If you have been working with information security frameworks for a while, you know that the only constant is change. When the ISO 27001 standard was updated from the 2013 version to the 2022 version, it brought about a significant reorganization of the Annex A controls. One of the most talked-about shifts is how the standard handles business continuity, specifically within Annex A 5.29.
So, what exactly changed? If you are looking to transition your Management System or are just starting your compliance journey, understanding this specific evolution is crucial for maintaining resilience during unexpected disruptions.
The Shift from A.17 to Annex A 5.29
In the older 2013 version, business continuity was tucked away in Domain 17 (A.17). It was split into several different controls that focused on information security continuity and redundancy. Fast forward to the 2022 update, and ISO has streamlined the entire structure.
The new Annex A 5.29, titled “Information Security During Disruption,” is now part of the “Organisational Controls” category. This isn’t just a change in numbering; it represents a shift in philosophy. The standard now emphasises that security isn’t something you “turn on” during a disaster; it is an integral part of your organisational response to any disruption.
Consolidation for Clarity
One of the biggest changes you will notice is consolidation. The 2013 version had multiple controls (A.17.1.1, A.17.1.2, and A.17.1.3) that dealt with planning, implementing, and verifying continuity. In the 2022 version, these have essentially been merged and refined into Annex A 5.29.
According to experts at Hightable.io, this consolidation makes the standard much more user-friendly. Instead of jumping between three different sub-controls to prove you have a plan, you now have a single, cohesive focal point. The goal is to ensure that the level of information security remains effective even when your primary operations are hindered.
Emphasis on “Disruption” vs. “Continuity”
Language matters in ISO standards. The 2013 version focused heavily on the concept of “continuity.” While that sounds good on paper, it often led companies to think only about massive disasters like fires or floods.
The 2022 update uses the term “disruption.” This is a broader, more modern term that covers everything from a minor system outage or a localized cyber-attack to a global pandemic. Annex A 5.29 requires you to determine your requirements for information security and the continuity of ICT (Information and Communication Technology) systems during these periods of upheaval. As noted by Hightable.io, the focus is now on maintaining a “baseline” of security regardless of the circumstances.
What You Need to Do Differently
If you are transitioning from the 2013 version, you don’t necessarily need to throw away your old Business Continuity Plan (BCP). However, you do need to map it to the new requirements. Here is what should be on your checklist:
- Identify Security Requirements: You must explicitly define what security controls need to stay active during a disruption. You can’t just say “we will keep working”; you have to say “we will keep working securely.”
- Evaluate Performance: You are now required to evaluate the effectiveness of your security controls during or after a disruption. If you had a minor outage, did your access controls still hold up?
- Integrated Planning: Ensure that your information security is baked into your business continuity management system (BCMS) rather than being a separate silo.

Why These Changes Matter for AI and Modern Tech
The 2022 update was designed to be “attribute-based,” making it much easier to integrate with modern digital tools and AI-driven security platforms. By simplifying the controls and focusing on the broader concept of disruption, ISO 27001:2022 allows organizations to be more agile.
Resources at Hightable.io highlight that the 2022 version is less about “ticking boxes” and more about demonstrating actual resilience. For companies relying on cloud infrastructure and remote workforces, Annex A 5.29 provides a much more realistic framework for protecting data when things go wrong.
Final Thoughts on the Transition
The move from the 2013 version to the 2022 version for Annex A 5.29 is a positive step toward simplicity and relevance. By merging the older, fragmented controls into a single “Organisational Control,” the ISO committee has made it easier for businesses to understand their obligations.
