Prevent unprivileged accounts from modifying and deleting backups
Ensure non-admin users cannot change or remove backup files.
🏛️ Framework: ASD Essential Eight
🧭 Control effect: Preventative
🛠️ E8 mitigation strategy: Regular backups
🔐 Classifications: N/A
🗓️ Official last update: N/A
✏️ Control Stack last updated: 19 Mar 2026
🎯 E8 maturity levels: ML1
Unprivileged accounts are prevented from modifying and deleting backups.
Source: ASD Essential Eight
Plain language
This control is about making sure that regular staff members can't change or delete important backup files. Just think about how bad it would be if a virus or a mistake wiped out all your company's critical data. These backups are your safety net, and you want only trusted staff to have the power to alter them.
Why it matters
Without this control, insiders or malware could modify or delete backups, preventing recovery after ransomware or outages and causing major data loss.
Operational notes
Restrict backup delete/modify rights to backup admins only; enforce separate accounts/MFA and regularly audit permissions to keep backups immutable.
Implementation tips
- IT team: Review user permissions on the backup system to ensure that only administrators can modify or delete backup files. Use permission settings in the backup software to enforce this.
- System administrator: Set up alerts for access to backup files and for attempted modifications. Use the logging features available in the backup management tool to monitor access.
- Security officer: Regularly audit user accounts and their permissions to ensure compliance with backup access policies. Conduct this review quarterly.
- IT team: Use encryption for backup files so that even if accessed, they cannot be easily modified or corrupted. Set up encryption through the backup system settings.
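The permission review in the first tip can be scripted. The following is an added example, not code from Control Stack or the ASD: it assumes a backup store on a POSIX filesystem and that backup admins are identified by a set of numeric uids (both assumptions, not something the control specifies). It walks the tree and flags every file or directory that an unprivileged account could modify or delete: files writable by group/others, directories writable by group/others (which allow deleting or renaming the archives inside even when the archives themselves are read-only), and anything owned by a uid outside the approved set. `demo()` builds a small constructed sample store, one correct archive and two misconfigurations, and returns the findings.

```python
"""Audit a backup tree for entries that unprivileged accounts could modify or delete.

Added example (hypothetical). Assumes a POSIX backup store and that approved
backup admins are identified by a set of uids passed to audit_backup_tree().
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Mode bits that let accounts other than the owner write (create, modify, delete).
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_backup_tree(root, allowed_uids):
    """Return a sorted list of (path, reason) findings for the tree under ``root``.

    A finding means an account other than an approved backup admin could change
    or remove backup data:
      * a directory writable by group/others lets any such account delete or
        rename the entries inside it, regardless of the files' own modes;
      * a file writable by group/others can be overwritten in place;
      * anything owned by a uid outside ``allowed_uids`` is controlled by an
        account that should not hold backup rights at all.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [Path(dirpath)] + [Path(dirpath) / name for name in filenames]
        for entry in entries:
            st = entry.lstat()
            if stat.S_ISLNK(st.st_mode):
                # Symlink mode bits are not meaningful; the target is audited where it lives.
                continue
            kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
            mode = stat.S_IMODE(st.st_mode)
            if mode & GROUP_OR_OTHER_WRITE:
                findings.append((str(entry), f"{kind} writable by group/others (mode {mode:04o})"))
            if st.st_uid not in allowed_uids:
                findings.append((str(entry), f"{kind} owned by uid {st.st_uid}, not an approved backup admin"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample backup store in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="backup-audit-demo-"))
    os.chmod(root, 0o750)

    # Correctly protected: directory and archive writable by the owner only.
    daily = root / "daily"
    daily.mkdir()
    os.chmod(daily, 0o750)
    (daily / "db-2026-03-19.tar.gz").write_bytes(b"constructed sample backup data")
    os.chmod(daily / "db-2026-03-19.tar.gz", 0o640)

    # Misconfiguration 1: an archive anyone on the host can overwrite.
    loose_file = root / "files-2026-03-19.tar.gz"
    loose_file.write_bytes(b"constructed sample backup data")
    os.chmod(loose_file, 0o666)

    # Misconfiguration 2: a world-writable directory. Its archive is read-only,
    # but any account can still delete or rename it because the directory allows it.
    weekly = root / "weekly"
    weekly.mkdir()
    os.chmod(weekly, 0o777)
    (weekly / "full-2026-03-15.tar.gz").write_bytes(b"constructed sample backup data")
    os.chmod(weekly / "full-2026-03-15.tar.gz", 0o640)
    return root


def demo():
    """Build the sample store, audit it with the current user as the only admin, clean up."""
    root = build_sample_tree()
    try:
        return audit_backup_tree(root, allowed_uids={os.getuid()})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run against a real store, `audit_backup_tree("/srv/backups", {uid_of_backup_svc, 0})` (paths and uids are placeholders) gives the evidence the audit question asks for: an empty list shows that only approved accounts hold write rights, and any finding is a concrete permission to fix before the next quarterly review.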
Audit / evidence tips
- Ask: What measures are in place to prevent non-admin users from modifying backups?
- Good: Logs show that only admin accounts have write permissions on backups, and logs are routinely checked for unauthorised access attempts.
- Ask: How often are user permissions reviewed?
- Good: Permissions for backup access are reviewed every three months, with documented outcomes.
Cross-framework mappings
How E8-RB-ML1.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (2) | ||
| Annex A 5.33 | Annex A 5.33 requires records to be protected against loss, destruction, falsification, unauthorised access and unauthorised release | |
| Annex A 8.13 | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups | |
| Related (1) | ||
| Annex A 5.15 | Annex A 5.15 requires access control policies and procedures that govern who can access and change information and systems | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| ISM-1811 | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups | |
| Partially overlaps (3) | ||
| ISM-1707 | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups | |
| ISM-1708 | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups | |
| ISM-1928 | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups | |
| Related (1) | ||
| ISM-1814 | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups | |