Backups retained securely and resiliently
Ensure backups are kept securely and can withstand failures.
Plain language
This control ensures that backups of your important data, applications, and settings are kept safe and can be easily recovered if something goes wrong. It's vital because if you lose your data due to a system failure or a cyber attack, secure backups are the only way to get your business back on track without incurring significant losses.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Regular backups
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Backups of data, applications and settings are retained in a secure and resilient manner.
Why it matters
Without secure, resilient backups, cyber incidents can cause permanent data loss, prolonged downtime and significant financial harm.
Operational notes
Regularly verify backup integrity and test restores; keep backups protected from deletion/encryption (e.g., offline/immutable copies) to ensure reliable recovery.
Implementation tips
- IT team: Identify which data, applications, and settings are critical to the business. Do this by consulting with different departments to understand their needs and dependencies.
- System administrator: Set up regular backup schedules for these critical elements. Use a reliable backup tool or service that supports encryption to keep the data secure.
- Security officer: Ensure that backup data is encrypted both during transfer and when stored. This can be done by using backup software with built-in encryption options.
- IT team: Routinely test the backup restoration process to ensure data can be recovered. This involves performing a trial run of restoring a backup to make sure it works as expected.
- System administrator: Protect backup access by ensuring only authorised personnel can modify or delete them. Set user permissions in your backup system to restrict access.
Audit / evidence tips
- AskHow often are backups performed and what is backed up?
- GoodA detailed schedule showing frequent backups of all critical data, applications, and settings
- AskAre backups encrypted to ensure their security?
- GoodBackup logs show data is encrypted during transfer and while stored
- AskHow do you test that backup restorations work?
- GoodReports from routine tests showing successful recovery of data to its original state
Cross-framework mappings
How E8-RB-ML1.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.13 | E8-RB-ML1.3 requires backups of data, applications and settings to be retained securely and in a resilient manner | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (3) expand_less | ||
| ISM-1511 | ISM-1511 requires backups of data, applications and settings to be performed and retained in accordance with business criticality and bus... | |
| ISM-1547 | ISM-1547 requires organisations to develop, implement and maintain data backup processes and procedures | |
| ISM-1810 | ISM-1810 requires synchronised backups to enable restoration to a common point in time across data, applications and settings | |
| handshake Supports (2) expand_less | ||
| ISM-1548 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures | |
| ISM-1769 | ISM-1769 requires the use of AES with strong key lengths, preferably AES-256, when AES is used for encryption | |
| extension Depends on (1) expand_less | ||
| ISM-1515 | ISM-1515 requires regular testing of restoring from backups to a common point in time as part of disaster recovery exercises | |
| link Related (2) expand_less | ||
| ISM-1811 | ISM-1811 requires backups of data, applications and settings to be retained in a secure and resilient manner | |
| ISM-1928 | E8-RB-ML1.3 requires backups of data, applications and settings to be retained securely and in a resilient manner | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.