ISO 27001 Annex A 5.29 – Information Security During Disruption

This rule is about ensuring that information security is maintained during a disruption, outage or business continuity event.

What is ISO 27001 Annex A 5.29?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Information Security During Disruption”.

What is the ISO 27001 Annex A 5.29 control objective?

The formal definition and control objective in the standard is: “The organisation should plan how to maintain information security at an appropriate level during disruption.”

What is the purpose of ISO 27001 Annex A 5.29?

The purpose of ISO 27001 Annex A 5.29 is “To protect information and other associated assets during disruption.”

Is ISO 27001 Annex A 5.29 Mandatory?

ISO 27001 Annex A control 5.29 (Information Security During Disruption in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.29 and all other Annex A controls when you produce your Statement of Applicability, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context. Any exclusion must be justified in the Statement of Applicability, and an auditor will expect that justification to be credible: for most organisations that have business continuity or disaster recovery plans at all, this control applies.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

The simplest way to implement Annex A 5.29 is to make sure your security plans match your recovery plans.

You should use the same level of information security in these documents:

  • Your business continuity plans (how you keep working).
  • Your disaster recovery plans (how you restore service).
  • Your disruption operations (how you manage during the event).

If your security levels differ across these plans, your setup becomes much more complicated, and that complexity invites harder questions when the auditor checks your work. For example, if recovery systems are allowed weaker access control or logging than production, you need to explain why that reduced level is acceptable and how you return to the normal level once the disruption ends. You may still need other steps, and you should take them, but keeping the security level consistent across the plans is the simplest and most defensible approach.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

1. Your Plans are Written Down

You must show that you have written down your business continuity and disaster recovery plans. The auditor will check this paperwork and look to see that the documents are approved, dated and version controlled. Most importantly, the plans must describe what you actually do, not what you think the auditor wants to hear.

2. You Can Prove the Process Works

The auditor will ask you to prove how you manage security when something goes wrong. They will ask for at least one real example of a problem. For this example, you will walk the auditor through the steps you took. You must prove that you followed your plan and that the process helped you recover.

3. You Learn from Mistakes

The auditor checks that you record what you learned from past problems. You must show how you used those lessons to make your systems better. This includes updating your plans or taking steps to fix recurring issues.