Backups retained securely and resiliently
Ensure backups are kept securely and can withstand failures.
- 🏛️ Framework: ASD Essential Eight
- 🧭 Control effect: Responsive
- 🛠️ E8 mitigation strategy: Regular backups
- 🔐 Classifications: N/A
- 🗓️ Official last update: N/A
- ✏️ Control Stack last updated: 22 Feb 2026
- 🎯 E8 maturity levels: ML1
Backups of data, applications and settings are retained in a secure and resilient manner.
Source: ASD Essential Eight
Plain language
This control ensures that backups of your important data, applications, and settings are kept safe and can be easily recovered if something goes wrong. It's vital because if you lose your data due to a system failure or a cyber attack, secure backups are the only way to get your business back on track without incurring significant losses.
Why it matters
Without secure, resilient backups, cyber incidents can cause permanent data loss, prolonged downtime and significant financial harm.
Operational notes
Regularly verify backup integrity and test restores; keep backups protected from deletion/encryption (e.g., offline/immutable copies) to ensure reliable recovery.
Implementation tips
- IT team: Identify which data, applications, and settings are critical to the business. Do this by consulting with different departments to understand their needs and dependencies.
- System administrator: Set up regular backup schedules for these critical elements. Use a reliable backup tool or service that supports encryption to keep the data secure.
- Security officer: Ensure that backup data is encrypted both during transfer and when stored. This can be done by using backup software with built-in encryption options.
- IT team: Routinely test the backup restoration process to ensure data can be recovered. This involves performing a trial run of restoring a backup to make sure it works as expected.
- System administrator: Protect backup access by ensuring only authorised personnel can modify or delete them. Set user permissions in your backup system to restrict access.
Audit / evidence tips
- Ask: How often are backups performed and what is backed up?
- Good: A detailed schedule showing frequent backups of all critical data, applications, and settings
- Ask: Are backups encrypted to ensure their security?
- Good: Backup logs show data is encrypted during transfer and while stored
- Ask: How do you test that backup restorations work?
- Good: Reports from routine tests showing successful recovery of data to its original state
Cross-framework mappings
How E8-RB-ML1.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.13 | E8-RB-ML1.3 requires backups of data, applications and settings to be retained securely and in a resilient manner |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1511 | ISM-1511 requires backups of data, applications and settings to be performed and retained in accordance with business criticality and bus... |
| Partially overlaps | ISM-1547 | ISM-1547 requires organisations to develop, implement and maintain data backup processes and procedures |
| Partially overlaps | ISM-1810 | ISM-1810 requires synchronised backups to enable restoration to a common point in time across data, applications and settings |
| Supports | ISM-1548 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures |
| Supports | ISM-1769 | ISM-1769 requires the use of AES with strong key lengths, preferably AES-256, when AES is used for encryption |
| Depends on | ISM-1515 | ISM-1515 requires regular testing of restoring from backups to a common point in time as part of disaster recovery exercises |
| Related | ISM-1811 | ISM-1811 requires backups of data, applications and settings to be retained in a secure and resilient manner |
| Related | ISM-1928 | E8-RB-ML1.3 requires backups of data, applications and settings to be retained securely and in a resilient manner |