Annex A · Organisational Control

A.5.29 — Information Security During Disruption

Updated · 4 min read · Reviewed by: Cenedril Editorial
Tags: A.5.29 · ISO 27001 · ISO 27002 · BSI DER.4 · BSI-Standard 200-4

A fire destroys the primary data centre. The business continuity plan activates the backup site within hours. In the rush to restore services, the team skips the usual access control provisioning and grants everyone administrator access. The organisation is now operational — and wide open. A.5.29 ensures that information security requirements remain enforceable even when the organisation is operating in crisis mode.

Disruptions create pressure to restore services quickly. That pressure often leads to shortcuts: relaxed authentication, unencrypted data transfers, unverified backup restores. This control requires the organisation to plan for maintaining security during disruption — and to define compensating measures where standard controls cannot be sustained.

What does the standard require?

  • Integrate security into continuity planning. Business continuity plans must include information security requirements — they cannot treat security as an afterthought to be addressed once operations are restored.
  • Maintain or restore controls. Security controls must be maintained during the disruption. Where this is impossible, the organisation must implement compensating controls and document the rationale.
  • Define minimum security levels. For each critical process, specify the minimum acceptable security posture during degraded operations (e.g. which access controls must remain, which encryption requirements persist).
  • Plan the return to normal. The recovery plan includes steps for reverting from compensating controls to the standard security posture, with verification that all controls are fully operational again.
  • Test regularly. IS continuity measures must be tested at planned intervals to confirm they work as intended under realistic conditions.

In practice

Map security controls to critical processes. For each process in your business impact analysis, identify the security controls that protect it. Determine which of these controls can survive a disruption, which need manual workarounds and which require compensating measures.

Define compensating controls for degraded mode. If the primary access control system is unavailable, what replaces it? If encrypted channels are down, what alternative protects data in transit? Document these compensating controls and ensure the response team knows how to activate them.

Include IS continuity in exercises. When you run business continuity exercises, include information security scenarios. Test whether the team can maintain access controls, detect intrusions and preserve evidence while operating on backup infrastructure.

Document deviations and approvals. If security controls must be relaxed during a disruption, require formal approval (e.g. by the CISO) and set a time limit. Record the deviation, the compensating measures and the date when normal controls were fully restored.

Typical audit evidence

Auditors typically expect the following evidence for A.5.29:

  • Business continuity plans with security sections — documented minimum security requirements for each critical process during disruption
  • Compensating controls catalogue — predefined alternatives for controls that cannot be maintained during degraded operations
  • Exercise reports — evidence that IS continuity measures were tested, including results and improvements
  • Deviation records — documentation of any temporary security relaxations during actual disruptions, with approval and restoration dates
  • Recovery verification records — evidence that full security posture was restored after returning to normal operations

KPI

% of IS continuity measures tested within the last 12 months

This KPI measures the organisation’s preparedness. Track which IS continuity measures exist and which have been verified through exercises or actual disruptions within the past year. Target: 100%.

Supplementary KPIs:

  • Time to restore full security posture after disruption recovery
  • Number of security deviations during disruption events
  • Percentage of backup/failover environments with verified security control parity
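The two record-keeping points above, time-limited deviations with formal approval and restoration dates (see "Document deviations and approvals") and the headline KPI of continuity measures tested within the last 12 months, can be checked mechanically once the deviation register and the measure inventory are kept as data. The following is an added example and not code from the page or from Cenedril; the `Deviation` and `ContinuityMeasure` records, the function names and the sample register are all assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Deviation:
    """One temporary relaxation of a security control during a disruption (hypothetical record layout)."""
    control: str                      # standard control that was relaxed
    compensating: str                 # what protects the asset while the control is relaxed
    approved_by: str                  # formal approver, e.g. the CISO; "" means no approval recorded
    approved_on: date
    time_limit_days: int              # agreed maximum duration of the relaxation
    restored_on: date | None = None   # date the standard control was verified back in force

    @property
    def expires_on(self) -> date:
        return self.approved_on + timedelta(days=self.time_limit_days)


def audit_deviations(register: list[Deviation], today: date) -> dict[str, list[str]]:
    """Flag deviations that violate the approve / time-limit / restore discipline.

    missing_approval: relaxation recorded without a named approver
    open_overdue:     still relaxed although the time limit has passed
    restored_late:    restored, but after the time limit (a finding for the exercise report)
    """
    findings: dict[str, list[str]] = {"missing_approval": [], "open_overdue": [], "restored_late": []}
    for d in register:
        if not d.approved_by:
            findings["missing_approval"].append(d.control)
        if d.restored_on is None and today > d.expires_on:
            findings["open_overdue"].append(d.control)
        if d.restored_on is not None and d.restored_on > d.expires_on:
            findings["restored_late"].append(d.control)
    return findings


@dataclass
class ContinuityMeasure:
    """An IS continuity measure and when it was last verified (exercise or real disruption)."""
    name: str
    last_tested: date | None


def kpi_tested_within(measures: list[ContinuityMeasure], today: date, window_days: int = 365) -> float:
    """Percentage of measures tested within the window; untested (None) counts as not tested."""
    if not measures:
        return 0.0
    tested = sum(
        1 for m in measures
        if m.last_tested is not None and (today - m.last_tested).days <= window_days
    )
    return round(100.0 * tested / len(measures), 1)


# Constructed sample data; names and dates are invented for the example.
SAMPLE_REGISTER = [
    Deviation("pam-admin-access", "break-glass accounts with session recording", "CISO", date(2024, 5, 20), 14),
    Deviation("tls-internal-transfers", "transfers limited to isolated VLAN", "CISO", date(2024, 5, 1), 14),
    Deviation("backup-restore-verification", "manual hash check by two operators", "CISO", date(2024, 4, 1), 7,
              restored_on=date(2024, 4, 6)),
    Deviation("mfa-vpn", "VPN restricted to named source networks", "", date(2024, 5, 25), 7),
    Deviation("siem-forwarding", "local log retention on hosts", "CISO", date(2024, 3, 1), 7,
              restored_on=date(2024, 3, 12)),
]

SAMPLE_MEASURES = [
    ContinuityMeasure("failover-site access control", date(2024, 1, 15)),
    ContinuityMeasure("offline backup restore", date(2023, 3, 1)),
    ContinuityMeasure("evidence preservation on backup infra", None),
    ContinuityMeasure("emergency key escrow", date(2024, 5, 30)),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(audit_deviations(SAMPLE_REGISTER, today))
    print(f"KPI: {kpi_tested_within(SAMPLE_MEASURES, today)}% tested in last 12 months")
```

Run against the sample data on 1 June 2024, the audit reports one deviation without approval, one still open past its time limit and one that was restored late, and the KPI comes out at 50.0% rather than the 100% target. A deviation that is open but still inside its time limit produces no finding, which is the intended behaviour: the check enforces the discipline, not a ban on deviations.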

BSI IT-Grundschutz

A.5.29 maps to several BSI modules covering continuity and crisis management:

  • DER.4 (Business continuity management) — requires integration of information security into BCM planning and testing.
  • DER.2.1 (Incident handling) — covers the operational response during disruptions.
  • DER.2.2 (Forensic investigation) — evidence preservation requirements during disruptions.
  • DER.2.3 (Remediation of security incidents) — post-disruption recovery and control restoration.
  • BSI-Standard 200-4 — comprehensive framework for business continuity management including IT and information security aspects.

A.5.29 connects security to the continuity management framework.

Frequently asked questions

What types of disruptions does A.5.29 cover?

Any event that significantly impacts normal operations: natural disasters, infrastructure failures, cyberattacks, pandemics, supply chain breakdowns. The control applies regardless of the cause; the point is that security requirements remain in force even when operations are degraded.

Can security controls be temporarily relaxed during a crisis?

In some cases, yes: the standard acknowledges that certain controls may not be maintainable during a disruption. The key requirement is that compensating controls are in place and that any temporary relaxation is documented, approved and time-limited. Reverting to full security posture must be part of the recovery plan.

How does A.5.29 relate to business continuity management?

A.5.29 is the information security perspective on business continuity. It ensures that BCM plans explicitly address security requirements, so that recovery does not happen at the expense of confidentiality, integrity or availability of information. A.5.30 adds the ICT infrastructure dimension.