transfers were executed (the detection was early enough)
- Estimated loss avoidance: –40 crores (based on attempted transfer amounts and historical APT financial theft)
- The bank's swift response and authority coordination were praised by RBI in a subsequent sector briefing
- No regulatory penalties were imposed; the bank was viewed as a model for incident response
- The bank's relationships with authorities were strengthened, leading to priority intelligence sharing in subsequent months
- Two bank employees were later invited to speak at CERT-In and RBI workshops on incident response
Key Success Factors:
- Pre-established relationships eliminated the relationship-building delay during crisis
- 24/7 contact methods worked as planned, all authorities responded within expected timeframes
- Legal counsel involvement from the outset protected privilege and managed disclosure
- RBI coordination enabled sector-wide protection, preventing peer banks from being victimized
- Evidence handling procedures ensured legal admissibility for potential prosecution
- Board and executive awareness ensured resource availability and strategic decision support
Lessons Learned:
- The 6-hour reporting window is tight but achievable with pre-established procedures
- Authority coordination during complex incidents requires dedicated staff, not just ad-hoc attention
- International coordination requires government channels; direct law enforcement contact is insufficient for cross-border cases
- Post-incident, the bank expanded its authority engagement program to include NCIIPC and international coordination channels
Quote from CISO:
"At 4 AM on the worst day of my professional life, I was able to call people I knew by name at CERT-In and RBI. Those relationships, built over years of workshops and consultations, saved us. The technical response was good, but the authority coordination was what prevented a catastrophic financial and reputational disaster."
Illustrative Scenario 2: Indian Health Tech Startup, DPDP Act Preparation Through Regulatory Engagement
Organization: Health tech startup (150 employees) providing telemedicine and patient data management platform to 500+ hospitals and clinics across India
Sector: Healthcare / Information Technology
Challenge: The Digital Personal Data Protection Act (DPDP Act) was passed in 2023, creating significant uncertainty about compliance requirements, breach notification timelines, and regulator expectations. The organization needed to prepare for implementation while the regulatory framework was still being operationalized.
Engagement Strategy:
- The startup's Compliance Officer and CISO (external consultant) decided on proactive regulatory engagement rather than waiting for formal rules
- Joined DSCI's DPDP Act working group and consultation sessions in 2023–2024
- Participated in MeitY's stakeholder consultations on DPDP rules
- Engaged with the proposed Data Protection Board through DSCI's liaison
- Maintained contact with CDSCO on medical data protection requirements
- Registered with CERT-In for advisory and incident reporting
- Participated in NABH's cybersecurity consultations for hospital accreditation
Journey:
Phase 1: Intelligence Gathering (Months 1–3)
- Through DSCI consultations, the team gained early visibility into expected breach notification timelines (likely 72 hours for initial notification)
- Learned that the Data Protection Board would expect specific categories of documentation for breach reports
- Understood that medical data would likely be classified as "sensitive personal data" with stricter requirements
- Identified that consent management would be a major compliance area requiring platform redesign
- Impact of this intelligence: (DSCI membership + workshop attendance) vs. estimated + for equivalent consultant research
Phase 2: Implementation Preparation (Months 4–6)
- Used DSCI's DPDP Act readiness framework (shared with members) to conduct a gap assessment
- Implemented technical controls informed by regulatory expectations: encryption, access logging, data retention limits, consent management
- Redesigned patient data platform to include automated breach detection and notification workflows
- Prepared breach notification templates based on DSCI's shared guidance
- Trained clinical and technical staff on DPDP Act requirements using DSCI training materials
- Documented all processing activities in a format informed by regulatory consultation inputs
Phase 3: Readiness and Competitive Advantage (Months 7–9)
- When the Data Protection Board's draft rules were published, the organization had already implemented 80% of expected requirements
