Control 5.29: Information Security During Disruption
Summary
The organization should plan how to maintain information security at an appropriate level during a disruption. Security controls should not be bypassed or weakened simply because the organization is operating in emergency mode.
Applicability
In-Scope: Mandatory for ensuring that a business disruption (like a power outage or system failure) does not become a security breach. It is a core part of the availability pillar of the CIA triad.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Secure Remote Access: Ensure that MFA and Conditional Access remain active even when users are forced to work from alternative locations or personal devices during a disruption.
- Redundancy: Utilize Microsoft 365 Service Health dashboards and regional failover capabilities to maintain access to core communication tools (Teams/Exchange).
- Emergency Accounts: Maintain break-glass accounts in Entra ID that are exempted from standard policies but are highly monitored, for use if primary admin access is lost.
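The "exempted but highly monitored" property of break-glass accounts can be verified rather than assumed. The following PowerShell script is an added example (not part of the control text or of any Microsoft documentation): using the Microsoft.Graph module, it checks that each break-glass account is excluded from every Conditional Access policy and lists the account's recent sign-ins for review. The account UPNs and the 7-day review window are placeholder assumptions.

```powershell
# Added example: verify break-glass accounts are excluded from all Conditional
# Access policies and list their recent sign-ins for review.
# Requires the Microsoft.Graph PowerShell module. UPNs are placeholders (assumption).
$BreakGlassUpns = @('breakglass1@example.onmicrosoft.com',
                    'breakglass2@example.onmicrosoft.com')
$LookbackDays = 7   # assumed review window

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'AuditLog.Read.All'

$policies = Get-MgIdentityConditionalAccessPolicy

foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop

    # 1. Exemption check: every policy should list this user under ExcludeUsers,
    #    otherwise an MFA provider outage or a bad policy change could lock out the
    #    account exactly when it is needed. Group-based exclusions are not resolved here.
    $notExcluded = $policies | Where-Object {
        $_.Conditions.Users.ExcludeUsers -notcontains $user.Id
    }
    if ($notExcluded) {
        Write-Warning "$upn is NOT excluded from: $($notExcluded.DisplayName -join ', ')"
    } else {
        Write-Host "$upn is excluded from all $($policies.Count) Conditional Access policies"
    }

    # 2. Monitoring check: sign-ins by a break-glass account should be rare and each
    #    one should match a documented emergency or a scheduled continuity test.
    $since   = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('o')
    $signIns = Get-MgAuditLogSignIn -All `
        -Filter "userId eq '$($user.Id)' and createdDateTime ge $since"
    if ($signIns) {
        Write-Warning "$upn had $($signIns.Count) sign-in(s) in the last $LookbackDays days:"
        $signIns |
            Select-Object CreatedDateTime, IpAddress, AppDisplayName,
                @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' }
                                       else { "Failure ($($_.Status.ErrorCode))" } } } |
            Format-Table -AutoSize
    } else {
        Write-Host "${upn}: no sign-ins in the last $LookbackDays days"
    }
}
```

Run it on a schedule and keep the output with the continuity test records, since it produces exactly the evidence an auditor asks for under "managing and monitoring the use of break-glass accounts".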
Evidence Checklist
- Continuity Plan (Security Section): A document detailing which security controls must remain active during a business disruption.
- Alternate Site Review: Evidence that security requirements (like physical access) were considered for backup working locations.
- Test Results: Records from continuity drills showing that security was maintained throughout the disruption period.
Practical Audit Advice
Here are some questions the auditor might ask:
- In a disaster scenario, what is the process for ensuring that security requirements are not ignored in favor of speed of recovery?
- How do you maintain the least privilege principle when staff are performing unfamiliar roles during a crisis?
- What is the process for managing and monitoring the use of break-glass or emergency administrator accounts?
- Can you provide evidence that security controls were tested as part of your most recent business continuity exercise?