Test backup restoration to a common point during disaster recovery
Ensure data and apps can be restored to a common point using backups in disaster scenarios.
Plain language
Imagine your computer system crashes, or a cyber attack hits, and you need to restore everything back to normal quickly. This control is about testing that you can actually bring back all your important data and applications from backups to the same point in time. If you don't do this, you could end up with bits and pieces missing, causing lots of headaches and maybe even loss of business.
Framework
ASD Essential Eight
Control effect
Responsive
E8 mitigation strategy
Regular backups
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.
Why it matters
Without testing restore capability, data loss and application inconsistency during a disaster could disrupt operations, leading to financial and reputational damage.
Operational notes
Incorporate backup restores into routine DR exercises to confirm timely, coordinated recovery to the same point in time, avoiding data mismatch issues.
Implementation tips
- The IT manager should schedule regular disaster recovery exercises to test backup restoration. Use these exercises to simulate real-world scenarios where all data and applications need to be restored to test the effectiveness of current backup processes.
- System administrators should ensure that backups are being made in a synchronised manner. This means checking that the data and related applications are being backed up together so that, if needed, everything can be restored to the same point in time.
- The security officer should review and implement secure storage solutions for backups. This involves encrypting backup data and storing them in locations that are secure against physical and cyber threats.
- IT staff should maintain clear records and documentation of backup processes. This includes step-by-step guides and a clear schedule for when backups are taken and tested.
- The business continuity manager should include backup testing results in their regular reports to management. This helps to communicate any gaps and ensures continual improvement of backup and recovery processes.
Audit / evidence tips
-
AskWhen was the last disaster recovery exercise conducted for backup restoration?
-
GoodA report showing a recent disaster recovery test that includes the dates, scenario tested, and results documented, including any issues encountered and resolved
-
AskHow do you ensure backups are synchronised for a common point in time restoration?
-
GoodDocumented procedures that show how and when data and applications are backed up together, ensuring they can be restored simultaneously
-
AskAre backups stored securely and in a way that supports quick recovery?
-
GoodEvidence of encryption standards being applied and documentation of secure storage locations, such as a trusted cloud provider or an off-site facility
Cross-framework mappings
How E8-RB-ML1.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 5.30 | E8-RB-ML1.4 involves testing restoration from backups to a common point in time during disaster recovery exercises | |
| Annex A 8.13 | E8-RB-ML1.4 mandates testing restoration from backups to a common point in time as part of disaster recovery exercises | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-1555 | ISM-1555 requires creating a backup of mobile device data/applications/settings prior to overseas travel to reduce impact if the device i... | |
| handshake Supports (1) expand_less | ||
| ISM-0917 | E8-RB-ML1.4 requires organisations to test restoring data, applications, and settings from backups during disaster recovery exercises | |
| extension Depends on (5) expand_less | ||
| ISM-1511 | E8-RB-ML1.4 requires organisations to test restoring data, applications, and settings from backups to a common point in time during disas... | |
| ISM-1547 | E8-RB-ML1.4 requires testing of restoring data, applications, and settings from backups to a common point in time as part of disaster rec... | |
| ISM-1548 | E8-RB-ML1.4 requires organisations to test restoring data, applications, and settings from backups to a common point in time during disas... | |
| ISM-1810 | E8-RB-ML1.4 requires organisations to test restoring data, applications, and settings from backups to a common point in time during disas... | |
| ISM-1811 | E8-RB-ML1.4 requires organisations to test restoration from backups to a common point in time during disaster recovery exercises | |
| link Related (1) expand_less | ||
| ISM-1515 | E8-RB-ML1.4 requires organisations to test restoration of data, applications, and settings from backups to a common point in time as part... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.