- The startup was able to market itself as "DPDP Act ready" to hospital clients, winning 3 major contracts worth s annually
- A competitor (without similar engagement) was scrambling to implement controls after the rules were published, losing a major client to this startup
- The organization was invited to speak at a DSCI conference on "DPDP readiness for health tech", enhancing brand positioning
- When the first CERT-In advisory on health sector data breaches was issued, the organization was already compliant with the recommended controls
Outcome:
- Regulatory preparation overhead: total (engagement + technical implementation) vs. estimated for reactive compliance
- Competitive advantage: s in new contracts directly attributed to DPDP readiness
- Risk reduction: Breach notification readiness reduced potential penalties from estimated s to near-zero (assuming good-faith compliance)
- Industry positioning: Recognized as a thought leader in health data protection
- Investor confidence: Series B investors specifically cited regulatory readiness as a factor in their investment decision
Key Success Factors:
- Proactive engagement before regulations were finalized allowed influence and preparation
- DSCI membership provided structured guidance and peer learning
- Technical implementation was informed by regulatory expectations, not generic best practices
- The organization balanced compliance preparation with business opportunity capture
- Regulatory engagement was treated as a strategic investment, not just a compliance overhead
Lessons Learned:
- Regulatory engagement during formulation (not just after implementation) provides massive competitive advantage
- Industry associations (DSCI) provide structured guidance that individual consultant research cannot match
- Health tech sector faces dual regulatory pressure (health + data protection) requiring coordinated engagement
- Early preparation allows marketing of compliance as a competitive differentiator
- The impact of proactive engagement is 5–10x lower than reactive compliance
Quote from Compliance Officer:
"We spent on regulatory engagement and won s in contracts because of it. Our competitor spent on consultants after the rules came out and still lost a major client to us. The ROI on regulatory engagement isn't just about compliance, it's about winning in the market."
Multi-Framework Mapping
NIST CSF 2.0 Mapping
| NIST CSF Function | Category | Subcategory | Mapping to A.5.5 |
|---|---|---|---|
| GOVERN (GV) | GV.RM | GV.RM-04 | Regulatory compliance and authority engagement informs risk management |
| GOVERN (GV) | GV.PO | GV.PO-03 | Authority policies and procedures guide organizational security policy |
| IDENTIFY (ID) | ID.GV | ID.GV-04 | Authority guidance informs governance and risk identification |
| DETECT (DE) | DE.AE | DE.AE-06 | Authority advisories enhance anomaly detection and event analysis |
| RESPOND (RS) | RS.CO | RS.CO-02 | Authority coordination supports incident response communication |
| RESPOND (RS) | RS.CO | RS.CO-05 | External coordination with authorities during incidents |
| RESPOND (RS) | RS.AN | RS.AN-04 | Authority intelligence informs incident analysis |
| RECOVER (RC) | RC.CO | RC.CO-02 | Authority coordination during recovery and restoration |
PCI DSS v4.0 Mapping
| PCI DSS Requirement | Mapping to A.5.5 |
|---|---|
| 12.10.1, Incident response plan | Authority contact and reporting are components of incident response |
| 12.10.2, Incident response procedures | Authority notification procedures support incident response |
| 12.10.5, Incident response testing | Authority coordination should be included in incident response testing |
| 12.11.2, Security reviews | Regulatory compliance reviews include authority engagement |
SOC 2 Type II Mapping
| TSC Category | Mapping to A.5.5 |
|---|---|
| CC7.3, Incident response | Authority coordination supports incident response capabilities |
| CC9.1, Risk identification | Authority engagement provides regulatory risk intelligence |
| CC9.2, Risk assessment | Regulatory compliance risk assessment includes authority requirements |
| CC1.4, Board oversight | Board awareness of authority engagement and compliance |
| CC2.3, Communication | Authority communication supports external communication requirements |
COBIT 2019 Mapping
| COBIT Domain | COBIT Component | Mapping to A.5.5 |
|---|---|---|
| APO10, Managed Vendors | APO10.04 | Authority engagement supports vendor and third-party risk management |
| APO12, Managed Risk | APO12.01 | Regulatory risk management through authority engagement |
| APO13, Managed Security | APO13.01 | Security management through authority coordination |
| APO14, Managed Data | APO14.04 | Data protection regulatory compliance through authority engagement |
