E8-RB-ML3.1 ASD Essential Eight

Unprivileged accounts cannot access their own backups

Ensure basic user accounts are unable to access or manage their backup data.


Plain language

This control ensures that basic, everyday user accounts in an organisation can't get into or mess with their own backup data. This is important because if an unprivileged user accidentally or purposely tampers with their backups, critical information might be lost or corrupted, especially in situations like ransomware attacks.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Regular backups

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Unprivileged accounts cannot access their own backups.

Why it matters

Uncontrolled backup access by unprivileged users can lead to loss or corruption of data, increasing recovery time and business disruption during attacks.


Operational notes

Regularly review access controls and audit logs to ensure unprivileged accounts remain isolated from their backups, preventing misuse or tampering.


Implementation tips

  • The system administrator should restrict backup access by configuring permissions so that unprivileged user accounts cannot view or manage their own backup files.
  • The IT team should regularly review and update user account permissions to confirm that users do not have access to their backup data, using a simple checklist or audit tool.
  • The security officer should implement and enforce a role-based access control policy that separates backup management privileges from basic user accounts.
  • The IT manager should provide training to employees on the importance of backup security and the risks associated with unauthorised access.
  • The backup administrator should set up alerts or monitoring to detect any attempts by unprivileged accounts to access backups, using the tools available within the backup solution.
  • The compliance officer should ensure documentation exists that outlines the organisation's backup security policies and procedures, making it clear who has access to what.
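The first two tips above (restrict filesystem permissions on backup data, then audit them on a schedule) can be checked mechanically. The script below is an added example, not Control Stack's or ASD's own tooling; it assumes a POSIX filesystem, that backups live under a single root directory, and that the only legitimate owners are backup service accounts whose uids you pass in. It walks the tree and reports every file or directory that an unprivileged user could read or change: world-accessible entries, group-writable entries, entries owned by an unapproved account, and symlinks planted inside the tree. The sample tree it audits is constructed in a temporary directory so the check runs offline.

```python
"""Audit a backup tree for permissions that would let unprivileged users reach
their own backup data. Added example: assumes a POSIX filesystem and that all
backups are stored under one root owned by a backup service account."""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str      # path relative to the backup root
    reason: str    # why this entry violates the control


def audit_backup_tree(root: str, allowed_owner_uids: set[int]) -> list[Finding]:
    """Walk `root` and flag entries an unprivileged user could read or change.

    Checks on every file and directory:
      - any permission bit for 'other' is set (world-readable/-writable/-searchable)
      - the group-write bit is set (any group member can alter the backup)
      - the owner is not one of the approved backup service accounts
    Symlinks are reported rather than followed, so a link placed inside the
    tree cannot drag unrelated paths into the audit.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)          # lstat: do not follow symlinks
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                findings.append(Finding(rel, "symlink inside backup tree"))
                continue
            if mode & 0o007:
                findings.append(Finding(rel, "accessible by everyone (other bits set)"))
            if mode & stat.S_IWGRP:
                findings.append(Finding(rel, "group-writable"))
            if st.st_uid not in allowed_owner_uids:
                findings.append(Finding(rel, f"owned by uid {st.st_uid}, not a backup service account"))
    findings.sort(key=lambda f: (f.path, f.reason))
    return findings


def build_demo_tree(root: str) -> None:
    """Populate `root` with a constructed sample: one compliant per-user backup,
    one world-readable backup, and one group-writable shared directory."""
    for user, file_mode in (("u1", 0o600), ("u2", 0o644)):
        d = os.path.join(root, user)
        os.mkdir(d)
        os.chmod(d, 0o700)               # the user's directory itself is locked down
        f = os.path.join(d, "home.tar.gz")
        with open(f, "wb") as fh:
            fh.write(b"constructed sample archive bytes")
        os.chmod(f, file_mode)           # u2's archive is world-readable: violation
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o770)              # group can write here: violation


def run_demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir, audit it, and return (path, reason)
    pairs. The current uid stands in for the backup service account."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        findings = audit_backup_tree(root, {os.getuid()})
        return [(f.path, f.reason) for f in findings]


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{path}: {reason}")
```

Run against a real backup root with the uids of the backup service accounts, a non-empty result is the evidence the audit tip asks for; an empty result, dated and filed, is the "good" evidence in the audit section below. Ownership is checked as well as mode bits because a backup file that an unprivileged user owns can be re-permissioned by that user regardless of its current mode.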

Audit / evidence tips

  • Ask: Does the organisation have policies that prevent unprivileged accounts from accessing their own backups?
  • Good: Policies clearly prevent access, and permissions are appropriately restricted, with logs showing compliance.
  • Ask: How often does the organisation review these access policies and permissions?
  • Good: Regular reviews are conducted, with documented findings and actions taken, dated within the last six months.

Cross-framework mappings

How E8-RB-ML3.1 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

Annex A 5.15: E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.
Annex A 8.3: E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.

ASD ISM

Partially meets (1)

ISM-1811: E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.

Related (1)

ISM-1813: E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
