ISO 27001 Control 5.29: Information Security During Disruption

Maintaining Information Security During Disruptions

Organisations face a myriad of challenges that can disrupt operations, ranging from cyberattacks to natural disasters. Ensuring the security of information during such disruptions is critical to safeguarding business continuity and maintaining stakeholder trust. This article outlines the importance of planning for information security during disruptions and offers actionable guidance for organisations.


Purpose of Information Security During Disruptions

The primary objective of maintaining information security during disruptions is to:

  • Protect information and associated assets even when normal operations are interrupted.

  • Ensure that security controls remain effective or are adapted to the disruption.

  • Support the timely restoration of security and business operations to minimise impact.


Key Considerations for Information Security During Disruptions

1. Integrating Information Security into Business Continuity Plans

Information security requirements should be an integral part of the organisation’s business continuity and ICT continuity management processes. This includes:

  • Conducting a business impact analysis (BIA) to identify critical processes and the information security measures needed to support them.

  • Prioritising the confidentiality, integrity, and availability of information assets during disruptions.

  • Aligning information security goals with the organisation’s broader continuity objectives.


2. Developing and Implementing Plans

Organisations should develop detailed plans to ensure information security during disruptions. These plans should:

  • Include specific controls and tools to support business and ICT continuity.

  • Define compensating controls for situations where standard security measures cannot be maintained.

  • Address the restoration of information security to required levels within defined timeframes.


3. Testing and Reviewing Plans

Plans should not remain static. Regular testing, reviews, and updates are essential to ensure their effectiveness. This includes:

  • Conducting simulation exercises to identify gaps and areas for improvement.

  • Evaluating the performance of security controls during mock disruptions.

  • Incorporating lessons learned from actual incidents and tests into the plans.


Practical Steps for Maintaining Information Security


a) Implement Supporting Controls

Ensure that necessary security controls, systems, and tools are in place to support continuity plans. Examples include:

  • Backup systems to ensure data availability.

  • Redundant networks to maintain connectivity.

  • Incident response tools to manage and mitigate disruptions.


b) Establish Compensating Controls

When standard controls cannot be applied, compensating controls should be implemented to provide temporary protection. For example:

  • Encrypting sensitive data when physical security measures are compromised.

  • Restricting access to critical systems to a minimum number of authorised personnel.


c) Maintain Processes for Security During Disruption

Develop clear processes to ensure existing controls remain functional and effective. This includes:

  • Continuous monitoring of critical systems and networks.

  • Timely updates to access controls based on operational needs.

  • Clear communication protocols for all stakeholders.


Additional Insights


Adapting Security Requirements

Depending on the type and severity of a disruption, information security requirements may need to be adjusted. For example:

  • A cyberattack may require enhanced monitoring and incident response.

  • A natural disaster could necessitate reliance on offsite backups or cloud-based systems.


Leveraging Established Standards

Organisations can refer to internationally recognised standards to guide their continuity planning:

  • ISO 22301 and ISO 22313: Guidelines on business continuity management systems.

  • ISO/TS 22317: Recommendations for conducting a business impact analysis (BIA).


Conclusion

Maintaining information security during disruptions is essential for protecting organisational assets and ensuring resilience. By integrating security measures into business continuity plans, implementing robust controls, and regularly testing their effectiveness, organisations can navigate disruptions while safeguarding their critical information. Proactive planning and adherence to best practices enable organisations to maintain trust, minimise risk, and recover swiftly from unexpected challenges.

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.