ISO 27001:2022 Annex A Control 5.29: Information Security During Disruption
Annex A control 5.29 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 17.1.1, Annex A 17.1.2 and Annex A 17.1.3.
In an effort to protect information and preserve company assets, control 5.29 advises operational adjustments for organisations to put in practice when facing disruption. Organisations must identify information security requirements to ensure business continuity in the face of disruptions.
Annex 5.29 addresses the security processes and procedures activated when a critical event or business disruption takes place.
Understanding control 5.29
Information security must be a key factor in business continuity management planning, and control 5.29 describes how organisations should create plans to maintain information security and restore it should any interruptions or system failures lead to a breach.
Returning security levels to those of pre-incident is key to preventing further damage. Control 5.29 outlines key steps for organisations to take, including:
- Develop and maintain general information security measures as part of the organisation’s overall continuity plans, including ICT frameworks and corporate systems.
- Put procedures in place to uphold information security measures during any disruption.
- Apply substitute controls where applicable to any information security attempts that cannot be sustained during an incident.
Continuity planning varies greatly, and so Annex 5.29 grants organisations the permission to apply tailored information security controls to various business interruptions. When designing a business continuity plan, organisations should pay particular attention to two areas: the divulgence of confidential information, and the accuracy, reliability and integrity of information.
What has changed since 2013?
ISO 27001:2013 includes three Annex A controls which act as precursors to the 2022 version of the standard. These are 17.1.1 (planning information security continuity), 17.1.2 (implementing information security continuity), and 17.1.3 (verify, review, and evaluate information security continuity.)
ISO have simplified their guidance to account for the complexities of business continuity plans, giving businesses greater agency in their responses. Control 5.29 does not mention incident response teams specifically, but trusts organisations to consider them when following guidance notes.
Ready to Take Control of Your Privacy Compliance?
See how Hicomply can accelerate your path to CAF compliance in a 15-minute demo.