ISO 27001 Annex A 5.29 Information Security During Disruption

What is ISO 27001 Annex A 5.29 Information Security During Disruption?

ISO 27001 Annex A 5.29 is a control requiring the preservation of security during business interruptions. It mandates documented processes to maintain data confidentiality, integrity, and availability. Organisations must embed these procedures within internal tools like SharePoint and Jira. This ensures security remains a priority during crisis management.

Auditor’s Eye: The Shortcut Trap

Many firms rely on automated SaaS compliance platforms to manage continuity “readiness.” These tools often present a misleading green light based on simple document uploads. Auditors prefer seeing active procedures within your native document repositories. We look for evidence of internal ownership through SharePoint version history and Jira task assignments. If your security during disruption relies on a “Black Box” platform, your management system is decoupled. This often results in a non-conformity when staff cannot execute plans without the platform’s guidance.

2013 Control Reference: A.17.1.1, A.17.1.2, A.17.1.3
2022 Control Reference: 5.29 Information security during disruption
Key Changes and Requirements: Merged three 2013 controls into one. Focuses on the continuity of the security controls themselves during a crisis.

How to Implement ISO 27001 Annex A 5.29 (Step-by-Step)

Implementation requires integrating security requirements into your existing business continuity plans. Start by defining the minimum security baseline needed when normal operations fail. Frame this as a cultural shift within your technical teams. Use internal wikis to make these playbooks accessible to everyone.

  • Conduct a BIA: Use SharePoint to document your Business Impact Analysis. Identify which security controls are critical.
  • Draft Playbooks: Create step-by-step recovery playbooks in Confluence. Focus on manual steps that IT staff must take.
  • Set up Emergency Workflows: Configure Jira for “Emergency Change” tickets. This ensures change oversight is retained even during rapid recovery.
  • Run Desktop Exercises: Test your plans annually. Record the output and attendance in internal meeting minutes.
  • Review and Improve: Use SharePoint versioning to update plans after every test. This proves continuous improvement to auditors.

ISO 27001 Annex A 5.29 Audit Evidence Checklist

  • Internal BIA reports identifying critical information assets and recovery targets.
  • Continuity plans stored in SharePoint with evidence of management approval.
  • Jira logs showing historical emergency access requests and approvals.
  • Minutes from disaster recovery rehearsals documenting successes and failures.
  • Staff training logs for those assigned specific roles during a disruption.

Relational Mapping

  • Clause 8.1: Operational planning and control.
  • Annex A 5.30: ICT readiness for business continuity.
  • Annex A 8.13: Information backup.

Auditor Interview

Auditor: How do you ensure security is not bypassed during a system failure?

Manager: Our emergency playbooks in Confluence include mandatory security checkpoints. These are verified during our annual testing.

Auditor: Can you show me the results of your last continuity test?

Manager: Certainly. Here are the meeting minutes and the updated SharePoint documents following our 2025 rehearsal.

Common Non-Conformities

  • Automated Complacency
    Auditor Observation: Management relies on a SaaS dashboard tick. No internal procedural knowledge exists.
    Remediation: Relocate playbooks to internal SharePoint. Conduct staff drills using these documents.
  • Outdated Plans
    Auditor Observation: Continuity plans have not been reviewed in two years.
    Remediation: Implement a formal review cycle using SharePoint document reminders.
  • Untested Controls
    Auditor Observation: Organisation has recovery plans but no record of testing them.
    Remediation: Schedule a desktop exercise. Document the outcome in internal minutes.

Frequently Asked Questions

What is the main requirement of ISO 27001 Annex A 5.29?

The main requirement is that security controls must remain operational during a disruption. You must plan for how to keep data safe when usual systems are down. This involves documenting specific procedures in your internal document management system. Auditors want to see that you have considered security, not just availability.

How does 5.29 relate to disaster recovery (DR)?

Disaster recovery is the technical execution of restoring systems. Annex A 5.29 is the governance layer that ensures security is maintained during DR. For example, if you move to a backup site, the access controls must still work. Documentation for this should be stored in your internal Confluence or SharePoint.

Can we use a SaaS tool for business continuity management?

You can use tools for tracking, but the knowledge must reside internally. Relying on a third-party platform’s “readiness” score is a common audit failure. Auditors prefer to see that your team can function using native tools like SharePoint or Jira. This demonstrates true resilience and internal ownership of the process.

LA CASA DE CERTIFICACIÓN