ISO 27001:2022 Annex A Control 5.29

Explaining Annex A Control 5.29 Information security during disruption

Control 5.29 of ISO 27001, "Information Security During Disruption," emphasizes the need for your organization to maintain appropriate levels of information security during disruptions. Whether facing technical failures, natural disasters, or other operational interruptions, this control ensures the protection of information and related assets, maintaining confidentiality, integrity, and availability.

Objective of Control 5.29

The main objective of this control is to safeguard critical information assets during disruptions. It ensures that your organization integrates information security requirements into business continuity processes, allowing you to respond effectively to unexpected events while minimizing risks to your operations and reputation.

Purpose of Control 5.29

Control 5.29 exists to ensure that security measures remain effective even when your organization experiences a significant disruption. Specifically, it aims to:

  • Prevent data breaches or security lapses caused by unexpected failures.
  • Ensure resilience by integrating security into disaster recovery and business continuity planning.
  • Minimize downtime and financial loss due to operational disruptions.
  • Maintain regulatory and contractual compliance by ensuring security obligations are met.

Implementing Control 5.29: Key Steps

1. Integrating Information Security into Business Continuity Management

A critical aspect of this control is embedding information security requirements into Business Continuity and ICT Continuity Plans. To achieve this, your organization should:

  • Define and prioritize security needs for essential business processes.
  • Map critical assets and dependencies (e.g., cloud services, databases, internal systems).
  • Identify security risks specific to operational disruptions.
  • Incorporate risk mitigation and compensating security controls into continuity planning.

2. Developing and Maintaining Business Continuity Plans (BCP)

To comply with Control 5.29, your organization must:

  • Develop a structured Business Continuity Plan (BCP) that includes information security controls.
  • Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical data.
  • Establish secure fallback environments (e.g., secondary data centers, backup cloud services).
  • Ensure access control mechanisms remain functional even during disruptions.
  • Implement communication protocols for security incident management.

3. Adapting Information Security Controls During Disruptions

Your organization should identify and document:

  • Processes for maintaining existing security controls (e.g., firewalls, authentication systems).
  • Alternative or compensating controls when primary measures are unavailable.
  • Security exceptions management to track and mitigate security gaps.

Example: If a multi-factor authentication (MFA) service is temporarily unavailable during a disruption, your organization must have a secure alternative (e.g., temporary passcodes issued via internal mechanisms) to maintain authentication security.

4. Ensuring Timely Restoration of Security Controls

Restoration should be based on:

  • Business impact analysis (BIA) results that define priority assets and dependencies.
  • Risk assessment data that determines which security gaps require urgent resolution.
  • Predefined security recovery procedures for handling breached, missing, or corrupted data.

Relevant Controls for Complementary Implementation

Control 5.29 is closely related to several other ISO 27001 controls, including:

  • Control 5.30 – ICT Readiness for Business Continuity
    Ensures IT systems can support business continuity requirements.
    Covers redundancy planning, failover mechanisms, and disaster recovery solutions.

  • Control 5.25 – Business Continuity Planning
    Defines the broader scope of business continuity preparedness.
    Ensures critical business operations continue despite cyber threats or other disruptions.

  • Control 5.1 – Information Security Policies
    Establishes foundational security policies that integrate continuity and recovery planning.
    Ensures that employees, vendors, and stakeholders follow standardized security protocols during disruptions.

  • ISO 22301 & ISO/TS 22317
    ISO 22301 (Business Continuity Management System – BCMS) provides a framework for business continuity planning.
    ISO/TS 22317 offers guidelines for conducting Business Impact Analyses (BIA), which help determine security priorities during disruptions.

Templates to Assist with Control 5.29

Your organization can streamline compliance and enhance information security preparedness with the following templates available on our website:

Business Continuity Policy Template
Defines roles, responsibilities, and security controls for maintaining operations during disruptions.

Business Continuity Plan (BCP) Template
Provides a step-by-step framework for developing security-integrated business continuity strategies.

Risk Assessment Template
Helps organizations identify vulnerabilities and assess potential security risks during disruptions.

Incident Response Plan Template
Establishes structured response procedures to minimize security threats during unexpected failures.

Best Practices for Control 5.29 Implementation

To maximize the effectiveness of Control 5.29, consider these best practices:

Conduct Regular Business Impact Analyses (BIA)
Evaluate critical business processes, security dependencies, and recovery priorities.
Ensure BIA findings align with cybersecurity risk management frameworks.

Implement Adaptive Security Measures
Use dynamic security controls that can be modified based on the type and severity of disruptions.

Ensure Employee Awareness & Training
Train employees on security protocols, incident response, and business continuity measures.

Conduct Routine Testing & Simulations
Test security continuity plans using real-world disruption scenarios (e.g., cyberattacks, power failures).
Perform tabletop exercises and penetration testing to validate control effectiveness.