| DSS04, Managed Continuity | DSS04.05 | Regulatory continuity requirements through authority engagement |
| DSS05, Managed Security Services | DSS05.05 | Security service coordination with authorities |
| MEA02, Managed Performance | MEA02.02 | Compliance monitoring and regulatory performance tracking |
CIS Controls v8 Mapping
| CIS Control | Safeguard | Mapping to A.5.5 |
|---|---|---|
| Control 17, Incident Response Management | 17.3 | Authority notification and coordination in incident response |
| Control 18, Penetration Testing | 18.3 | Regulatory compliance and authority coordination for testing |
| Control 1, Inventory and Control of Enterprise Assets | 1.5 | Regulatory asset reporting requirements |
RBI Cybersecurity Framework Mapping
| RBI Requirement | Mapping to A.5.5 |
|---|---|
| Cybersecurity Governance | Engagement with RBI, CERT-Fin, and banking sector bodies |
| Cybersecurity Operations | CERT-Fin reporting, incident coordination, advisory monitoring |
| Compliance | Regulatory reporting, audit coordination, guideline implementation |
| Incident Response | CERT-Fin and peer bank coordination during incidents |
SEBI Cybersecurity Guidelines Mapping
| SEBI Requirement | Mapping to A.5.5 |
|---|---|
| Information Sharing | SEBI coordination and market infrastructure entity engagement |
| Incident Reporting | SEBI reporting requirements and coordination |
| Periodic Reviews | Regulatory audit coordination and compliance demonstration |
| Governance | Board oversight of regulatory engagement and compliance |
DPDP Act 2023 Mapping (Anticipatory)
| DPDP Act Provision | Mapping |
|---|---|
| Section 5, Notice | Inform data principals about processing covered by this control |
| Section 6, Consent | Obtain and manage consent for personal data processing |
| Section 8(1), Data Fiduciary responsibility | Ensure accountability for compliance with this control |
| Section 8(4), Technical and organisational measures | Implement appropriate measures to give effect to this control |
| Section 8(5), Reasonable security safeguards | Protect personal data through the safeguards in this control |
| Section 8(6), Personal data breach intimation | Detect and notify relevant breaches to the Board and affected principals |
| Section 8(7), Erasure | Erase personal data when the purpose is no longer served |
| Section 8(10), Grievance redressal mechanism | Establish an effective grievance redressal mechanism |
| Section 9, Children and persons with disability | Apply enhanced safeguards when processing children's personal data |
| Section 10, Significant Data Fiduciary | Comply with additional SDF obligations (DPO, auditor, DPIA) |
| Section 11, Right to access information | Enable data principals to obtain information about their personal data |
| Section 12, Right to correction and erasure | Enable correction, completion, updating and erasure requests |
| Section 13, Right of grievance redressal | Provide readily available grievance redressal |
| Section 14, Right to nomination | Support nomination of a representative to exercise rights |
| Section 16, Cross-border transfers | Apply safeguards when transferring personal data outside India |
| Section 27, Powers and functions of Board | Cooperate with the Data Protection Board of India |
| Section 33, Penalties | Non-compliance may attract monetary penalties under the Schedule |
Regulatory and Compliance Context
Indian Legal Framework for Authority Engagement
Information Technology Act, 2000 (as amended)
- Section 70B: Establishes CERT-In and empowers it to issue directions, collect information, and coordinate incident response
- Section 69: Government powers to intercept, monitor, or decrypt information (relevant for incident investigation coordination)
- Section 69A: Government powers to block public access to information
- Section 70: Protected system designation and penalties for unauthorized access
- Section 43A: Compensation for failure to protect sensitive personal data (pre-DPDP Act)
- Section 66: Computer-related offenses (hacking, data theft), requires police reporting
CERT-In "Information Security Directions" (2022)
- Mandatory reporting of 20 categories of cybersecurity incidents within 6 hours
- Applies to government organizations, CII entities, intermediary/service providers, and corporate bodies with significant IT infrastructure
- Requires maintenance of ICT logs for 180 days
- Requires synchronization of ICT system clocks
- Designates CERT-In as the central reporting authority
Digital Personal Data Protection Act, 2023
- Establishes the Data Protection Board of India (not yet fully operationalized as of mid-2026)
