Information Security During Disruption - ISO 27001 Annex A Control
ISO 27001 Annex A 5.29
Disruption tests information security - the controls have to hold under pressure.
ISO 27001 Annex A 5.29 - Information Security During Disruption
Information security has a habit of slipping during disruption. When systems are down, when staff are working from unfamiliar locations, when emergency procedures are in play, the temptation to bypass controls "just for now" is real. The control requires that this is not left to chance: the organisation has to plan in advance how information security is maintained at an appropriate level when normal operations are disrupted, rather than deciding on the day.
The plan needs to cover the practical scenarios: loss of the primary location, loss of key systems, loss of suppliers and loss of staff. For each scenario it should state which security controls must remain operational, which can be temporarily relaxed (and if so, who authorises the relaxation, what compensating measures apply and for how long), which become more important than usual, and how the normal position is restored once the disruption ends. A well-prepared plan answers these questions before the disruption hits, not during it.
The control sits alongside business continuity but with an information security focus. Business continuity asks how the business keeps running during disruption. Annex A 5.29 asks how information security is maintained while the business keeps running, which is a different question with a different set of answers.
Disruption is the moment when information security is tested. Anyone can apply controls when everything is running normally. The question is what happens when the office is unreachable, the main systems are down or half the team is unavailable. If the answer is that the team would figure it out as they go, that is a finding. If there is a plan that addresses these scenarios specifically, and evidence that it has been reviewed and exercised, the control is in place.
Practical Compliance Guidance
Information security during disruption is described in the IMS1 manual at section 8.2 alongside business continuity arrangements. The business continuity register holds the planning record.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| F-IMS21 Business Continuity Register | The register of business continuity scenarios and arrangements. Use to document the information security position for each scenario - what controls remain in place, what changes and how the position returns to normal. |
Note - all the above files can be downloaded with an alphaZ subscription.
