All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Information security during disruption

Annex A control 5.29 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 17.1.1, Annex A 17.1.2, and Annex A 17.1.3.

In an effort to protect information and preserve company assets, control 5.29 advises operational adjustments for organisations to put in practice when facing disruption. Organisations must identify information security requirements to ensure business continuity in the face of disruptions.

Annex 5.29 addresses the security processes and procedures activated when a critical event or business disruption takes place.

Understanding control 5.29

Information security must be a key factor in business continuity management planning, and control 5.29 describes how organisations should create plans to maintain information security and restore it should any interruptions or system failures lead to a breach.

Returning security levels to those of pre-incident is key to preventing further damage. Control 5.29 outlines key steps for organisations to take, including:

  1. Develop and maintain general information security measures as part of the organisation’s overall continuity plans, including ICT frameworks and corporate systems.
  2. Put procedures in place to uphold information security measures during any disruption.
  3. Apply substitute controls where applicable to any information security attempts that cannot be sustained during an incident.

Continuity planning varies greatly, and so Annex 5.29 grants organisations the permission to apply tailored information security controls to various business interruptions. When designing a business continuity plan, organisations should pay particular attention to two areas: the divulgence of confidential information, and the accuracy, reliability and integrity of information.

What has changed since 2013?

ISO 27001:2013 includes three Annex A controls which act as precursors to the 2022 version of the standard. These are 17.1.1 (planning information security continuity), 17.1.2 (implementing information security continuity), and 17.1.3 (verify, review, and evaluate information security continuity.)

ISO have simplified their guidance to account for the complexities of business continuity plans, giving businesses greater agency in their responses. Control 5.29 does not mention incident response teams specifically, but trusts organisations to consider them when following guidance notes.