top of page

ISO27001:2022 - A5.29 Information security during disruption

When an incident occurs, the way you operate will likely need to change. This is where your contingency processes are utilised, which help you to continue to operate affectively.  But are you thinking about information security during a disruption?


This control requires you to do just that.  It is a control which will need to be considered, and evidenced in several places, which is why you should also ensure you review the following related controls to ensure you’re dealing effectively with A5.29.


·        A5.28 - Collection of evidence.

·        A5.30 - ICT Readiness for Business Continuity.


What does the standard require?

The standard states that “The organisation shall plan how to maintain information security at an appropriate level during disruption.” (A5.29 – Information security during disruption).


Note here that it talks about ‘appropriate levels’ so we need to understand what these levels are.



Why is this required?

When there is a disruption which affects your business, your contingency plans will most likely change the way you process data. During the Pandemic, offices and businesses were forced to work from home as ‘lock down’ prevented us from operating from our normal place of operation.


We heard of some organisations who hadn’t planned for such an event, and they were forced to use old equipment, or hurridly buy hardware for their staff to work from home. Some businesses purchased software which was for ‘home use only’, and therefore breached licence agreements, and others used equipment with no malware protection.


Clearly, information security during a disruption at any level wasn’t in place here!


When a disruption occurs, you are automatically in a vulnerable position and can lead to vulnerabilities within your business and therefore could lead to further disruption or incidents because security hasn’t been considered.


What the auditor is looking for

The auditor will want to review your Incident Response and Business Continuity Plans and see that any contingency plans have considered information security.  Although this might not be explicitly stated, the auditor should be skilled enough to see that your contingency actions will not introduce new vulnerabilities, or lead to a breach of security.


For example, if your contingency plan for a physical outage is to use the free WIFI available at the local coffee shop, then this may not be seen to be a secure way of working and could lead to a further incident.

The auditor will also expect to see consideration for information security during an event, within your supplier agreements.  This may include details on escalation and communication during an event, so that the disruption can be handled effectively.


What do you need to do?

If you haven’t done so already, you need to document your Incident Response and Business Continuity Plans and ensure any contingency actions do not introduce new risks or introduce vulnerabilities to your business.


Don’t be too rigid here. The way security works or the tools you use can adapt, when faced with a disruptive event. What the control is asking for, is that you plan on how you will maintain security. Don’t be afraid to adapt.


We would also advise that you review critical supplier agreements to understand what they say about contingency plans, and what they will do in the event of a disruption. You may need them to change their plans or identify (and accept) that a risk will arise because of a contingency action.



Q & A

How can we evidence this in our plans?

This needs to be evidenced through the contingency actions you’ve selected. It should be clear what you will do given a certain situation, and this will be evident you (and the auditor) if contingency arrangements have not considered information security.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This control requires no technical skills.  You simply need to review your Incident Response and Business Continuity Plans, and supplier agreements to ensure any contingency arrangements do no introduce vulnerabilities to your business.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.



1 view0 comments


bottom of page