- Will require data breach notification to the Board and affected data principals
- Mandates appointment of Data Protection Officers for significant data fiduciaries
- Penalties up to s for data breaches (depending on severity and category)
- Authority engagement will be essential for compliance and breach response
NCIIPC Framework
- Established under Section 70A of the IT Act
- Designates and protects Critical Information Infrastructure
- Mandates coordination with CII entities for protection, incident response, and risk management
- Issues sectoral guidelines and advisories
- Conducts exercises and capacity-building programs
Sectoral Regulatory Requirements
| Sector | Regulatory Body | Key Engagement Requirements |
|---|---|---|
| Banking | RBI | Cybersecurity Framework compliance, CERT-Fin reporting, annual cyber drills, incident reporting, UPI security guidelines |
| NBFCs | RBI | Similar to banks with proportionate requirements, NBFC-specific cybersecurity guidelines |
| Securities | SEBI | Cybersecurity Guidelines for MIIs, incident reporting, SEBI cybersecurity audits, market infrastructure protection |
| Insurance | IRDAI | Cybersecurity Guidelines, IT governance requirements, incident reporting, data protection compliance |
| Telecom | DoT / TRAI | Licensing security conditions, network security compliance, lawful interception requirements, consumer protection |
| Healthcare | CDSCO / NABH | Medical device cybersecurity, patient data protection, hospital accreditation cybersecurity requirements |
| Energy | CEA / Ministry of Power | Grid cybersecurity, power system protection, NCIIPC coordination for energy sector |
| Government | NCIIPC / CERT-In / MeitY | Mandatory CERT-In directions, CII protection, national security coordination, procurement security |
| IT/ITeS | MeitY / STPI | STPI registration, export compliance, data localization requirements, CERT-In coordination |
| E-commerce | MeitY / Consumer Affairs | Consumer protection, data protection, intermediary liability, payment security |
| Education | UGC / AICTE / State Boards | Student data protection, online platform security, cybersecurity curriculum requirements |
| Real Estate | RERA / State Authorities | Customer data protection, portal security, transaction record protection |
Law Enforcement and Cybercrime Reporting
National Cybercrime Reporting Portal (cybercrime.gov.in)
- Citizen and organizational reporting of cybercrime
- 1930 helpline for cybercrime reporting
- I4C (Indian Cybercrime Coordination Centre) for national coordination
Police Cybercrime Structure:
- National Level: CBI Cybercrime Division, NIA (for cyberterrorism), I4C
- State Level: State Cybercrime Cells, State Crime Investigation Departments
- District Level: District Cybercrime Cells, Economic Offences Wings
- Local Level: Police Station cybercrime handling, specialized cybercrime police stations in major cities
Reporting Triggers:
- Criminal hacking or unauthorized access
- Data theft with criminal intent
- Financial fraud involving cyber elements
- Ransomware with extortion
- Cyberstalking, harassment, or threats
- Child sexual abuse material (CSAM)
- Cyberterrorism or threats to national security
- Intellectual property theft through cyber means
International Considerations
Organizations with international operations must consider:
- GDPR: Notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, and affected data subjects without undue delay where the risk to them is high; this applies to any processing of EU residents' data that falls within GDPR's scope, not only to EU-based entities
- UK GDPR / Data Protection Act 2018: The same 72-hour notification, to the ICO
- US State Laws: Every state has its own breach-notification statute with differing triggers and timelines (California's, for example); CCPA/CPRA additionally gives California consumers a private right of action for breaches caused by inadequate security
- APAC Regulations: Singapore PDPA, Australia Privacy Act, Japan APPI
- Cross-Border Coordination: Mutual Legal Assistance Treaties (MLATs) for international cybercrime investigation
- International Law Enforcement: Interpol, Europol, FBI (for US-related matters), NCA (UK)
RACI Matrix
Authority Engagement Activities RACI
| Activity | Board | CISO | Legal | Compliance | Security Manager | IR Lead | PR/Comms |
|---|---|---|---|---|---|---|---|
| Strategy and Policy | |||||||
| Define authority engagement strategy | A | R | C | C | I | I | I |
| Approve authority contact policy | A | R | C | C | I | I | I |
| Approve incident reporting procedures | A | R | C | C | I | I | I |
| Identification and Registration | |||||||
| Identify relevant authorities | I | A | C | R | C | I | I |
| Register with authorities | I | A | C | R | C | I | I |
