
ISO 27001:2022 A.5.29 Information security during disruption

This article provides additional information on how to meet the requirement of ISO 27001:2022 control A.5.29, Information security during disruption.

ISO 27001:2022 Control Description

The organisation shall plan how to maintain information security at an appropriate level during disruption.

Purpose

To protect information and other associated assets during disruption.

Guidance

The organisation should determine its requirements for adapting information security controls during disruption. Information security requirements should be integrated into the business continuity management processes.

Plans should be developed, implemented, tested, reviewed, and evaluated to maintain or restore the security of information for critical business processes following an interruption or failure. The security of information should be restored to the required level within the required timeframes.

The organisation should implement and maintain:

a) information security controls, supporting systems, and tools within business continuity and ICT continuity plans;

b) processes to maintain existing information security controls during disruption;

c) compensating controls for information security controls that cannot be maintained during disruption.

Other Information

In the context of business continuity and ICT continuity planning, it may be necessary to adapt the information security requirements to the type of disruption, compared with normal operating conditions. As part of the business impact analysis and risk assessment conducted within business continuity management, the consequences of a loss of confidentiality and integrity of information should be considered and prioritised alongside the need to maintain availability.