UnixTime

Research Note

EXAM-012 - Continuity Security and ICT Readiness

A.5.29 and A.5.30 are related but not interchangeable. One protects security during disruption; the other ensures ICT availability and recovery capability.

On this page

Exam focus

A.5.29 asks whether security remains appropriate during disruption. A.5.30 asks whether ICT can recover against business continuity objectives.

Topic Summary

A.5.29 and A.5.30 are related but not interchangeable. One protects security during disruption; the other ensures ICT availability and recovery capability.

Key Concepts

Control Exam cue
A.5.29 Security requirements must be built into crisis, continuity, and recovery planning
A.5.30 ICT continuity must be planned, implemented, maintained, and tested

Common Exam Traps

  • Treating continuity as availability only.
  • Treating backups as sufficient ICT readiness.
  • Ignoring supplier continuity arrangements.
  • Defining RTO/RPO values without business input.
  • Restoring services without preserving confidentiality, integrity, access control, logging, and evidence.