| Maintain authority contact directory | I | A | I | C | R | C | I |
| Operational Engagement | |||||||
| Monitor authority advisories | I | A | I | C | R | C | I |
| Attend regulatory workshops | I | A | I | C | R | C | I |
| Submit voluntary reports | I | A | R | C | C | I | I |
| Participate in consultations | I | A | R | C | C | I | C |
| Incident Reporting | |||||||
| Determine reporting requirements | C | A | R | C | C | C | I |
| Prepare incident reports | I | A | R | C | R | C | C |
| Submit reports to authorities | I | A | C | R | C | C | I |
| Coordinate during incidents | C | A | R | C | C | R | C |
| Manage evidence for authorities | I | C | A | I | C | R | I |
| Board and Executive Reporting | |||||||
| Report on authority engagement | A | R | C | C | I | I | I |
| Report on regulatory changes | A | R | C | R | I | I | I |
| Report on incident authority coordination | A | R | C | C | R | C | C |
| Review and Improvement | |||||||
| Conduct annual program review | A | R | C | C | I | I | I |
| Update authority inventory | I | A | I | C | R | I | I |
| Test incident reporting workflows | I | A | I | C | R | R | I |
R = Responsible, A = Accountable, C = Consulted, I = Informed
Documentation and Record Keeping
Required Documentation
| Document | Purpose | Retention Period | Owner |
|---|---|---|---|
| Authority Contact Policy | Defines engagement rules and procedures | 7 years | CISO |
| Authority Inventory | Complete list of authorities with jurisdiction | 7 years | Compliance Officer |
| Authority Contact Directory | Contacts, 24/7 methods, escalation paths | 3 years | Security Manager |
| Incident Reporting Procedures | Step-by-step reporting workflows | 7 years | CISO |
| Incident Reports to Authorities | All mandatory and voluntary reports | 7 years | Compliance Officer |
| Authority Correspondence Log | All communications with authorities | 7 years | Compliance Officer |
| Advisory Monitoring Records | Authority advisories received and actions taken | 3 years | Security Manager |
| Regulatory Workshop Attendance | Records of workshops, consultations, exercises | 3 years | Compliance Officer |
| Evidence Preservation Logs | Chain of custody for incident evidence | 7 years | Legal Counsel |
| Liaison Designation Records | Formal designation of authority liaisons | 3 years | CISO |
| Annual Program Review | Annual assessment of engagement effectiveness | 7 years | CISO |
| Regulatory Change Tracking | Log of regulatory changes and organizational responses | 7 years | Compliance Officer |
| Training Records | Staff training on authority engagement | 3 years | HR / Compliance |
| Tabletop Exercise Records | Authority coordination exercise documentation | 7 years | Incident Response Lead |
| CII Coordination Records | NCIIPC engagement and coordination (if applicable) | 7 years | CISO |
Record Keeping Best Practices
- Legal Privilege: Mark and protect documents that may be subject to legal privilege or litigation hold
- Access Control: Restrict access to incident reports, evidence logs, and sensitive correspondence
- Version Control: Maintain version history for all policies and procedures
- Audit Trail: Ensure all authority interactions are logged with timestamps and participants
- Backup: Authority engagement records are critical for compliance and should be backed up with appropriate retention
- Cross-Border Considerations: Organizations with international operations must maintain records for multiple jurisdictions
- RTI Exposure: Be aware that information shared with government may be subject to Right to Information (RTI) requests
- DPDP Act Compliance: Ensure record keeping for personal data breaches aligns with upcoming Data Protection Board requirements
Continuous Improvement
Maturity Model for A.5.5
| Level | Name | Characteristics | Evidence |
|---|---|---|---|
| 1 | Initial | Ad-hoc authority contact; no formal policy; reactive engagement only during incidents; limited awareness of regulatory requirements | Random incident reports, no registration records, ad-hoc communications |
| 2 | Developing | Basic registration with CERT-In; some sector regulator awareness; informal incident reporting; no documented procedures | CERT-In registration, some advisory subscriptions, informal contact records |
| 3 | Defined | Formal authority engagement policy; complete authority inventory; documented reporting procedures; designated liaisons; regular advisory monitoring | Policy document, authority directory, reporting logs, liaison designations, monitoring records |
