Maintain information security during disruptions
Plan to keep information secure even when normal operations are interrupted.
🏛️ Framework: ISO/IEC 27001:2022
🧭 Control effect: Preventative
🧱 ISO 27001 domain: Organisational controls
🔐 Classifications: N/A
🗓️ Official last update: 24 Oct 2022
✏️ Control Stack last updated: 19 Mar 2026
🎯 Maturity levels: N/A
The organization shall plan how to maintain information security at an appropriate level during disruption.
Source: ISO/IEC 27001:2022
Plain language
Imagine your business hits a snag, like a power outage or a cyber attack. This control is about making sure your important information stays safe and sound during such disruptions. If you don't plan for these hiccups, you could lose data or leak confidential information, which can harm your reputation and cost you money.
Why it matters
During disruptions, weakened controls and ad‑hoc workarounds can expose data, enable unauthorised access, and cause compliance and reputational damage.
Operational notes
Regularly test disruption scenarios (DR, outages) to ensure access controls, backups, logging, and secure comms remain effective; brief staff on secure workarounds.
Implementation tips
- The IT manager should develop a business continuity plan that includes information security measures. Identify critical data and systems, and decide how you'll protect them if there's a disruption. Use ISO 27002:2022 as a guide, and consider regulations like the Australian Privacy Act for requirements on protecting personal data.
- The HR department should train all staff on what to do during disruptions to ensure they understand how to keep information secure. Conduct training sessions that focus on quick responses to threats and practical steps to take, ensuring compliance with your plan.
- The Board should review and approve the business continuity plan, ensuring it aligns with organisational priorities. Regularly evaluate the plan’s effectiveness during simulated disruptions and update it based on these tests.
- The IT team should set up compensating security controls for systems that are vulnerable during outages or cyber incidents. This might involve backup systems or isolation techniques to ensure data remains intact and secure throughout any problems.
- The COO should ensure regular testing of continuity procedures to confirm that they work as expected in real-life scenarios. Use lessons learned from these tests to refine and improve procedures, maintaining an up-to-date status in alignment with ISO 27001 and ISO 22301 guidelines.
Audit / evidence tips
- Ask: Request the business continuity plan, including information security strategies.
  Good: The plan is comprehensive, covers all critical data, and has been approved by senior management, with regular updates and reviews documented.
- Ask: Ask for records of staff training sessions related to information security during disruptions.
  Good: Training records show that all relevant staff have attended sessions specific to their role and that the information is up to date.
- Ask: Request evidence of testing the business continuity plan.
  Good: Documentation shows regular, realistic tests of continuity measures, with action points addressed in follow-up reviews.
- Ask: Ask for logs or reports showing compensating controls during recent disruptions.
  Good: Reports indicate clear usage of backup systems or other controls that effectively maintained data security during actual or simulated disruptions.
- Ask: Request the minutes from Board meetings where the continuity plan was reviewed.
  Good: Minutes reflect a proactive approach by the Board to review, discuss, and authorise updates to the business continuity plan based on current risks.
Cross-framework mappings
How Annex A 5.29 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | ||
| E8-MF-ML2.12 | Annex A 5.29 requires planning to maintain information security during disruptions | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | ||
| ISM-0043 | Annex A 5.29 requires planning to maintain information security at an appropriate level during disruption | |
| ISM-0576 | Annex A 5.29 requires the organisation to plan for maintaining information security during disruptions | |
| ISM-0734 | Annex A 5.29 requires the organisation to plan how to maintain information security at an appropriate level during disruptions | |
| Supports (3) | ||
| ISM-0570 | ISM-0570 requires that backup or alternative email gateways are maintained to the same standard as the primary email gateway to avoid sec... | |
| ISM-1123 | ISM-1123 requires UPS-backed power delivery for TOP SECRET IT equipment to improve resilience to power outages and maintain availability | |
| ISM-2006 | Annex A 5.29 requires the organisation to plan for maintaining information security at an appropriate level during disruptions | |