ISO 27001 Annex A Control 5.29

ISO 27001 control 5.29 Information security during disruption

The basics

ISO 27001 control A.5.29 Information security during disruption requires companies to maintain information security activities at appropriate levels during disruptive events, so that information stays protected even during a critical failure of operations.

Documentation

ISO 27001 control A.5.29 Information security during disruption can be documented:

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.5.29 Information security during disruption you might implement the following:

  • Technology — the technology that enables information security continuity during disruption ranges from redundant assets (e.g., redundant communication links, secondary servers, etc.) to security activities (e.g., recovering firewalls). Companies of all sizes need to plan the continuity of information security based on a risk assessment and on how quickly they need security functions to be recovered.
  • Organization/processes — you should set up a process for planning, maintaining, and recovering your security, as well as for testing the activities defined in your disaster recovery and/or business continuity plans. You can document those processes through a Disaster Recovery Plan, a Business Impact Analysis, or a Business Continuity Strategy.
  • People — make employees aware of why the continuity of security activities during disruption is needed, and train them on how to execute the plans to recover all required systems within the recovery time objectives.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.29 Information security during disruption: whether plans exist to maintain information security activities at appropriate levels during disruptive events.