Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“The organization shall plan how to maintain information security at an appropriate level during disruption.”
Plain-language meaning
The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.
Why this matters
Disruption is exactly when people bypass normal controls, use emergency access, move data quickly, depend on suppliers, or restore services under pressure. If security drops too far, a continuity event can become a security incident.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
- Define information security continuity objectives for crisis and recovery situations.
- Include information security requirements in business continuity, crisis management, disaster recovery, and business impact analysis activities.
- Identify minimum acceptable controls during disruption, including access control, logging, backup protection, communications security, supplier security, data handling, and emergency changes.
- Assign responsibilities between information security, business continuity, disaster recovery, IT, suppliers, management, legal, and communications roles.
- Verify that suppliers business continuity arrangements maintain security at a level that meets organizational requirements.
- Test or exercise continuity plans with information security responsibilities included, not only operational recovery tasks.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that continuity plans include explicit information security objectives, risk assessment, management approval, assigned responsibilities, documented procedures, awareness, and testing evidence.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Documented information security continuity objectives | Supports design, implementation, operation, or review |
| Business impact analysis includes security requirements, not only recovery timing. | Supports design, implementation, operation, or review |
| Continuity and disaster recovery plans include access control, communications, supplier, data protection, and emergency change controls. | Supports design, implementation, operation, or review |
| Security and continuity specialists both contributed to plan design or review. | Supports design, implementation, operation, or review |
| Continuity exercises include information security scenarios and responsibilities. | Supports design, implementation, operation, or review |
Strong evidence
- Documented information security continuity objectives are approved by management.
- Business impact analysis includes security requirements, not only recovery timing.
- Continuity and disaster recovery plans include access control, communications, supplier, data protection, and emergency change controls.
- Security and continuity specialists both contributed to plan design or review.
- Continuity exercises include information security scenarios and responsibilities.
- Supplier continuity arrangements are reviewed for security adequacy.
Weak evidence
- Continuity plan focuses only on restoring operations.
- Security is assumed to continue but not specified.
- Emergency access is allowed without approval, logging, or review.
- Supplier continuity plans are accepted without checking security requirements.
- Staff with crisis roles cannot explain security responsibilities.
- Continuity testing ignores security decisions.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Business continuity plans restore service but weaken access control | Recovered services may expose sensitive data or allow unauthorized activity |
| Emergency workarounds are undocumented | Temporary exceptions become permanent hidden risks |
| Security team is not involved in continuity planning | Security requirements are missed during crisis design |
| Supplier continuity arrangements are not reviewed | Third-party disruption can create security exposure |
| Plans are untested | People do not know how to preserve security under pressure |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- A.5.29 is about maintaining appropriate security during disruption, not just restoring availability.
- Business continuity and disaster recovery plans should include information security requirements.
- A crisis can create both continuity and security incidents if controls are bypassed.
- Supplier continuity arrangements should meet the organization security requirements.
- Testing matters because complex plans rarely work perfectly the first time.
Related controls and concepts
- A.5.24 Information Security Incident Management Planning and Preparation
- A.5.30 ICT Readiness for Business Continuity
- Risk Assessment
- Management Review
- Internal Audit
- Supplier Security Register
- Cloud Security Requirements and Exit Checklist
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.29 requires the organization to make continuity practical for information security. The key test is whether disruption plans, ICT recovery, suppliers, roles, tests, and improvement actions preserve the right level of security while restoring priority services.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Continuity
- Audit
- Business continuity
- Disruption
- Security continuity
Note Metadata
Aliases: A.5.29, Information Security During Disruption
Source: 02 Annex A Organizational Controls/A.5.29 Information Security During Disruption.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
9
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Internal Audit
- Management Review
- Risk Assessment
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- A.5 Organizational Controls MOC
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- A.5.29 Audit Evidence Pack
- AQ-ISO27001-A.5.29 Information Security During Disruption
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- ISO 27001 A.8.6 - Capacity Management
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.29 Information Security During Disruption
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-012 - Continuity Security and ICT Readiness
- ISO 27002 Annex A Control Interpretation Map
- A.5.29 Audit Checklist
- Backup Policy and Schedule
- Cloud Security Requirements and Exit Checklist
- ICT Continuity Requirements and Test Record
- Information Security Continuity Requirements
- Physical and Environmental Threat Assessment
- Supplier Security Register
- Annex A Controls MOC