organisational Preventive Protect

A.5.29 Information Security During Disruption

M365 Admin Path: SharePoint > ISMS > Business Continuity > BCP

Evidence Source: Manual

What is this control?

ISO 27001 control A.5.29 Information Security During Disruption protects information and maintains service availability during disruptive events, including physical site disruptions and technical disruptions. The Business Continuity Plan is integrated into the organisation’s cloud-native architecture, with a work-from-anywhere strategy built on Microsoft 365 and Entra ID. Security controls are location-agnostic, enforced through Conditional Access, Intune device compliance, and Entra Global Secure Access.

How to implement in Microsoft 365

Implement A.5.29 by documenting a Business Continuity Plan in SharePoint that defines the work-from-anywhere strategy for office disruptions, the responsibilities and escalation paths during a disruption, and the recovery procedures for various scenarios. Configure Microsoft Entra Conditional Access policies requiring MFA and risk checks for all locations. Deploy Microsoft Intune device compliance policies enforcing encryption and antivirus on all endpoints.

Configure Entra Global Secure Access for secure remote network access independent of location. Establish AvePoint Cloud Backup for Microsoft 365 data with multiple-times-daily backup frequency. Schedule annual BCP tests, including an office-unavailability tabletop exercise and a test restore from backups.

What an auditor looks for

Auditors will verify that a formal, approved BCP document is stored in SharePoint and contains the work-from-anywhere strategy. They will check the Conditional Access policy configuration in Entra ID to confirm that MFA is required for all locations. Auditors will review Intune compliance policies showing encryption and AV requirements for all devices.

They will verify the Entra Global Secure Access configuration for remote network access. Auditors will check the AvePoint backup configuration showing multiple-times-daily backup frequency. They will verify a BCP Test Report dated within 12 months that documents both the tabletop exercise and the restore test.
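The "MFA is required for all locations" check above can be run against exported policies before the audit. The script below is an added example, not part of the original guidance: it assumes the policies were exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects, and the policy names and sample data are constructed.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies). Policy names are invented.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "CA01-MFA-everywhere", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}, "locations": null},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "CA02-MFA-outside-office", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "locations": {"includeLocations": ["All"],
                               "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "CA03-MFA-or-compliant", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}, "locations": null},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}
]""")


def mfa_gaps(policy):
    """Return the reasons a policy does not prove 'MFA required for all locations'."""
    gaps = []
    if policy.get("state") != "enabled":  # report-only and disabled policies enforce nothing
        gaps.append(f"not enforced (state={policy.get('state')})")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    others = [c for c in controls if c != "mfa"]
    if "mfa" not in controls:
        # Policies that use authenticationStrength instead need manual review.
        gaps.append("no 'mfa' built-in grant control")
    elif grant.get("operator") == "OR" and others:
        gaps.append("MFA is optional (OR with " + ", ".join(others) + ")")
    cond = policy.get("conditions") or {}
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        gaps.append("does not include all users")
    loc = cond.get("locations")  # null or absent means no location condition
    if loc:
        if "All" not in (loc.get("includeLocations") or []):
            gaps.append("scoped to named locations only")
        if loc.get("excludeLocations"):  # e.g. a trusted-office carve-out
            gaps.append("excludes locations: " + ", ".join(loc["excludeLocations"]))
    return gaps


def audit(policies):
    """Map each policy name to its gaps; an empty list is usable audit evidence."""
    return {p["displayName"]: mfa_gaps(p) for p in policies}


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

A policy that excludes trusted locations is the common reason the location-agnostic claim in the BCP fails, because MFA then depends on the office network being available.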