Backups aligned with business continuity needs
Ensure backups match business needs and help restore data after incidents.
Plain language
This control is about making sure your business has backups that align with your company's needs and can be used to restore everything if something goes wrong, like a cyberattack or a system crash. It's crucial because without proper backups, you could lose important data and have a hard time recovering your operations.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Regular backups
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.
Why it matters
Without reliable backups, data loss could halt operations, causing financial losses and damaging reputation if recovery after incidents is delayed.
Operational notes
Regularly verify backup integrity and test restores against business continuity targets so critical data, applications and settings can be recovered within required timeframes.
Implementation tips
- IT team should identify critical data, applications, and settings that need regular backups. They can do this by reviewing the business continuity plan and prioritising items based on their importance to operations.
- System administrators should schedule regular backups according to the priorities set. They can use backup software to automate the process and ensure it aligns with the business's operational timelines.
- Security officers should ensure that backups are stored securely. This involves encrypting the backup files and storing them in a secure location, like a cloud service with robust security measures.
- IT team should conduct routine tests of the backup restoration process. They should perform these tests at least annually as part of disaster recovery exercises to make sure data can be restored quickly and effectively.
- Network administrators should restrict backup access. They need to set permissions so that only authorised personnel can view and manage backups, preventing unauthorised users from altering them.
Audit / evidence tips
- AskHow often are backups conducted and retained? GoodThere is a clear schedule that aligns with the organisation's critical needs, and it is documented
- AskHow is backup restoration tested? GoodRegular restoration tests are conducted, with post-exercise reports available showing successful recovery
- AskWhat measures protect backups from unauthorised access? GoodBackup access is limited to authorised personnel only, with detailed access logs to confirm this
Cross-framework mappings
How E8-RB-ML1.1 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.13 | Annex A 8.13 requires maintenance and regular testing of backups under a policy | |
| link Related (1) expand_less | ||
| Annex A 5.30 | Annex A 5.30 requires ICT readiness to be planned, implemented, maintained and tested based on business continuity objectives and ICT con... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-1555 | ISM-1555 requires personnel to prepare mobile devices for overseas travel by recording device details, updating software, removing non-es... | |
| handshake Supports (4) expand_less | ||
| ISM-0734 | ISM-0734 involves the CISO contributing to BC/DR plans so critical services are supported during disasters | |
| ISM-1515 | ISM-1515 requires organisations to test restoring from backups to a common point in time as part of disaster recovery exercises | |
| ISM-1547 | E8-RB-ML1.1 dictates backups aligned with continuity needs | |
| ISM-1548 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures | |
| link Related (2) expand_less | ||
| ISM-1511 | E8-RB-ML1.1 necessitates backups to align with business criticality and continuity needs | |
| ISM-1811 | E8-RB-ML1.1 covers backups performed and retained according to business continuity needs | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.