Unprivileged accounts cannot access their own backups
Ensure basic user accounts are unable to access or manage their backup data.
Plain language
This control ensures that basic, everyday user accounts in an organisation cannot read, change or delete their own backup data. It matters because malware running under a compromised user account inherits whatever that account can reach: if a user can get at their own backups, so can ransomware that has taken over their session, and the copies needed for recovery can be encrypted, corrupted or deleted along with the live data. Keeping backups out of reach of every unprivileged account, including the account the backup belongs to, means restores are performed by backup administrators from copies the attacker could not touch.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Regular backups
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Unprivileged accounts cannot access their own backups.
Why it matters
If an unprivileged account can reach its own backups, anything that compromises that account (phishing, malware, ransomware) can delete, encrypt or alter the very copies needed for recovery, increasing recovery time and business disruption during an attack.
Operational notes
Regularly review access controls and audit logs to ensure unprivileged accounts remain isolated from their backups, preventing misuse or tampering.
Implementation tips
- The system administrator should restrict backup access by configuring permissions on the backup repository so that unprivileged user accounts cannot browse, restore from, modify or delete their own backup files; restores for those users are carried out by backup administrators.
- IT team should regularly review and update user account permissions to ensure they do not have access to their backup data, using a simple checklist or audit tool.
- Security officer should implement and enforce a role-based access control policy that separates backup management privileges from basic user accounts.
- IT manager should provide training to employees about the importance of backup security and the possible risks associated with unauthorised access.
- The backup administrator should set up alerts or monitoring to detect any attempt by an unprivileged account to access backups, using the alerting available within the backup solution, and make sure denied attempts are logged as well as successful ones, since a burst of denied reads or deletes against backups is an early sign of compromise.
- Compliance officer should ensure documentation exists that outlines the organisation’s backup security policies and procedures, making it clear who has access to what.
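The permission review in the first two tips and the monitoring in the fifth are the parts of this list that can be mechanised. The following is an added example, not code from the original page or from Control Stack, that checks an exported list of backup-repository ACL entries for any rights held by unprivileged accounts (including on their own backups) and raises alerts from backup audit events, denied attempts included. The repository layout /backups/users/<account>/..., the group names BackupOperators and BackupAdmins, the AclEntry shape and the key=value audit-log line format are all assumptions made for illustration; the two parsers would be adapted to whatever the backup platform actually exports.

```python
"""Audit helper for E8-RB-ML3.1 (added example, not Control Stack code).
The repository layout /backups/users/<account>/..., the group names, the ACL
entry shape and the audit-log line format are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: only members of these groups may hold rights on backup objects.
PRIVILEGED_GROUPS = {"BackupOperators", "BackupAdmins"}
# Assumption: per-account backups live under /backups/users/<account>/...
OWNER_RE = re.compile(r"^/backups/users/([^/]+)/")


@dataclass(frozen=True)
class AclEntry:
    path: str       # backup object the entry applies to
    principal: str  # account or group name
    kind: str       # "user" or "group"
    rights: str     # e.g. "r", "rw", "full"; "" means no rights granted


def backup_owner(path: str) -> Optional[str]:
    """Account whose backup this path belongs to, or None for shared paths."""
    m = OWNER_RE.match(path)
    return m.group(1) if m else None


def audit_acl(entries):
    """Return (category, message) findings for entries that violate the control.

    Rights on a backup object are acceptable only via a privileged group. A direct
    grant to the account that owns the backup is the case ML3 adds on top of the
    lower maturity levels, which already cover other accounts' backups and any
    modify/delete rights for unprivileged accounts.
    """
    findings = []
    for e in entries:
        if not e.rights:
            continue
        if e.kind == "group":
            if e.principal not in PRIVILEGED_GROUPS:
                findings.append(("broad-group", f"group {e.principal!r} holds {e.rights!r} on {e.path}"))
        elif e.principal == backup_owner(e.path):
            findings.append(("own-backup", f"account {e.principal!r} holds {e.rights!r} on its own backup {e.path}"))
        else:
            findings.append(("other-backup", f"account {e.principal!r} holds {e.rights!r} on {e.path}"))
    return findings


# Assumption: the backup platform writes one audit event per line in this
# constructed key=value layout.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) result=(?P<result>ALLOWED|DENIED)$"
)


def detect_unprivileged_backup_access(log_lines, privileged_users):
    """Alert on every event under /backups/ by an account outside privileged_users.

    DENIED events are reported too: repeated denied reads or deletes from a user
    account against its own backups are what ransomware running as that user
    looks like, and the monitoring tip is about attempts, not only successes.
    """
    alerts = []
    for line in log_lines:
        m = EVENT_RE.match(line.strip())
        if not m or not m.group("path").startswith("/backups/"):
            continue
        ev = m.groupdict()
        if ev["user"] in privileged_users:
            continue
        ev["own_backup"] = backup_owner(ev["path"]) == ev["user"]
        alerts.append(ev)
    return alerts


# Constructed sample data: one ML3 finding (alice on her own backup), one
# lower-level finding (alice on bob's), one broad group grant, and an audit
# log in which alice probes her own backups and bob reads alice's.
SAMPLE_ACL = [
    AclEntry("/backups/users/alice/2026-03-18.tar", "BackupOperators", "group", "full"),
    AclEntry("/backups/users/alice/2026-03-18.tar", "alice", "user", "r"),
    AclEntry("/backups/users/bob/2026-03-18.tar", "alice", "user", "rw"),
    AclEntry("/backups/users/bob/2026-03-18.tar", "Domain Users", "group", "r"),
    AclEntry("/backups/users/carol/2026-03-18.tar", "BackupAdmins", "group", "full"),
]
SAMPLE_LOG = """\
2026-03-19T10:02:11Z user=alice action=READ path=/backups/users/alice/2026-03-18.tar result=DENIED
2026-03-19T10:02:12Z user=alice action=DELETE path=/backups/users/alice/2026-03-18.tar result=DENIED
2026-03-19T10:05:40Z user=svc-backup action=WRITE path=/backups/users/bob/2026-03-19.tar result=ALLOWED
2026-03-19T10:06:03Z user=bob action=READ path=/home/bob/notes.txt result=ALLOWED
2026-03-19T10:07:55Z user=bob action=READ path=/backups/users/alice/2026-03-18.tar result=ALLOWED
""".splitlines()

if __name__ == "__main__":
    for category, msg in audit_acl(SAMPLE_ACL):
        print(f"[{category}] {msg}")
    for a in detect_unprivileged_backup_access(SAMPLE_LOG, {"svc-backup"}):
        own = " (own backup)" if a["own_backup"] else ""
        print(f"ALERT {a['ts']} {a['user']} {a['action']} {a['path']} {a['result']}{own}")
```

Run with no arguments to print the findings and alerts for the constructed sample; in practice the ACL export and the log stream come from the backup platform, and any own-backup finding is a direct failure of this control. Rights held through the privileged groups are deliberately not flagged, so the membership of those groups has to be reviewed separately as part of the same checklist.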
Audit / evidence tips
- Ask: Does the organisation have policies that prevent unprivileged accounts from accessing their own backups?
- Good: Policies clearly prevent access, and permissions are appropriately restricted, with logs showing compliance.
- Ask: How often does the organisation review these access policies and permissions?
- Good: Regular reviews are conducted, with documented findings and actions taken, dated within the last six months.
Cross-framework mappings
How E8-RB-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Mapping strength: partially meets (2 controls)

| Control | Notes | Details |
|---|---|---|
| Annex A 5.15 | E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups | Access control |
| Annex A 8.3 | E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups | Information access restriction |
ASD ISM
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.