UnixTime

Research Note

ISO 27001 A.5.29 - Information Security During Disruption

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“The organization shall plan how to maintain information security at an appropriate level during disruption.”

Plain-language meaning

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

Why this matters

Disruption is exactly when people bypass normal controls, use emergency access, move data quickly, depend on suppliers, or restore services under pressure. If security drops too far, a continuity event can become a security incident.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

  1. Define information security continuity objectives for crisis and recovery situations.
  2. Include information security requirements in business continuity, crisis management, disaster recovery, and business impact analysis activities.
  3. Identify minimum acceptable controls during disruption, including access control, logging, backup protection, communications security, supplier security, data handling, and emergency changes.
  4. Assign responsibilities between information security, business continuity, disaster recovery, IT, suppliers, management, legal, and communications roles.
  5. Verify that suppliers business continuity arrangements maintain security at a level that meets organizational requirements.
  6. Test or exercise continuity plans with information security responsibilities included, not only operational recovery tasks.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that continuity plans include explicit information security objectives, risk assessment, management approval, assigned responsibilities, documented procedures, awareness, and testing evidence.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Documented information security continuity objectives Supports design, implementation, operation, or review
Business impact analysis includes security requirements, not only recovery timing. Supports design, implementation, operation, or review
Continuity and disaster recovery plans include access control, communications, supplier, data protection, and emergency change controls. Supports design, implementation, operation, or review
Security and continuity specialists both contributed to plan design or review. Supports design, implementation, operation, or review
Continuity exercises include information security scenarios and responsibilities. Supports design, implementation, operation, or review

Strong evidence

  • Documented information security continuity objectives are approved by management.
  • Business impact analysis includes security requirements, not only recovery timing.
  • Continuity and disaster recovery plans include access control, communications, supplier, data protection, and emergency change controls.
  • Security and continuity specialists both contributed to plan design or review.
  • Continuity exercises include information security scenarios and responsibilities.
  • Supplier continuity arrangements are reviewed for security adequacy.

Weak evidence

  • Continuity plan focuses only on restoring operations.
  • Security is assumed to continue but not specified.
  • Emergency access is allowed without approval, logging, or review.
  • Supplier continuity plans are accepted without checking security requirements.
  • Staff with crisis roles cannot explain security responsibilities.
  • Continuity testing ignores security decisions.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Business continuity plans restore service but weaken access control Recovered services may expose sensitive data or allow unauthorized activity
Emergency workarounds are undocumented Temporary exceptions become permanent hidden risks
Security team is not involved in continuity planning Security requirements are missed during crisis design
Supplier continuity arrangements are not reviewed Third-party disruption can create security exposure
Plans are untested People do not know how to preserve security under pressure

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • A.5.29 is about maintaining appropriate security during disruption, not just restoring availability.
  • Business continuity and disaster recovery plans should include information security requirements.
  • A crisis can create both continuity and security incidents if controls are bypassed.
  • Supplier continuity arrangements should meet the organization security requirements.
  • Testing matters because complex plans rarely work perfectly the first time.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.29 requires the organization to make continuity practical for information security. The key test is whether disruption plans, ICT recovery, suppliers, roles, tests, and improvement actions preserve the right level of security while restoring priority services.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Continuity
  • Audit
  • Business continuity
  • Disruption
  • Security continuity

Note Metadata

Aliases: A.5.29, Information Security During Disruption

Source: 02 Annex A Organizational Controls/A.5.29 Information Security During Disruption.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

9

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.