ISO 27001:2022 Annex A 5.29 Information security during disruption

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.29 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.29 Information Security During Disruption

ISO 27001 Annex A 5.29 requires organizations to plan how to maintain information security at an appropriate level during a disruption. When an outage or business continuity event occurs, security controls often get bypassed in the rush to restore operations. This corrective and preventive control ensures that your security posture remains intact even during a crisis. The objective is to prevent “security shortcuts” that could lead to a data breach while the organization is already vulnerable.

Core requirements for compliance include:

  • Security Integration in BCP/DR: You must explicitly include information security requirements within your Business Continuity Plans (BCP) and Disaster Recovery (DR) procedures.
  • Maintenance of Controls: You should aim to replicate the same level of security during a disruption as you have in normal operations. If a primary control (e.g., SSO) fails, a pre-approved Fallback Control must be ready.
  • Continuity of Confidentiality & Integrity: While the focus of BCP is often on Availability, this control mandates that Confidentiality and Integrity are not sacrificed to get systems back online.
  • Testing and Validation: It is not enough to have a plan; you must test it. Your business continuity exercises should include a step to verify that security controls are functioning correctly in the fallback environment.
  • Lessons Learned: Following any disruption or test, you must conduct a review to identify where security was compromised and update your plans accordingly (Annex A 5.27).

Audit Focus: Auditors will look for “The Security Continuity Trail”:

  1. Plan Consistency: “Show me your Business Continuity Plan. Where does it describe the security controls that remain active during a failover?”
  2. Test Evidence: “Show me the results of your last disaster recovery test. How did you verify that data encryption and access logs were still active in the secondary environment?”
  3. Fallback Awareness: “If your primary VPN fails, how do staff access systems securely? What specific instructions are given to them to maintain security during this time?”

Fallback Security Checklist (Audit Prep):

| Security Scenario | Primary Control (Normal Operations) | Fallback Control (Disruption State) | ISO 27001:2022 Mapping |
| --- | --- | --- | --- |
| System Access | Enterprise Single Sign-On (SSO) with MFA | Emergency Admin Accounts (securely vaulted / break-glass) | 5.29 & 5.18 (Access Rights) |
| Data Entry | Encrypted cloud-native database environments | Secure paper forms (mandatory storage in Grade 1 safes) | 5.29 & 7.10 (Storage Media) |
| Remote Access | Corporate VPN via SD-WAN with MFA enforcement | 5G dongles (must utilise integrated hardware firewalls) | 5.29 & 8.20 (Network Security) |
| Physical Site | Electronic badge readers with centralised logging | Physical security guards and manual sign-in logs | 5.29 & 7.2 (Physical Monitoring) |

What is ISO 27001 Annex A 5.29?

ISO 27001 Annex A 5.29 is Information Security During Disruption. This control is about ensuring that information security is maintained during a disruption, outage or business continuity event.

ISO 27001 Annex A 5.29 Information Security During Disruption is an ISO 27001 control that wants you to plan for, and maintain, information security at a level appropriate to your organisation during a disruption.

What is the purpose of ISO 27001 Annex A 5.29?

The purpose of ISO 27001 Annex A 5.29 is to protect information and other associated assets during disruption.

What is the definition of ISO 27001 Annex A 5.29?

The ISO 27001 standard defines ISO 27001 Annex A 5.29 as:

The organisation should plan how to maintain information security at an appropriate level during disruption.

Watch the ISO 27001 Annex A 5.29 Tutorial

In this video I show you how to implement ISO 27001 Annex A 5.29 and how to pass the audit.

ISO 27001 Annex A 5.29 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.29 Information Security During Disruption. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.29 Implementation Guidance

It is my experience that the best way to implement Annex A 5.29 is to replicate the same level of information security in your business continuity plans, disaster recovery plans and disruption operations. Doing anything else (and you may need to, and sometimes should) leads to a more complex environment that will attract a greater level of questioning come your audits.

How to implement ISO 27001 Annex A 5.29

Implementing ISO 27001 Annex A 5.29 (Control 5.29 in the 2022 update) requires a strategic shift from simple technical recovery to maintaining active security governance during a crisis. The objective is to ensure that confidentiality, integrity and availability are not sacrificed for speed during an operational disruption. By following this action-oriented workflow, organisations can build a resilient Information Security Management System (ISMS) that remains compliant even in a degraded state.

1. Formalise Security Specific Continuity Requirements

Perform a Business Impact Analysis (BIA) that explicitly identifies the security levels required for critical assets during a disruption.

  • Identify critical information processing facilities and assign minimum security baselines for “failover” environments.
  • Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) from a security perspective, ensuring data integrity is verified upon restoration.
  • Determine which specific Annex A controls must remain operational, such as encryption and logging, regardless of the incident severity.

2. Document Security Embedded Business Continuity Plans

Develop comprehensive Business Continuity Plans (BCP) that integrate security protocols directly into the restoration procedures.

  • Draft step-by-step instructions for technical staff that prioritise the activation of security perimeters during system reboots.
  • Specify the “degraded state” protocols, such as manual authorisation processes, to be used if automated Identity and Access Management (IAM) systems are offline.
  • Establish a communication plan that defines how security incidents discovered during a disruption are escalated to the CISO.

3. Provision Privileged Access and Break Glass Accounts

Set up emergency access management roles to ensure technical teams can remediate issues without bypassing security governance.

  • Provision “Break Glass” accounts with temporary elevated privileges that are stored in a secure, offline vault.
  • Ensure Multi-Factor Authentication (MFA) remains mandatory for emergency access, utilising hardware tokens or pre-authorised bypass codes if mobile networks fail.
  • Define specific IAM roles that limit emergency powers to prevent the risk of accidental or intentional data exfiltration during chaos.

4. Execute Regular Security Continuity Testing

Institutionalise a testing regime to validate that security controls remain effective when moving from primary to secondary sites.

  • Validate security integrity through tabletop exercises that simulate cyber attacks occurring simultaneously with physical disruptions.
  • Perform full-scale technical failover tests to secondary data centres, ensuring SIEM logging and firewall rules remain consistent.
  • Document every test result within a formal report, identifying gaps where security was compromised for the sake of availability.

5. Validate Post Restoration Integrity and Governance

Implement a formal process to verify system integrity and revoke emergency privileges once normal operations resume.

  • Revoke all “Break Glass” access and temporary IAM permissions immediately upon the formal end of the disruption.
  • Execute a full audit of the Register of Entrants (ROE) and system logs to identify any unauthorised actions taken during the crisis.
  • Formalise a Post Incident Review (PIR) to update the Statement of Applicability (SoA) and continuity plans based on lessons learned.
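Steps 3 and 5 above require break-glass access to be MFA-protected, confined to the declared disruption window, revoked at its formal end and audited afterwards. The script below is an added example of that post-restoration audit; it is not code from the page or from High Table. It assumes a JSON-lines access log with the fields ts, user, event, mfa and an optional bytes_out, a list of break-glass account names and a disruption window taken from the continuity plan; the log lines, account names and export threshold are constructed for the demonstration.

```python
"""Post-restoration audit of break-glass account activity.

Added example (not from the page or High Table). Assumed inputs: a JSON-lines
access log with fields ts, user, event, mfa and optional bytes_out; the set of
break-glass account names and the authorised disruption window come from the
continuity plan. The log lines below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime
import json

# Constructed break-glass account names (assumption).
BREAK_GLASS_ACCOUNTS = frozenset({"bg-admin-01", "bg-admin-02"})

# Exports at or above this size while monitoring is degraded are flagged (assumption).
EXPORT_THRESHOLD_BYTES = 100 * 1024 * 1024

# Constructed sample log lines covering a simulated disruption declared 10:00-12:00 UTC.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:55:00Z", "user": "alice", "event": "login", "mfa": true}
{"ts": "2024-03-01T10:05:00Z", "user": "bg-admin-01", "event": "login", "mfa": true}
{"ts": "2024-03-01T10:20:00Z", "user": "bg-admin-01", "event": "config_change", "mfa": true}
{"ts": "2024-03-01T10:40:00Z", "user": "bg-admin-02", "event": "login", "mfa": false}
{"ts": "2024-03-01T10:45:00Z", "user": "bg-admin-02", "event": "data_export", "mfa": false, "bytes_out": 734003200}
{"ts": "2024-03-01T13:10:00Z", "user": "bg-admin-01", "event": "login", "mfa": true}
"""


@dataclass
class Finding:
    code: str      # NO_MFA, OUTSIDE_WINDOW or DATA_EXPORT
    user: str
    ts: str
    detail: str


@dataclass
class AuditResult:
    break_glass_logins: int = 0
    findings: list = field(default_factory=list)
    still_active_after_end: set = field(default_factory=set)

    @property
    def revocation_verified(self) -> bool:
        """True only if no break-glass account acted after the formal end of the disruption."""
        return not self.still_active_after_end


def parse_ts(value: str) -> datetime:
    # fromisoformat does not accept a trailing 'Z' before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_disruption_window(log_text: str, window_start: str, window_end: str,
                            break_glass=BREAK_GLASS_ACCOUNTS) -> AuditResult:
    """Check every break-glass event against the plan: MFA, window and exports."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    result = AuditResult()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        user = rec["user"]
        if user not in break_glass:
            continue  # ordinary accounts are covered by normal log review
        ts = parse_ts(rec["ts"])
        if rec["event"] == "login":
            result.break_glass_logins += 1
        if not rec.get("mfa", False):
            result.findings.append(Finding("NO_MFA", user, rec["ts"], "emergency access without MFA"))
        if not (start <= ts <= end):
            result.findings.append(Finding("OUTSIDE_WINDOW", user, rec["ts"],
                                           "activity outside the authorised disruption window"))
            if ts > end:
                result.still_active_after_end.add(user)  # revocation at step 5 did not happen
        if rec["event"] == "data_export" and rec.get("bytes_out", 0) >= EXPORT_THRESHOLD_BYTES:
            result.findings.append(Finding("DATA_EXPORT", user, rec["ts"],
                                           f"{rec['bytes_out']} bytes exported while monitoring was degraded"))
    return result


def finding_codes(result: AuditResult) -> list:
    """Sorted list of finding codes, convenient for reports and tests."""
    return sorted(f.code for f in result.findings)


if __name__ == "__main__":
    r = audit_disruption_window(SAMPLE_LOG, "2024-03-01T10:00:00Z", "2024-03-01T12:00:00Z")
    print("break-glass logins:", r.break_glass_logins)
    for f in r.findings:
        print(f"[{f.code}] {f.ts} {f.user}: {f.detail}")
    print("revocation verified:", r.revocation_verified)
```

Run against the constructed log, the audit reports one login without MFA, one large export from that same session, and a break-glass login an hour after the disruption was formally closed, which is exactly the revocation failure the Post Incident Review should record. The window boundaries and account list are the plan's inputs, so the same script doubles as the checkable evidence that a continuity test verified security rather than only availability.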

Fallback Security Checklist

| Scenario | Primary Control (Normal) | Fallback Control (Disruption) |
| --- | --- | --- |
| System Access | Single Sign-On (SSO) | Emergency admin accounts (in sealed envelope) |
| Data Entry | Encrypted database | Paper forms (must be locked in safe) |
| Remote Access | VPN + MFA | 5G dongles (must have corporate firewall) |
| Physical Site | Electronic badges | Physical guards + manual sign-in log |

How to comply

To comply with ISO 27001 Annex A 5.29 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  1. Have an ISO 27001 topic specific policy for business continuity
  2. Implement a process for business continuity and disaster recovery
  3. Incorporate that process into your business operations

How to pass an ISO 27001 Annex A 5.29 audit

To pass an audit of ISO 27001 Annex A 5.29 you are going to make sure that you have followed the steps above in how to comply and be able to evidence it in operation.

  1. Have a business continuity plan and disaster recovery plan
  2. Include in the plans the requirements for information security and what is different to normal operation
  3. Test the plans
  4. Test the information security requirements are in place as designed

What will an auditor check for ISO 27001 Annex A 5.29?

The audit is going to check a number of areas. Let's go through the main ones.

1. That you have documented your business continuity and disaster recovery plans

The audit will check the documentation, that you have reviewed it and signed it off, and that it represents what you actually do, not what you think they want to hear.

2. That you can demonstrate the process working

They are going to ask you for evidence of information security during a disruption and take at least one example. For this example you are going to show them and walk them through the process and prove that you followed it and that the process worked.

3. That you can learn your lessons

Documenting your lessons learnt and following this through to continual improvements or incident and corrective actions will be checked.

Top 3 ISO 27001 Annex A 5.29 mistakes people make and how to avoid them

The most common mistakes people make for ISO 27001 Annex A 5.29 are

1. Not having a documented disaster recovery and business continuity policy and plans.

This is the most common mistake made by organisations. Documentation is essential for effective incident response.

2. Not including information security requirements in the plans

There are so many mistakes that can be made but this particular requirement is about information security in a disruption so be sure you understand it and can talk to it and evidence it.

3. Not Testing

It is important to monitor the effectiveness of information security during a disruption. This means reviewing the process, conducting internal audits and reviewing actual incidents for lessons learnt. The number one thing to do is test, and be able to evidence the test.

By avoiding these mistakes, you can ensure that you have an effective plan in place and the evidence to back it up.

Applicability of ISO 27001 Annex A 5.29 across different business models

Small Businesses

Applicability: Highly applicable for ensuring that when the office is closed or the primary server is down, security is not “turned off” to save time. The focus is on simple fallback methods that maintain data confidentiality during a crisis.

Examples of Control Implementation:
  • Documenting a “Manual Sign-In” process for visitors if the electronic reception kiosk fails during a power outage.
  • Storing a set of “Break-Glass” admin passwords in a physical sealed envelope in a locked safe for use if the primary Single Sign-On (SSO) is offline.
  • Providing staff with 5G dongles that have built-in hardware firewalls to use as a secure fallback if the main office fibre line is cut.

Tech Startups

Applicability: Critical for ensuring that automated “failover” to secondary cloud regions doesn’t leave data unencrypted or logs unmonitored. Compliance involves integrating security checks into the Disaster Recovery (DR) automation.

Examples of Control Implementation:
  • Configuring Infrastructure as Code (IaC) to ensure that secondary failover regions automatically inherit the same firewall rules and WAF configurations as the primary site.
  • Mandating that Multi-Factor Authentication (MFA) remains active even on emergency “backdoor” accounts used by the DevOps team during an outage.
  • Conducting a “Tabletop Exercise” that specifically simulates a cyberattack occurring simultaneously with a system disruption.

AI Companies

Applicability: Vital for protecting massive training datasets and proprietary model weights during high-pressure recovery events. Focus is on preventing data corruption or unauthorised exfiltration during “unstable” system states.

Examples of Control Implementation:
  • Ensuring that automated restoration scripts for AI model weights include a mandatory integrity hash check to prevent the use of corrupted data.
  • Maintaining strict Role-Based Access Control (RBAC) on the recovery vault, ensuring that emergency researchers can only access the specific datasets needed for the current project.
  • Performing a “Post-Restoration Audit” of all system logs to verify that no unauthorised data exports occurred while primary monitoring tools were in a degraded state.
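The AI Companies examples above call for restoration scripts to run a mandatory integrity hash check before restored model weights are used. The following is an added example of that check, not code from the page or from High Table. It assumes the backup job recorded a manifest of SHA-256 digests per artifact and a MAC over that manifest with a key held outside the restore path (so that a corrupted or tampered backup cannot also rewrite its own manifest); the key, artifact names and contents are constructed for the demonstration.

```python
"""Integrity-verified restore of AI model artifacts.

Added example (not from the page or High Table). Assumes restored artifacts
are available as name -> bytes, that a manifest of SHA-256 digests was recorded
at backup time, and that a MAC key for the manifest is held outside the restore
path. The key and artifacts below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed demo key (assumption). In practice it lives in a secrets store the
# restore job can read but not write, so a bad backup cannot forge its manifest.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"

# Constructed artifacts standing in for model weights, config and tokenizer files.
GOOD_ARTIFACTS = {
    "model/weights.bin": bytes(range(256)) * 4,
    "model/config.json": b'{"layers": 12, "hidden": 768}',
    "tokenizer/vocab.txt": b"<pad>\n<unk>\nhello\nworld\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_mac(entries: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding so key order cannot change the MAC."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(artifacts: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Record one digest per artifact at backup time and MAC the whole list."""
    entries = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    return {"entries": entries, "mac": manifest_mac(entries, key)}


def verify_restore(manifest: dict, restored: dict, key: bytes = MANIFEST_KEY) -> list:
    """Return sorted problem codes; an empty list means the restore is safe to use."""
    # If the manifest itself fails its MAC, none of its entries can be trusted.
    if not hmac.compare_digest(manifest["mac"], manifest_mac(manifest["entries"], key)):
        return ["MANIFEST_TAMPERED"]
    problems = []
    for name, expected in manifest["entries"].items():
        if name not in restored:
            problems.append(f"MISSING:{name}")
        elif not hmac.compare_digest(sha256_hex(restored[name]), expected):
            problems.append(f"HASH_MISMATCH:{name}")
    for name in restored:
        if name not in manifest["entries"]:
            problems.append(f"UNEXPECTED:{name}")  # something the backup never contained
    return sorted(problems)


def restore_is_safe(manifest: dict, restored: dict, key: bytes = MANIFEST_KEY) -> bool:
    """Gate for the restoration script: refuse to load the model on any problem."""
    return verify_restore(manifest, restored, key) == []


if __name__ == "__main__":
    manifest = build_manifest(GOOD_ARTIFACTS)
    print("clean restore problems:", verify_restore(manifest, GOOD_ARTIFACTS))
    corrupted = dict(GOOD_ARTIFACTS)
    corrupted["model/weights.bin"] = corrupted["model/weights.bin"][:-1] + b"\x00"
    print("corrupted restore problems:", verify_restore(manifest, corrupted))
```

The design point is that the hash check alone only proves the restored bytes match whatever manifest was shipped with them; the MAC under a separately held key is what lets the restoration script distinguish a genuine backup from one whose manifest was rewritten alongside the data. Any non-empty result should stop the restore and be recorded in the Post-Restoration Audit rather than overridden to shorten the outage.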

Fast Track ISO 27001 Annex A 5.29 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.29 (Information security during disruption), the requirement is to plan how to maintain information security at an appropriate level during a disruption. This ensures that when your primary systems go down, you don’t abandon your security controls (like encryption or access logs) just to keep the business running.

Strategy Ownership
  • SaaS Compliance Platforms: Rents access to your continuity plans; if you cancel the subscription, your documented fallback security standards vanish.
  • High Table ISO 27001 Toolkit: Permanent Assets. Fully editable Word/Excel Business Continuity Policies and DR Plans that you own forever.
  • Audit Evidence Example: A localised “Fallback Security Checklist” stored on your secure server defining mandatory controls during a system outage.

Operational Resilience
  • SaaS Compliance Platforms: Attempts to “automate” DR via dashboards that cannot physically manage manual sign-in logs or emergency admin credentials.
  • High Table ISO 27001 Toolkit: Governance-First. Formalises your existing disaster recovery workflows into an auditor-ready framework.
  • Audit Evidence Example: A completed “Continuity Test Log” proving that security controls (like encryption) remained active during a recent simulation.

Cost Efficiency
  • SaaS Compliance Platforms: Charges a “Disaster Tax” based on the number of continuity plans or simulations, creating perpetual overhead.
  • High Table ISO 27001 Toolkit: One-Off Fee. A single payment covers your disruption governance for one small office or a global network.
  • Audit Evidence Example: Allocating budget to redundant failover sites or resilient hardware rather than monthly “continuity” dashboard fees.

Architectural Freedom
  • SaaS Compliance Platforms: Mandates rigid reporting formats that often fail to account for offline processes or specialised physical security needs.
  • High Table ISO 27001 Toolkit: 100% Agnostic. Procedures adapt to any environment: cloud failover, hybrid stacks, or manual paper-based fallbacks.
  • Audit Evidence Example: The ability to evolve your resilience strategy (e.g., shifting to a “Work from Home” fallback) without reconfiguring a rigid SaaS module.

Summary: For Annex A 5.29, the auditor wants to see that you have a formal plan for maintaining security during a disruption and proof that you have tested it (e.g., test logs and evidence of fallback controls). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.29 FAQ

What is ISO 27001 Annex A 5.29?

ISO 27001 Annex A 5.30 (updated as 5.29 in the 2022 version) is an organisational control that mandates information security must be maintained at a predetermined level during a disruption or disaster.

  • It ensures that security controls are not abandoned during an emergency.
  • It requires the identification of critical assets and their security requirements.
  • It mandates that business continuity plans include specific security provisions.
  • It applies to all types of disruptions, from cyber attacks to physical fires.

Is information security continuity mandatory for ISO 27001?

Yes, maintaining information security during a disruption is a mandatory requirement if your risk assessment identifies that a loss of security during an incident would impact the organisation.

  • Auditors expect to see security embedded within your Business Continuity Plan (BCP).
  • Failure to prove security was maintained during a test can result in a non-conformity.
  • It is essential for protecting the confidentiality and integrity of data when systems are in a “failover” state.

How does 5.29 differ from 5.30 (ICT Readiness)?

The primary difference is that Control 5.29 focuses on the “security” of information during an event, whereas Control 5.30 focuses on the “recovery” and availability of the technology itself.

  • 5.29: Ensuring data remains encrypted and access remains restricted during a fire.
  • 5.30: Ensuring the server is back online within 4 hours (RTO).
  • Both controls must work in tandem to satisfy a full ISMS audit.

Can security controls be bypassed during an emergency?

No, security controls should never be bypassed; however, ISO 27001 allows for “emergency procedures” that must be pre-defined, risk-assessed, and formally authorised.

  • Bypassing MFA or encryption during a disaster creates a significant insider threat risk.
  • Emergency access (Break-Glass) must be logged and audited immediately after the event.
  • Documenting these “degraded state” security levels is a core part of 5.29 compliance.

What evidence do auditors expect for ISO 27001 Control 5.29?

Auditors look for verifiable proof that security was considered during business continuity planning, including test reports and documented recovery objectives.

  • A Business Impact Analysis (BIA) that includes security requirements.
  • Business Continuity Plans (BCP) that explicitly mention security controls.
  • Post-test reports proving that security was verified during failover drills.
  • Evidence of “lessons learned” from previous disruptions or tests.

How often should security continuity plans be tested?

ISO 27001 requires security continuity plans to be tested at “planned intervals” or following significant changes, which typically translates to an annual requirement.

  • Annual testing is the industry standard for maintaining certification.
  • Testing should be triggered by major infrastructure changes or cloud migrations.
  • Tests can include tabletop exercises, simulations, or full-scale technical failovers.

Further Reading

The complete guide to ISO/IEC 27002:2022

ISO 27001 Change Management Policy Beginner’s Guide

ISO 27001 Business Continuity Policy Beginner’s Guide

ISO 27001 Controls and Attribute values

Control type: Corrective, Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Protect, Respond
Operational capabilities: Continuity
Security domains: Protection, Resilience


Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
