Prevent unprivileged accounts from modifying and deleting backups
Ensure non-admin users cannot change or remove backup files.
Plain language
This control is about making sure that regular staff members can't change or delete important backup files. Just think about how bad it would be if a virus or a mistake wiped out all your company's critical data. These backups are your safety net, and you want only trusted staff to have the power to alter them.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Regular backups
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Unprivileged accounts are prevented from modifying and deleting backups.
Why it matters
Without this control, insiders or malware could modify or delete backups, preventing recovery after ransomware or outages and causing major data loss.
Operational notes
Restrict modify and delete rights on backups to dedicated backup administrator accounts; require those administrators to use separate accounts protected by MFA, and audit the permissions regularly. Where the backup platform supports it, store backups on immutable (write-once / object-lock) storage so that even a compromised administrator account cannot erase them.
Implementation tips
- IT team: Review user permissions on the backup system to ensure that only administrators can modify or delete backup files. Use permission settings in the backup software to enforce this.
- System administrator: Set up alerts that fire when backup files are modified or deleted, and when a modification or deletion attempt is denied. Use the logging features of the backup management tool to monitor this access.
- Security officer: Regularly audit user accounts and their permissions to ensure compliance with backup access policies. Conduct this review quarterly.
- IT team: Encrypt backup files so that a copy obtained by an unauthorised user cannot be read. Encryption alone does not stop a backup from being altered or deleted, so pair it with integrity checks (hashes verified before restore) and, where available, immutable storage. Configure both through the backup system settings.
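The permission review in the tips above, as an added example that is not part of the original page: a POSIX shell script that scans a filesystem-based backup store for paths an unprivileged account could modify or delete, and a second function that remediates what it finds. It assumes (hypothetically) that backups live under a directory passed as the first argument and that only one group of backup administrators, passed as the second argument, may have write access; the path `/srv/backups` and group `backupadm` in the usage line are placeholders. Backup products and cloud object stores have their own permission models, so this covers only the filesystem layer.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumptions (hypothetical):
# a filesystem-based backup store on a POSIX host, where write access is
# allowed only to the backup administrator group named on the command line.

# audit_backup_perms DIR ADMIN_GROUP
# Prints every path under DIR that an unprivileged account could modify or
# delete, and returns 1 if any were found, 0 if the tree is clean.
# Directories are checked as well as files: deleting a backup file only
# needs write access to its parent directory, not to the file itself.
audit_backup_perms() {
    dir=$1
    admin_group=$2

    # Symlinks are skipped (their mode is always 777 and find does not
    # follow them), so only real files and directories are reported.
    world_w=$(find "$dir" ! -type l -perm -0002 -print)
    other_grp_w=$(find "$dir" ! -type l -perm -0020 ! -group "$admin_group" -print)

    findings=0
    if [ -n "$world_w" ]; then
        printf 'WORLD-WRITABLE (any local account can modify/delete):\n%s\n' "$world_w"
        findings=1
    fi
    if [ -n "$other_grp_w" ]; then
        printf 'GROUP-WRITABLE by a group other than %s:\n%s\n' "$admin_group" "$other_grp_w"
        findings=1
    fi
    return "$findings"
}

# harden_backup_perms DIR ADMIN_GROUP
# Remediates both findings: strips the world-write bit everywhere, then
# re-assigns group ownership to the backup admin group so that any
# remaining group-write bit only benefits that group.
harden_backup_perms() {
    dir=$1
    admin_group=$2
    find "$dir" ! -type l -perm -0002 -exec chmod o-w {} +
    find "$dir" ! -type l ! -group "$admin_group" -exec chgrp "$admin_group" {} +
}

# Usage (placeholder path and group): ./backup_perms.sh /srv/backups backupadm
# Exit status 1 means at least one finding, which suits a scheduled check.
if [ "$#" -eq 2 ]; then
    audit_backup_perms "$1" "$2"
fi
```

Run the audit from a scheduled job and alert on a non-zero exit; run the hardening step only after reviewing the listed paths, since `chgrp` changes ownership across the whole tree. A root account or a compromised backup administrator is not constrained by these bits, which is why the operational notes pair this check with immutable storage.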
Audit / evidence tips
- Ask: What measures are in place to prevent non-admin users from modifying backups?
- Good: Permission reports show that only admin accounts have write permissions on backups, and logs are routinely checked for unauthorised access attempts.
- Ask: How often are user permissions reviewed?
- Good: Permissions for backup access are reviewed every three months, with documented outcomes.
Cross-framework mappings
How E8-RB-ML1.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.33 | Supports | Annex A 5.33 requires records to be protected against loss, destruction, falsification, unauthorised access and unauthorised release |
| Annex A 8.13 | Supports | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups |
| Annex A 5.15 | Related | Annex A 5.15 requires access control policies and procedures that govern who can access and change information and systems |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1811 | Partially meets | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups |
| ISM-1707 | Partially overlaps | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups |
| ISM-1708 | Partially overlaps | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups |
| ISM-1928 | Partially overlaps | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups |
| ISM-1814 | Related | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.