Unprivileged accounts cannot access others' backups
Ensure that unprivileged accounts can't access other users' backups.
Plain language
This control is about making sure that people who don't have special permissions can't see or access other people’s backup files. Imagine if someone in your office could look at your personal emails or documents just because they have access to the backup system—that's a huge privacy risk. By enforcing this control, you prevent unauthorised access and potential data leaks.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Regular backups
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Unprivileged accounts cannot access backups belonging to other accounts.
Why it matters
If unprivileged users can access other users' backups, sensitive data can be exposed, causing privacy breaches and unauthorised disclosure.
Operational notes
Review backup ACLs regularly and confirm only owners/admins can read others' backup sets; investigate any cross-user access events in logs.
Implementation tips
- IT team: Set restrictive permissions on backup storage locations so only authorised users can view or access these backups.
- System administrator: Use user account management tools to ensure unprivileged accounts are not in groups with access to others' backups.
- Security officer: Conduct regular access reviews for backup files to ensure compliance with the access policy, adjusting permissions as necessary.
- System administrator: Audit backup configurations to confirm access controls remain effective, and correct any changes that weaken them.
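One way to run the permission review described in the operational notes and tips above, as an added example that is not part of the original control page or any official tooling. It assumes a hypothetical layout of one directory per account under a backup root, a caller-supplied account-to-uid map, and POSIX mode bits only (POSIX or NTFS ACL entries need a separate check).

```python
import os
import stat
import tempfile

# Assumed layout (not from the page): <backup_root>/<account>/ holds that
# account's backup sets; expected_uid maps account name -> owning uid.
ADMIN_UIDS = {0}  # assumption: only root acts as backup administrator


def audit_backup_root(backup_root, expected_uid, admin_uids=ADMIN_UIDS):
    """Return (path, reason) findings where another account could reach a backup set."""
    findings = []
    for account in sorted(os.listdir(backup_root)):
        top = os.path.join(backup_root, account)
        st = os.lstat(top)  # lstat: do not follow a symlink planted in the root
        if not stat.S_ISDIR(st.st_mode):
            findings.append((top, "not a directory (symlink or stray file)"))
            continue
        if account not in expected_uid:
            findings.append((top, "no known owning account"))
            continue
        allowed = {expected_uid[account]} | set(admin_uids)
        if st.st_uid not in allowed:
            findings.append((top, f"owned by uid {st.st_uid}"))
        # Group bits are flagged as well as other bits: group membership is a
        # common way an unprivileged account gains cross-user access.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((top, f"mode {mode:04o} grants group/other access"))
    return findings


def demo():
    """Audit a constructed tree: one tight, one loose, one orphaned directory."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("alice", 0o700), ("bob", 0o750), ("carol", 0o700)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod so the umask does not matter
        found = audit_backup_root(root, {"alice": me, "bob": me})
        return [(os.path.basename(p), reason) for p, reason in found]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Any finding is a prompt to tighten the directory or to confirm that the group in question contains only backup administrators.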
Audit / evidence tips
- Ask: How do you control access to backup files?
- Good: There is a documented access control policy specifying who can access backup files, with permissions set to deny access to unauthorised users.
- Ask: How often do you review user access to backups?
- Good: Access reviews are performed quarterly, and logs show corrections made to any improper access.
- Ask: What measures are in place to prevent unauthorised access to backups?
- Good: Audit logs show no unauthorised access attempts, and system configurations are set to deny access to unprivileged accounts.
Cross-framework mappings
How E8-RB-ML1.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.18 | E8-RB-ML1.5 requires that unprivileged accounts cannot access backups belonging to other accounts |
| Related | Annex A 5.15 | Annex A 5.15 requires establishing and implementing rules to control access to information and associated assets |
| Related | Annex A 8.3 | Annex A 8.3 requires access to information and associated assets to be restricted in accordance with an access control policy |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-1852 | E8-RB-ML1.5 requires that unprivileged accounts cannot access backups belonging to other accounts |
| Partially overlaps | ISM-1813 | ISM-1813 requires that unprivileged user accounts cannot access their own backup data |
| Related | ISM-1812 | ISM-1812 requires that unprivileged user accounts cannot access backups belonging to other user accounts |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.