GRCWatch
Sign inStart free trial

ISO 27001 Control 5.29: Information Security During Disruption

Disruptions happen—cyberattacks, natural disasters, system failures. ISO 27001 5.29 requires you to plan, document, and test how your organization maintains information security when normal operations are compromised. This control ensures your security posture doesn't collapse when it matters most.

What this means

Control 5.29 mandates that organizations develop and maintain continuity plans specifically designed to preserve information security during disruptions. This goes beyond generic business continuity—it's about ensuring confidentiality, integrity, and availability of data even when systems fail or incidents occur. The control requires both planning and active testing to validate that your continuity measures actually work under stress.

How to comply

  1. 1.Document information security continuity objectives and recovery time/recovery point targets aligned to business criticality
  2. 2.Develop detailed continuity plans covering backup systems, alternate processing sites, data recovery procedures, and communication protocols
  3. 3.Identify critical information assets and define minimum security controls required during disruptions
  4. 4.Establish escalation procedures and incident communication chains for different disruption scenarios
  5. 5.Test continuity plans annually through tabletop exercises, simulations, or full-scale drills involving relevant stakeholders
  6. 6.Document test results, identify gaps, and update plans based on findings and lessons learned
  7. 7.Assign clear roles and responsibilities for continuity plan activation and execution

Evidence auditors look for

  • Business continuity and disaster recovery plans with information security requirements explicitly documented
  • Testing schedule and completed test reports showing annual continuity plan validation
  • Recovery procedures for critical data (backup restoration, encrypted recovery keys, alternate access methods)
  • Alternate processing site agreements or cloud failover configurations with security specifications
  • Incident communication templates and escalation matrices
  • Risk assessments identifying information assets critical to continuity
  • Minutes from continuity plan reviews and updates post-testing

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates continuity plan documentation, tracks annual testing schedules, stores test evidence in a centralized audit repository, and flags when updates are overdue—eliminating spreadsheet chaos and ensuring your disruption plans stay current and auditable.

See how GRCWatch handles this control automatically

Start free trial