Maintain information security during disruptions
Plan to keep information secure even when normal operations are interrupted.
Plain language
Imagine your business hits a snag, like a power outage or a cyber attack. This control is about making sure your important information stays safe and sound during such disruptions. If you don't plan for these hiccups, you could lose data or leak confidential information, which can harm your reputation and cost you money.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Organisational controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
The organization shall plan how to maintain information security at an appropriate level during disruption.
Why it matters
During disruptions, weakened controls and ad‑hoc workarounds can expose data, enable unauthorised access, and cause compliance and reputational damage.
Operational notes
Regularly test disruption scenarios (DR, outages) to ensure access controls, backups, logging, and secure comms remain effective; brief staff on secure workarounds.
Implementation tips
- The IT manager should develop a business continuity plan that includes information security measures. Identify critical data and systems, and decide how you'll protect them if there's a disruption. Use ISO 27002:2022 as a guide, and consider regulations like the Australian Privacy Act for requirements on protecting personal data.
- The HR department should train all staff on what to do during disruptions to ensure they understand how to keep information secure. Conduct training sessions that focus on quick responses to threats and practical steps to take, ensuring compliance with your plan.
- The Board should review and approve the business continuity plan, ensuring it aligns with organisational priorities. Regularly evaluate the plan’s effectiveness during simulated disruptions and update it based on these tests.
- The IT team should set up compensating security controls for systems that are vulnerable during outages or cyber incidents. This might involve backup systems or isolation techniques to ensure data remains intact and secure throughout any problems.
- The COO should ensure regular testing of continuity procedures to confirm that they work as expected in real-life scenarios. Use lessons learned from these tests to refine and improve procedures, maintaining an up-to-date status in alignment with ISO 27001 and ISO 22301 guidelines.
Audit / evidence tips
- Ask: Request the business continuity plan, including information security strategies.
  Good: The plan is comprehensive, covers all critical data, and has been approved by senior management, with regular updates and reviews documented.
- Ask: Ask for records of staff training sessions related to information security during disruptions.
  Good: Training records show that all relevant staff have attended sessions specific to their role and the information is up to date.
- Ask: Request evidence of testing the business continuity plan.
  Good: Documentation shows regular, realistic tests of continuity measures, with action points addressed in follow-up reviews.
- Ask: Ask for logs or reports showing compensating controls during recent disruptions.
  Good: Reports indicate clear use of backup systems or other controls that effectively maintained data security during actual or simulated disruptions.
- Ask: Request the minutes from Board meetings where the continuity plan was reviewed.
  Good: Minutes reflect a proactive approach by the Board to review, discuss, and authorise updates to the business continuity plan based on current risks.
Cross-framework mappings
How Annex A 5.29 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
Essential Eight (E8)
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-MF-ML2.12 | Annex A 5.29 requires planning to maintain information security during disruptions | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| ISM-0043 | Annex A 5.29 requires planning to maintain information security at an appropriate level during disruption | |
| ISM-0576 | Annex A 5.29 requires the organisation to plan for maintaining information security during disruptions | |
| ISM-0734 | Annex A 5.29 requires the organisation to plan how to maintain information security at an appropriate level during disruptions | |
| Supports (3) | | |
| ISM-0570 | ISM-0570 requires that backup or alternative email gateways are maintained to the same standard as the primary email gateway to avoid sec... | |
| ISM-1123 | ISM-1123 requires UPS-backed power delivery for TOP SECRET IT equipment to improve resilience to power outages and maintain availability | |
| ISM-2006 | Annex A 5.29 requires the organisation to plan for maintaining information security at an appropriate level during disruptions | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.