
ISO 27001 Annex A 5.29 Audit Checklist

In this ultimate how-to-audit guide to ISO 27001 Annex A 5.29 Information Security During Disruption, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 5.29 is a technical evaluation of an organisation’s capability to maintain information security continuity during adverse situations. The primary implementation requirement is that security controls remain operational during disruptions; the business benefit is resilient protection against opportunistic cyber-attacks during crises, when attackers expect defences to be relaxed.

1. Information Security Requirements in BC/DR Plans Verified

Verification Criteria: Business Continuity (BC) and Disaster Recovery (DR) plans must explicitly include information security requirements that remain applicable during a disruption.

Required Evidence: Approved BC/DR plans containing a dedicated section for “Information Security Maintenance” or “Security during Crisis.”

Pass/Fail Test: If the BC/DR plans focus solely on system availability and omit requirements for confidentiality and integrity during a crisis, mark as Non-Compliant.

2. Crisis Management Security Roles and Authorities Confirmed

Verification Criteria: Personnel responsible for maintaining security during a disruption are formally identified, with clear authorities to enforce security protocols under emergency conditions.

Required Evidence: Crisis Management Team (CMT) structure or RACI matrix specifying security-specific roles during a BC event.

Pass/Fail Test: If the organisation cannot identify a specific individual with the authority to veto an insecure “emergency” workaround, mark as Non-Compliant.

3. Security Control Implementation During Disruption Validated

Verification Criteria: Existing security controls (e.g., access control, encryption, logging) are maintained or replaced by equally effective compensatory controls during the disruption.

Required Evidence: Technical configuration standards for “Emergency Operating Mode” or logs showing active security monitoring during a previous drill.

Pass/Fail Test: If security controls (such as MFA or firewall rules) are intentionally disabled to facilitate faster recovery without a formal risk waiver, mark as Non-Compliant.
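Step 3 is the one an auditor can partly automate: compare the approved baseline configuration with the “Emergency Operating Mode” configuration and flag every control that is weakened unless a formal, unexpired risk waiver naming a compensating control covers it. The following Python script is an added example written for this guide, not part of the original page or of any toolkit; the baseline, emergency-mode settings and waiver register are constructed sample data, and the control names and waiver fields are assumed for illustration.

```python
"""Audit helper for ISO 27001 Annex A 5.29, step 3: detect security controls
that are disabled or downgraded in emergency operating mode without a formal
risk waiver. All data below is constructed sample input for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed baseline: what the controls look like in normal operation.
BASELINE = {
    "mfa_enforced": True,
    "firewall_default_deny": True,
    "tls_min_version": "1.2",
    "audit_logging": True,
}

# Constructed "Emergency Operating Mode" standard: MFA and the default-deny
# firewall rule have both been relaxed to speed up recovery.
EMERGENCY_MODE = {
    "mfa_enforced": False,
    "firewall_default_deny": False,
    "tls_min_version": "1.2",
    "audit_logging": True,
}

# Constructed risk-waiver register (field names are assumptions for this example).
# Only the MFA relaxation has a formal, approved waiver with a compensating control.
WAIVERS = [
    {
        "control": "mfa_enforced",
        "approved_by": "CISO",
        "expires": date(2030, 1, 1),
        "compensating_control": "IP allow-list plus out-of-band call-back",
    },
]


@dataclass
class Finding:
    control: str
    baseline: object
    emergency: object
    verdict: str   # PASS, PASS_WITH_WAIVER or NON_COMPLIANT
    reason: str


def _version_tuple(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def is_weakened(baseline_value, emergency_value) -> bool:
    """True if the emergency-mode value is weaker than the baseline value."""
    if isinstance(baseline_value, bool) and isinstance(emergency_value, bool):
        return baseline_value and not emergency_value       # True -> False is a downgrade
    if isinstance(baseline_value, str) and isinstance(emergency_value, str):
        try:
            return _version_tuple(emergency_value) < _version_tuple(baseline_value)
        except ValueError:
            pass
    # Values we cannot rank: treat any change as a weakening so the auditor reviews it.
    return baseline_value != emergency_value


def compare_modes(baseline: dict, emergency: dict, waivers: list, as_of: date) -> list:
    """Return one Finding per baseline control, applying the step-3 pass/fail test."""
    waiver_by_control = {w["control"]: w for w in waivers}
    findings = []
    for control, base_value in baseline.items():
        if control not in emergency:
            findings.append(Finding(control, base_value, None, "NON_COMPLIANT",
                                    "control absent from emergency operating mode"))
            continue
        emerg_value = emergency[control]
        if not is_weakened(base_value, emerg_value):
            findings.append(Finding(control, base_value, emerg_value, "PASS",
                                    "control maintained during disruption"))
            continue
        waiver = waiver_by_control.get(control)
        if waiver is None:
            verdict, reason = "NON_COMPLIANT", "control weakened without a formal risk waiver"
        elif waiver["expires"] < as_of:
            verdict, reason = "NON_COMPLIANT", "risk waiver has expired"
        elif not waiver.get("compensating_control"):
            verdict, reason = "NON_COMPLIANT", "waiver names no compensating control"
        else:
            verdict = "PASS_WITH_WAIVER"
            reason = f"weakened under waiver approved by {waiver['approved_by']}"
        findings.append(Finding(control, base_value, emerg_value, verdict, reason))
    return findings


def non_compliant_controls(findings: list) -> list:
    """Controls that fail the step-3 test, in baseline order."""
    return [f.control for f in findings if f.verdict == "NON_COMPLIANT"]


if __name__ == "__main__":
    for f in compare_modes(BASELINE, EMERGENCY_MODE, WAIVERS, as_of=date(2025, 6, 1)):
        print(f"{f.control:24} {f.verdict:18} {f.reason}")
```

Run against the sample data, the firewall relaxation is reported as Non-Compliant because no waiver covers it, while the MFA relaxation passes only because a CISO-approved waiver with a named compensating control exists; re-running with a later audit date shows how an expired waiver turns that pass back into a finding, which is exactly the evidence trail the auditor should ask to see.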