| 4 | Managed | Proactive engagement with workshops and consultations; tested incident reporting workflows; legal review of all communications; regulatory change tracking; CII coordination if applicable | Workshop records, exercise reports, legal review logs, change tracking, NCIIPC records |
| 5 | Optimizing | Industry leadership in regulatory engagement; participation in standards and policy development; reciprocal intelligence sharing; post-incident authority relationship strengthening; strategic regulatory foresight | Standards contributions, policy inputs, speaking engagements, strategic planning documents, government advisory roles |
Improvement Cycle
Plan:
- Annual authority engagement strategy review
- Regulatory horizon scanning and impact assessment
- Authority relationship health assessment
- Benchmarking against peer organizations and sector leaders
Do:
- Implement new authority registrations and relationships
- Enhance reporting workflows and automation
- Increase proactive engagement and consultation participation
- Upgrade evidence handling and forensic capabilities
- Expand legal counsel cybersecurity expertise
Check:
- Quarterly compliance metric reviews
- Annual regulatory audit preparation and review
- Post-incident authority coordination assessment
- Staff feedback and training effectiveness evaluation
- Peer benchmarking and competitive positioning
Act:
- Update authority inventory based on regulatory changes
- Enhance procedures based on exercise findings and incident lessons
- Invest in tools and capabilities that improve engagement efficiency
- Expand engagement scope based on organizational growth and sector changes
- Report improvement progress to board and executive leadership
Toolkit Download
The following toolkit assets are available for this control:
| Asset | Description | Format |
|---|---|---|
| 01-authority-contact-policy-template.md | Customizable policy for authority engagement | Markdown |
| 02-incident-reporting-procedure-template.md | Step-by-step incident reporting workflow | Markdown |
| 03-authority-inventory-template.xlsx | Template for tracking all relevant authorities | Excel |
| 04-contact-directory-template.xlsx | Authority contact directory with 24/7 methods | Excel |
| 05-liaison-designation-template.md | Formal liaison role designation document | Markdown |
| 06-cert-in-registration-guide.md | Step-by-step guide for CERT-In registration | Markdown |
| 07-nciipc-registration-guide.md | NCIIPC registration and coordination guide (for CII) | Markdown |
| 08-incident-report-templates.md | Report templates for CERT-In, RBI, SEBI, IRDAI | Markdown |
| 09-evidence-preservation-checklist.md | Forensic evidence handling and chain of custody checklist | Markdown |
| 10-regulatory-requirement-tracker.xlsx | Tracker for sector-specific regulatory requirements | Excel |
| 11-tabletop-exercise-scenario.md | Authority coordination tabletop exercise scenario | Markdown |
| 12-dpdp-act-readiness-checklist.md | DPDP Act compliance preparation checklist | Markdown |
| 13-annual-program-review-template.pptx | Annual authority engagement program review template | PowerPoint |
| 14-audit-evidence-checklist.md | Evidence checklist for A.5.5 audit preparation | Markdown |
| 15-compliance-metrics-dashboard.xlsx | Dashboard for tracking compliance and engagement KPIs | Excel |
| 16-legal-review-workflow.md | Legal review workflow for authority communications | Markdown |
| 17-maturity-assessment-questionnaire.md | Self-assessment for authority engagement maturity | Markdown |
| README.md | Index and usage guide for all toolkit assets | Markdown |
Frequently Asked Questions
Q1: Is A.5.5 mandatory for ISO 27001 certification?
A: Yes, all Annex A controls are part of the ISO 27001:2022 standard. However, you can declare a control as "not applicable" with justification. For most organizations, A.5.5 is applicable because virtually every organization has some authority with jurisdiction (CERT-In, police, tax authorities, or sector regulators). Only isolated organizations with no regulatory oversight might justify non-applicability, which is extremely rare in India.
Q2: Do we need to report every security incident to CERT-In?
A: No. The 2022 directions require service providers, intermediaries, data centres, body corporates and government organisations to report the 20 categories of incidents listed in their annexure; an incident outside those categories, or at an entity outside that scope, is reportable on a voluntary basis and reporting is encouraged. Check whether your entity type is covered before assuming it is not, because the directions contain no size threshold. Sector-specific regulators (RBI, SEBI, IRDAI) have their own mandatory reporting categories and timelines on top of this.
Q3: What is the difference between CERT-In and NCIIPC?
