Control Stack
E8-RB-ML3.1 ASD Essential Eight

Unprivileged accounts cannot access their own backups

Ensure basic user accounts are unable to access or manage their backup data.

🏛️ Framework

ASD Essential Eight

🧭 Control effect

Preventative

🛠️ E8 mitigation strategy

Regular backups

🔐 Classifications

N/A

🗓️ Official last update

N/A

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML3

Official control statement
Unprivileged accounts cannot access their own backups.

Source: ASD Essential Eight

Plain language

This control ensures that everyday, non-administrative user accounts cannot read, change or delete their own backup data. It matters because anything that runs with an unprivileged user's access, including ransomware that has compromised that account, inherits whatever the account can reach: if the account can reach its backups, a careless user or an attacker can corrupt or destroy the very copy that recovery depends on. At this maturity level the restriction covers reading as well as modifying and deleting, so restores of a user's data are performed by backup administrators rather than by the user.

Why it matters

If unprivileged users can reach their backups, an attacker who compromises one of those accounts can read, encrypt or delete the backup copies along with the live data, which lengthens recovery and increases business disruption during an incident such as a ransomware attack.

Operational notes

Regularly review access controls and audit logs to ensure unprivileged accounts remain isolated from their backups, preventing misuse or tampering.

Implementation tips

  • System administrator should restrict backup access at both the storage and the backup-application layer, so that backup data is owned by a dedicated backup service account, read and restore rights are limited to backup administrators, and unprivileged user accounts have no view, restore, modify or delete rights on their own backup sets.
  • IT team should regularly review and update user account permissions to ensure they do not have access to their backup data, using a simple checklist or audit tool.
  • Security officer should implement and enforce a role-based access control policy that separates backup management privileges from basic user accounts.
  • IT manager should provide training to employees about the importance of backup security and the possible risks associated with unauthorised access.
  • Backup administrator should set up alerts or monitoring to detect any attempts by unprivileged accounts to access backups, using simple tools available within the backup solution.
  • Compliance officer should ensure documentation exists that outlines the organisation’s backup security policies and procedures, making it clear who has access to what.
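The first tip above calls for permissions that keep backup data out of reach of unprivileged accounts. As an added example (not code from ASD or Control Stack), the Python script below audits a backup repository on a POSIX host and reports every file or directory that an account other than the backup service account or the backup administrators group could read, write or traverse. The ownership model it checks against, the `users/alice` layout, the file names and the use of the current user and group as the service account and admin group are all assumptions made for this example; the tree it builds is constructed sample data with one deliberate misconfiguration.

```python
"""Audit a backup repository for permissions an unprivileged account could use.

Added example for E8-RB-ML3.1; not code from ASD or Control Stack.
Assumed model: backup data is owned by a dedicated backup service account
(allowed_uids) and is readable only by a backup administrators group
(allowed_gids). Any entry that is world-accessible, group-accessible to a
non-admin group, or owned by some other user is a finding, because the user
whose data was backed up (or malware running as that user) could reach it.
Only POSIX mode bits are inspected; POSIX ACLs and backup-application
permissions need their own checks.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def check_entry(path: str, allowed_uids: set[int], allowed_gids: set[int]) -> list[Finding]:
    """Return the policy violations for a single file or directory."""
    st = os.lstat(path)  # lstat: a symlink planted in the tree is inspected, not followed
    mode = st.st_mode
    findings: list[Finding] = []
    if st.st_uid not in allowed_uids:
        findings.append(Finding(path, f"owned by uid {st.st_uid}, which is not a backup service account"))
    if mode & stat.S_IRWXO:
        findings.append(Finding(path, f"'other' bits set ({stat.filemode(mode)}): reachable by every local account"))
    if mode & stat.S_IRWXG and st.st_gid not in allowed_gids:
        findings.append(Finding(path, f"group bits set for gid {st.st_gid}, which is not a backup admin group"))
    return findings


def audit_backup_tree(root: str, allowed_uids: set[int], allowed_gids: set[int]) -> list[Finding]:
    """Walk the repository from root and collect findings for every entry."""
    findings = check_entry(root, allowed_uids, allowed_gids)
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks defaults to False
        for name in dirnames + filenames:
            findings.extend(check_entry(os.path.join(dirpath, name), allowed_uids, allowed_gids))
    return findings


def build_constructed_repository() -> str:
    """Create a throwaway backup tree with one deliberate misconfiguration.

    Constructed sample data for this example. The current user stands in for
    the backup service account and the current group for the backup
    administrators group. One of alice's backup sets is left world-readable,
    which is exactly what the control forbids.
    """
    root = tempfile.mkdtemp(prefix="backup-audit-")
    users_dir = os.path.join(root, "users")
    alice_dir = os.path.join(users_dir, "alice")
    os.makedirs(alice_dir)
    for d in (root, users_dir, alice_dir):
        os.chmod(d, 0o750)  # service account and admin group only, no 'other' access
    good = os.path.join(alice_dir, "2026-02-20.tar.gz")
    bad = os.path.join(alice_dir, "2026-02-21.tar.gz")
    for path in (good, bad):
        with open(path, "wb") as fh:
            fh.write(b"constructed backup payload, not real data")
    os.chmod(good, 0o640)  # compliant: owner rw, admin group r
    os.chmod(bad, 0o644)   # violation: alice (or ransomware running as alice) can read it
    return root


def demo(allowed_gids: Optional[set[int]] = None) -> list[Finding]:
    """Build the constructed tree and audit it with the current uid as the service account."""
    root = build_constructed_repository()
    if allowed_gids is None:
        allowed_gids = {os.getgid()}
    return audit_backup_tree(root, {os.getuid()}, allowed_gids)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason}")
```

Against the constructed tree the audit reports the single world-readable archive; passing an empty admin-group set instead turns every group-accessible directory and file into a finding, which is the setting to use when the repository is meant to be reachable by the service account alone. Run it against the real repository root with the real service-account uid and backup-admin gid, and treat a clean result as evidence for the mode-bit layer only.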

Audit / evidence tips

  • Ask: Does the organisation have policies that prevent unprivileged accounts from accessing their own backups?

  • Good: Policies clearly prevent access, permissions are appropriately restricted, logs show compliance, and a test performed from an unprivileged account shows that its own backup data cannot be listed, restored, modified or deleted

  • Ask: How often does the organisation review these access policies and permissions?

  • Good: Regular reviews are conducted with documented findings and actions taken, dated within the last six months

Cross-framework mappings

How E8-RB-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)
  • Annex A 5.15 (Access control): E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.
  • Annex A 8.3 (Information access restriction): E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.

ASD ISM

Partially meets (1)
  • ISM-1811: E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.

Related (1)
  • ISM-1813: E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.
