AuditFront

ISO 27001 A.5.29: Information security during disruption

What This Control Requires

The organization shall plan how to maintain information security at an appropriate level during disruption.

In Plain Language

When things go wrong - a natural disaster, a major cyberattack, a pandemic forcing everyone remote overnight - there is enormous pressure to just get things working again. Security controls get bypassed because someone needs access now. And that is exactly when attackers strike, because they know your guard is down.

This control is about planning in advance how you will maintain security during disruptions. Which controls are absolutely non-negotiable even in a crisis? Which ones can be temporarily relaxed if you put compensating measures in place? How do you get back to normal security levels once the disruption is over?

Different scenarios affect security differently. A pandemic changes your physical security model, but data protection still applies. A disaster recovery scenario might need temporary access relaxations, but logging and monitoring become even more important. You need to think through these scenarios before you are living them.

How to Implement

Integrate security requirements into your business continuity and disaster recovery planning. The BCP should explicitly address how security controls will be maintained or adapted during each type of disruption.

Run a security impact analysis for each major disruption scenario in your continuity plan. For each one, identify which controls are affected, which must be maintained no matter what, which can be temporarily reduced with compensating measures, and what new security risks the disruption itself creates. Document the minimum acceptable security posture for each scenario.

Write security procedures for common disruption types:

  • Pandemic or mass remote working: make sure VPN and remote access controls can scale, verify endpoint security on home devices, keep authentication and access control standards in place.
  • Disaster recovery: maintain access controls even in emergency mode, protect backup data, verify recovered systems are securely configured.
  • Cyber incidents: keep security tight on unaffected systems while you deal with the compromised ones.

Create a formal process for temporarily modifying security controls during disruptions. Any relaxation needs management authorisation, documentation of the justification and compensating measures, a defined expiry date, and monitoring for abuse. Log every temporary modification.

Include security restoration in your recovery process. After a disruption, systematically restore all controls to normal. Verify every temporary modification has been reversed. Run a security review to check for compromises that may have slipped through during the disruption. Test restored controls to confirm they are working properly.
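The formal process for temporary modifications and the restoration check described above can be enforced with a small exception register rather than left to memory. The following is an added example, not code from the page or from AuditFront; the field names, the set of non-negotiable controls, the 14-day maximum lifetime and the sample disaster-recovery entries are all assumptions chosen to illustrate the steps the text names (authorisation, justification, compensating measures, expiry, logging, and verification that everything was reversed).

```python
"""Register for temporary security-control relaxations during a disruption.

Added example, not from the page: field names, MAX_LIFETIME, NON_NEGOTIABLE and
the sample entries in demo() are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Controls that may never be relaxed, whatever the scenario (illustrative set).
NON_NEGOTIABLE = frozenset({"authentication", "encryption", "logging"})
# Longest a relaxation may run before it must be re-authorised (assumed value).
MAX_LIFETIME = timedelta(days=14)


@dataclass
class Relaxation:
    ident: int
    control: str
    scenario: str
    justification: str
    compensating_measures: tuple[str, ...]
    authorised_by: str
    granted_at: datetime
    expires_at: datetime
    reverted_at: Optional[datetime] = None


@dataclass
class Register:
    entries: list[Relaxation] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)  # one line per modification

    def _log(self, when: datetime, message: str) -> None:
        self.audit_log.append(f"{when.isoformat()} {message}")

    def request(self, *, control: str, scenario: str, justification: str,
                compensating_measures: list[str], authorised_by: str,
                now: datetime, expires_at: datetime) -> Relaxation:
        """Admit a relaxation only when every requirement of the process is met."""
        if control in NON_NEGOTIABLE:
            raise ValueError(f"{control} is non-negotiable and cannot be relaxed")
        if not justification.strip():
            raise ValueError("a documented justification is required")
        if not compensating_measures:
            raise ValueError("at least one compensating measure is required")
        if not authorised_by.strip():
            raise ValueError("management authorisation is required")
        if not now < expires_at <= now + MAX_LIFETIME:
            raise ValueError("expiry must be in the future and within MAX_LIFETIME")
        entry = Relaxation(len(self.entries) + 1, control, scenario, justification,
                           tuple(compensating_measures), authorised_by, now, expires_at)
        self.entries.append(entry)
        self._log(now, f"RELAX #{entry.ident} {control} ({scenario}) by {authorised_by} "
                       f"until {expires_at.isoformat()}; compensating={list(compensating_measures)}")
        return entry

    def revert(self, ident: int, now: datetime) -> None:
        """Record that the control has been restored to its normal setting."""
        entry = self.entries[ident - 1]
        entry.reverted_at = now
        self._log(now, f"RESTORE #{ident} {entry.control}")

    def overdue(self, now: datetime) -> list[Relaxation]:
        """Relaxations past expiry that nobody reverted: the forgotten or abused ones."""
        return [e for e in self.entries if e.reverted_at is None and e.expires_at <= now]

    def restoration_check(self, now: datetime) -> dict[str, list[int]]:
        """Post-disruption verification that every temporary change was reversed."""
        return {
            "reverted": [e.ident for e in self.entries if e.reverted_at is not None],
            "still_open": [e.ident for e in self.entries
                           if e.reverted_at is None and e.expires_at > now],
            "overdue": [e.ident for e in self.overdue(now)],
        }


def demo() -> dict[str, list[int]]:
    """Constructed walk-through of a disaster-recovery failover."""
    t0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    reg = Register()
    reg.request(control="change_approval", scenario="DR failover",
                justification="CAB unavailable; rebuild must start now",
                compensating_measures=["two-person rule on every change", "full change log kept"],
                authorised_by="CISO", now=t0, expires_at=t0 + timedelta(days=3))
    reg.request(control="network_segmentation", scenario="DR failover",
                justification="DR site lacks production VLANs",
                compensating_measures=["host firewalls tightened", "extra IDS sensor on DR segment"],
                authorised_by="CISO", now=t0, expires_at=t0 + timedelta(days=7))
    try:  # logging is non-negotiable, so this request is refused and never recorded
        reg.request(control="logging", scenario="DR failover", justification="disk space",
                    compensating_measures=["none"], authorised_by="CISO",
                    now=t0, expires_at=t0 + timedelta(days=1))
    except ValueError:
        pass
    reg.revert(1, t0 + timedelta(days=2))
    # Day 10: recovery declared over; #2 expired on day 7 and was never reverted.
    return reg.restoration_check(t0 + timedelta(days=10))
```

The restoration check is the part auditors ask for evidence of: an entry that is past its expiry and still open is exactly the "temporary modification not reversed after recovery" mistake listed below, and the audit log gives the record of security maintenance during the disruption.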

Evidence Your Auditor Will Request

  • Business continuity plan sections addressing information security during disruption
  • Security impact analysis for major disruption scenarios
  • Procedures for temporarily modifying security controls with authorization requirements
  • Records of security maintenance during actual disruptions
  • Post-disruption security review and restoration records

Common Mistakes

  • Business continuity plans do not address information security maintenance during disruption
  • Security controls are bypassed during disruptions without authorization or documentation
  • No analysis of how different disruption scenarios affect security controls
  • Temporary security modifications made during disruptions are not reversed after recovery
  • Security is not included in disaster recovery testing scenarios

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC7.5          Partial overlap
SOC 2       A1.2           Related
NIS2        Art.21(2)(c)   Related

Frequently Asked Questions

How do we balance security with operational recovery during a disruption?

Pre-planning is the answer. Decide in advance which controls are non-negotiable (authentication, encryption, logging) and which can be temporarily dialled back with compensating measures. This way you are making informed risk-based decisions in advance, not panicked ad hoc calls under pressure. Any relaxation should be formally authorised, documented, time-limited, and watched closely. The worst outcome is blanket "turn everything off so we can get back online" - that is how you end up with a second incident on top of the first.

Should security be included in business continuity exercises?

Without question. If your BC exercise does not test whether security holds up during the disruption scenario, you are only testing half the picture. Include scenarios that verify access controls work in your DR environment, that security monitoring continues during failover, that remote working controls can handle the load, and that your team can respond to a security incident while simultaneously managing a broader disruption. These compound scenarios are closer to reality than testing either one in isolation.