A: CERT-In is the national incident response agency for all cybersecurity matters, open to all organizations. NCIIPC specifically protects Critical Information Infrastructure (CII), designated systems in sectors like energy, banking, telecom, transport, government, and defense. NCIIPC engagement is mandatory only for CII entities. Both may be relevant for CII organizations, which must report to both.
Q4: How do we handle conflicting requirements from different authorities?
A: This is common. For example, a bank may need to report to both CERT-In (within 6 hours) and RBI (with different timelines). The solution is to: (1) document all requirements in a consolidated matrix, (2) prioritize the shortest timeline, (3) use legal counsel to navigate conflicts, (4) communicate proactively with authorities about multi-reporting. In practice, most organizations create a single report that satisfies multiple authorities, with minor customizations.
Q5: Can authority engagement expose us to regulatory penalties?
A: Properly managed engagement reduces penalties by ensuring compliance. However, improper engagement, such as sharing information that reveals non-compliance, or failing to follow legal procedures, can create exposure. The solution is to involve legal counsel in all significant authority interactions, follow documented procedures, and maintain privilege where possible. Remember: authorities already have enforcement power, engagement is about managing that relationship, not avoiding it.
Q6: What if we cannot meet a 6-hour reporting deadline?
A: The 6-hour deadline applies to initial reporting, which can be brief and factual. You do not need a complete investigation report within 6 hours, only notification that an incident has occurred, with basic details and an undertaking to follow up. Prepare a template with pre-filled organizational information so you only need to add incident-specific details. If you genuinely miss the deadline, report as soon as possible, state the reason in the report, and record it in the correspondence log. Do not rely on tolerance: Section 70B(7) of the IT Act makes failure to comply with CERT-In directions punishable, so treat every delay as a finding to be fixed in the reporting workflow.
Q7: Should we engage with state authorities or just national bodies?
A: Both. National bodies (CERT-In, NCIIPC) provide strategic intelligence and coordination. State authorities (state police, state CERTs) provide localized response and may be faster for local incidents. For organizations with multi-state presence, maintain contacts in all relevant states. Some incidents (e.g., local cybercrime) are better handled by state police than national agencies.
Q8: How do we preserve legal privilege while engaging with authorities?
A: Legal privilege is complex in Indian law. Best practices: (1) involve legal counsel from the outset of incident response, (2) mark privileged communications clearly, (3) use separate legal counsel for regulatory compliance vs. litigation defense, (4) understand that privilege may be waived if information is shared too broadly, (5) document privilege claims. Work with Indian legal counsel experienced in cybersecurity and regulatory matters.
Q9: What is the impact of non-compliance with authority engagement requirements?
A: Under Section 70B(7) of the IT Act, failure to comply with CERT-In directions is punishable with imprisonment up to 1 year, a fine up to ₹1 lakh, or both. RBI can impose monetary penalties, restrict digital operations, or impose supervisory action for non-compliance. SEBI can impose penalties, suspend registrations, or initiate enforcement. The DPDP Act (when fully operationalized) provides for penalties under its Schedule of up to ₹250 crore per instance for failure to maintain reasonable security safeguards. Beyond direct penalties, non-compliance damages reputation, customer trust, and insurance coverage.
Q10: How do we balance authority transparency with business confidentiality?
A: Be transparent about security incidents and compliance status without revealing commercially sensitive information. Share technical indicators and compliance facts, not business strategy or competitive intelligence. Use legal review to ensure that shared information is appropriate. Remember that authorities are primarily interested in security and compliance, not your business model. When in doubt, share less and seek legal advice.
Q11: Can we use third parties (like Singahi) to manage authority engagement?
A: Yes, but with caveats. Third parties can help with preparation, documentation, and advisory, but the organization remains legally responsible for compliance. Authority registration and formal reporting should generally be done in the organization's own name (not the consultant's). Third parties can support incident response coordination, but the organization's liaison should be the primary contact. Think of third-party support as "advisory and preparation," not "outsourced authority relationship."
Q12: How do we prepare for the DPDP Act's data breach notification requirements?
A: Even though the Data Protection Board is not fully operationalized as of mid-2026, prepare now: (1) track DPDP Act rule developments through DSCI and MeitY consultations, (2) implement breach detection and notification workflows, (3) prepare breach notification templates, (4) establish legal review processes for breach notifications, (5) train staff on data breach response, (6) engage with the Data Protection Board (when operational) through formal channels. Early preparation will be a significant competitive advantage.
