What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requirements, supplier considerations, and testing.
Evidence to request
| Evidence | Purpose |
|---|---|
| Information security continuity objectives | Shows the control can be verified |
| Business continuity or crisis plan | Shows the control can be verified |
| Business impact analysis with security requirements | Shows the control can be verified |
| Continuity risk assessment | Shows the control can be verified |
| Continuity exercise records | Shows the control can be verified |
| Supplier continuity/security review records | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Documented information security continuity objectives are approved by management.
- Business impact analysis includes security requirements, not only recovery timing.
- Continuity and disaster recovery plans include access control, communications, supplier, data protection, and emergency change controls.
- Security and continuity specialists both contributed to plan design or review.
- Continuity exercises include information security scenarios and responsibilities.
- Supplier continuity arrangements are reviewed for security adequacy.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Continuity plan focuses only on restoring operations.
- Security is assumed to continue but not specified.
- Emergency access is allowed without approval, logging, or review.
- Supplier continuity plans are accepted without checking security requirements.
- Staff with crisis roles cannot explain security responsibilities.
- Continuity testing ignores security decisions.
Sample interview questions
- What security objectives apply during disruption?
- Where are security requirements captured in business continuity planning?
- Who owns security decisions during crisis response?
- How are supplier continuity arrangements checked for security adequacy?
- Show a continuity test where information security responsibilities were exercised.
Common nonconformities
- Business continuity plans restore service but weaken access control
- Emergency workarounds are undocumented
- Security team is not involved in continuity planning
- Supplier continuity arrangements are not reviewed
- Plans are untested
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 29
Note Metadata
Aliases: A.5.29 Evidence
Source: 04 Audit Evidence Packs/A.5.29 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.29 - Information Security During Disruption
- Audit Evidence MOC
- AQ-ISO27001-A.5.29 Information Security During Disruption
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.29 Information Security During Disruption
- A.5.29 Audit Checklist
- Information Security Continuity Requirements
- Audit Evidence Index