ISO 27001 Control 5.29: Information Security During Disruption

Learn how ISO 27001 Control 5.29: Information Security During Disruption should be implemented with my guide

Maintaining Information Security During Disruptions


Organisations face a myriad of challenges that can disrupt operations, ranging from cyberattacks to natural disasters. Ensuring the security of information during such disruptions is critical to safeguarding business continuity and maintaining stakeholder trust.

This article explains what ISO 27001 control 5.29 requires, why planning for information security during disruptions matters, and offers actionable guidance for organisations.



Purpose of Information Security During Disruptions

The primary objective of maintaining information security during disruptions is to:

  • Protect information and associated assets even when normal operations are interrupted.
  • Ensure that security controls remain effective or are adapted to the disruption.
  • Support the timely restoration of security and business operations to minimise impact.

Key Considerations for Information Security During Disruptions

1. Integrating Information Security into Business Continuity Plans

Information security requirements should be an integral part of the organisation’s business continuity and ICT continuity management processes. This includes:

  • Conducting a business impact analysis (BIA) to identify critical processes and the information security measures needed to support them.
  • Prioritising the confidentiality, integrity, and availability of information assets during disruptions.
  • Aligning information security goals with the organisation’s broader continuity objectives.

2. Developing and Implementing Plans

Organisations should develop detailed plans to ensure information security during disruptions. These plans should:

  • Include specific controls and tools to support business and ICT continuity.
  • Define compensating controls for situations where standard security measures cannot be maintained.
  • Address the restoration of information security to required levels within defined timeframes.

3. Testing and Reviewing Plans

Plans should not remain static. Regular testing, reviews, and updates are essential to ensure their effectiveness. This includes:

  • Conducting simulation exercises to identify gaps and areas for improvement.
  • Evaluating the performance of security controls during mock disruptions.
  • Incorporating lessons learned from actual incidents and tests into the plans.

Practical Steps for Maintaining Information Security

a) Implement Supporting Controls

Ensure that necessary security controls, systems, and tools are in place to support continuity plans. Examples include:

  • Backup systems to ensure data availability, including offline or immutable copies that a ransomware attack on the primary environment cannot reach, with restores tested regularly.
  • Redundant networks to maintain connectivity.
  • Incident response tools to manage and mitigate disruptions.

b) Establish Compensating Controls

When standard controls cannot be applied, compensating controls should be implemented to provide temporary protection. For example:

  • Encrypting sensitive data when physical security measures are compromised.
  • Restricting access to critical systems to a minimum number of authorised personnel.

c) Maintain Processes for Security During Disruption

Develop clear processes to ensure existing controls remain functional and effective. This includes:

  • Continuous monitoring of critical systems and networks.
  • Timely updates to access controls based on operational needs, with any emergency or break-glass access logged, reviewed and revoked once normal operations resume.
  • Clear communication protocols for all stakeholders.
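As an added example, not code from the article or its author, the following Python script shows one way to exercise the plan described under "Developing and Implementing Plans", "Testing and Reviewing Plans" and the practical steps above during a tabletop exercise. It takes a constructed, hypothetical BIA-style inventory of critical processes, the security controls each depends on and the agreed compensating controls, and for a given disruption scenario reports which controls are lost with no usable fallback, which are merely degraded, and where the expected outage exceeds the timeframe within which security must be restored. All process names, control names and timeframes are assumptions made for illustration.

```python
"""Control-continuity check for a disruption scenario.

Added example, not from the article: evaluates whether the security
controls that critical processes depend on survive a disruption, which
fallbacks apply, and whether the expected outage exceeds the time within
which each control must be restored. All names and figures below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    protects: frozenset        # which of C, I, A the control supports
    restore_within_h: int      # hours within which the control must be back
    compensating: tuple = ()   # fallback controls acceptable while it is down


@dataclass(frozen=True)
class Process:
    name: str
    priority: int              # 1 = most critical, as ranked by the BIA
    controls: tuple


# Hypothetical BIA output: two processes and the controls they rely on.
INVENTORY = (
    Process("Customer payments", 1, (
        Control("central SSO with MFA", frozenset("CI"), 4,
                ("break-glass local accounts with hardware tokens",)),
        Control("SIEM alerting", frozenset("IA"), 8,
                ("endpoint agents buffering logs locally",)),
        Control("database encryption at rest", frozenset("C"), 2),
    )),
    Process("Internal wiki", 3, (
        Control("central SSO with MFA", frozenset("CI"), 24,
                ("read-only static export behind VPN",)),
    )),
)


def assess(processes, unavailable, outage_hours):
    """Return one finding per lost control, most critical process first.

    unavailable:  names of controls the scenario takes offline (a fallback
                  listed here is treated as unusable too).
    outage_hours: how long the plan expects them to stay offline.
    """
    findings = []
    for proc in sorted(processes, key=lambda p: p.priority):
        for ctl in proc.controls:
            if ctl.name not in unavailable:
                continue
            usable = [f for f in ctl.compensating if f not in unavailable]
            findings.append({
                "process": proc.name,
                "control": ctl.name,
                "properties_at_risk": "".join(sorted(ctl.protects)),
                "status": "degraded" if usable else "gap",
                "compensating": usable,
                "deadline_breached": outage_hours > ctl.restore_within_h,
            })
    return findings


def summarise(findings):
    """Counts a tabletop exercise would record as its outcome."""
    return {
        "gaps": sum(f["status"] == "gap" for f in findings),
        "degraded": sum(f["status"] == "degraded" for f in findings),
        "deadline_breaches": sum(f["deadline_breached"] for f in findings),
    }


def report(title, findings):
    print(f"== {title}")
    for f in findings:
        fallback = ", ".join(f["compensating"]) or "no usable fallback"
        late = "  ** restoration deadline breached" if f["deadline_breached"] else ""
        print(f"[{f['status']:8}] {f['process']}: {f['control']} "
              f"({f['properties_at_risk']}) -> {fallback}{late}")
    print(summarise(findings))


if __name__ == "__main__":
    # Scenario 1 (constructed): identity provider and SIEM down for 12 hours.
    down = {"central SSO with MFA", "SIEM alerting"}
    report("IdP and SIEM outage, 12h", assess(INVENTORY, down, 12))
    # Scenario 2 (constructed): the break-glass accounts were never tested
    # and turn out to depend on the same provider, so they are down as well.
    down2 = down | {"break-glass local accounts with hardware tokens"}
    report("same outage, break-glass also unavailable, 3h",
           assess(INVENTORY, down2, 3))
```

The second scenario is the point of running such a check in an exercise rather than on paper: a compensating control that shares a dependency with the control it replaces (here, break-glass accounts that turn out to need the same identity provider) is reported as a gap, not a degraded state, and a short outage can still leave the most critical process without its access control. Findings of that kind are what the plan review should feed back into the inventory.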

Additional Insights

Adapting Security Requirements

Depending on the type and severity of a disruption, information security requirements may need to be adjusted. For example:

  • A cyberattack may require enhanced monitoring and incident response.
  • A natural disaster could necessitate reliance on offsite backups or cloud-based systems.

Leveraging Established Standards

Organisations can refer to internationally recognised standards to guide their continuity planning:

  • ISO 22301: requirements for a business continuity management system; ISO 22313: guidance on applying ISO 22301.
  • ISO/TS 22317: guidelines for conducting a business impact analysis (BIA).

FAQs

What is the objective of Control 5.29: Information Security During Disruption?

This control ensures that information security is maintained during adverse events, such as cyberattacks, natural disasters, system failures, or other business disruptions. The aim is to preserve confidentiality, integrity, and availability of information, even under abnormal or degraded conditions.

How is this control different from general business continuity planning?

While business continuity planning ensures operations can continue or recover, Control 5.29 specifically focuses on protecting information assets during disruptions. It ensures security controls (e.g. access restrictions, monitoring, encryption) continue to function—or are adapted appropriately—during a crisis or continuity scenario.

What should be included in a disruption response plan to meet this control?

A disruption response plan should:
– Define security roles and responsibilities during incidents
– Ensure secure access to backup and recovery environments
– Include procedures for handling sensitive data in manual or fallback processes
– Address how to maintain security if primary systems are unavailable
– Be tested under realistic scenarios that reflect information security risks

What are examples of security risks that can increase during disruption?

Disruptions often reduce oversight and control, increasing risks such as:
– Bypassing of security controls under pressure
– Unencrypted fallback systems or emergency communications
– Unauthorised access during chaotic periods
– Insider threats or social engineering during recovery efforts

Who is responsible for maintaining security during a disruption?

Responsibility should be clearly assigned within the incident or continuity response structure—typically involving the incident response team, IT security staff, system owners, and continuity leads. Coordination is key to ensure that security decisions are made quickly but do not compromise core protection principles.


Conclusion

Maintaining information security during disruptions is essential for protecting organisational assets and ensuring resilience. By integrating security measures into business continuity plans, implementing robust controls, and regularly testing their effectiveness, organisations can navigate disruptions while safeguarding their critical information. Proactive planning and adherence to best practices enable organisations to maintain trust, minimise risk, and recover swiftly from unexpected challenges.


Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).