Q13: What should we do if an authority does not respond to our incident report?
A: First, ensure the report was submitted through the correct channel and that you hold an acknowledgment (a ticket number or acknowledgment email). Follow up after 24 hours via alternative channels (phone, email, secondary contact). Document all follow-up attempts. If the incident is severe, escalate through the authority's hierarchy or the sector regulator. For critical incidents, consider reaching out through sector coordination bodies (for banks, IDRBT's IB-CART alongside RBI). Maintain professionalism and patience; authorities are often under-resourced, and the acknowledged submission is what you will need to show an auditor.
Q14: How do we handle authority requests for information beyond incident reporting?
A: Authorities may request information for surveys, investigations, or policy development. Evaluate each request: (1) Is there a legal basis for the request? (2) What is the scope and sensitivity? (3) Can we provide the information without exposing confidential data? (4) Should legal counsel review before sharing? (5) Can we negotiate scope or timing? Always respond professionally, but protect organizational interests. If a request is overly broad or inappropriate, seek legal advice before responding.
Q15: How do international organizations handle Indian authority engagement?
A: International organizations operating in India must comply with Indian authority requirements regardless of their global headquarters. Establish a dedicated Indian authority engagement program, register with CERT-In, comply with sector-specific requirements, and maintain local legal counsel. International holding companies should be aware that Indian subsidiaries may need to report incidents that affect parent company systems. Cross-border incident reporting requires coordination between Indian and international authorities (often through MLATs or CERT bilateral agreements).
References and Further Reading
Standards and Frameworks
- ISO/IEC 27001:2022, Information Security, Cybersecurity and Privacy Protection, Information Security Management Systems, Requirements
- ISO/IEC 27002:2022, Information Security, Cybersecurity and Privacy Protection, Information Security Controls
- NIST Cybersecurity Framework 2.0 (2024)
- NIST SP 800-61, Computer Security Incident Handling Guide
- NIST SP 800-150, Guide to Cyber Threat Information Sharing
Indian Legal and Regulatory References
- Information Technology Act, 2000 (as amended through 2008)
- CERT-In "Information Security Directions" (2022)
- Digital Personal Data Protection Act, 2023
- RBI Cybersecurity Framework for Banks (2016, updated)
- SEBI Cybersecurity Guidelines for Market Infrastructure Institutions (2019)
- IRDAI Cybersecurity Guidelines for Insurance Companies (2017)
- NCIIPC Guidelines for Protection of Critical Information Infrastructure
- Indian Telegraph Act (for telecom security requirements)
- Companies Act, 2013 (for corporate governance and data protection obligations)
Government Resources
- CERT-In, cert-in.org.in
- NCIIPC, nciipc.gov.in
- National Cybercrime Reporting Portal, cybercrime.gov.in
- MeitY, meity.gov.in
- RBI, rbi.org.in
- SEBI, sebi.gov.in
- IRDAI, irdai.gov.in
- TRAI, trai.gov.in
- CDSCO, cdsco.gov.in
- CEA, cea.nic.in
- DoT, dot.gov.in
- MHA, mha.gov.in
- BIS, bis.gov.in
Industry and Academic Sources
- DSCI, Data Security Council of India, dsci.in
- IDRBT, Institute for Development and Research in Banking Technology
- C-DAC, Centre for Development of Advanced Computing
- NASSCOM, nasscom.in
- CII, cii.in
- FICCI, ficci.in
- ASSOCHAM, assocham.org
- ISACA India, isaca.org
International References
- FIRST, Forum of Incident Response and Security Teams, www.first.org
- Interpol Cybercrime, www.interpol.int
- Europol EC3, www.europol.europa.eu
- ENISA, European Union Agency for Cybersecurity, www.enisa.europa.eu
- APCERT, Asia Pacific Computer Emergency Response Team, www.apcert.org
Document Control
- Version: 1.0
- Author: Singahi, ISO 27001 Implementation Experts
- Review Cycle: Quarterly (for regulatory changes) + Annual (complete)
- Next Review: September 2026 (quarterly) / June 2027 (annual)
- Classification: TLP:CLEAR, Public Information