Enable Data Recovery for Encrypted Data
Ensure encrypted data can be accessed if the encryption key is lost or damaged.
Plain language
This control ensures that your important data remains accessible even if something happens to damage or lose the encryption key, which is needed to unlock the data. If you don't plan for this, you could lose all your encrypted data permanently, leading to loss of critical business information, customer trust, and financial implications.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Where practical, cryptographic equipment, applications and libraries provide a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.
Why it matters
Loss of encryption keys without a recovery method can render critical encrypted data inaccessible, crippling operations and damaging business credibility.
Operational notes
Regularly test backup key recovery processes to ensure data remains accessible even when primary encryption keys are lost.
Implementation tips
-
Askthem to verify whether the software or service has features to retrieve data if the encryption key is lost
- IT teams should regularly back up encryption keys in a secure manner to prevent loss. Use a secure, off-site storage service like a trusted cloud provider or a physical safe to keep these backups safe.
- The IT manager should implement a key management policy outlining how keys are stored, accessed, and recovered. Include steps for manually recovering data if the primary key is lost, ensuring this policy is documented and accessible to the necessary personnel.
- Organisations should test recovery procedures regularly to confirm they work when needed. Conduct a trial recovery process once a quarter and document the steps and results, ensuring any issues are addressed immediately.
- System owners must ensure any application or tool that handles encryption includes a built-in method for key recovery. Verify this feature by reviewing the vendor's service agreement or product documentation and keep a copy of the relevant sections.
Audit / evidence tips
-
Askthe encryption key management policy document: Request to see any written policies that explain how encryption keys are backed up and recovered
Gooda detailed and accessible policy document with clear steps for key backup and recovery
-
Askto see records of a simulated data recovery test: Request evidence that data recovery procedures have been successfully tested
Gooddated test results indicating that recovery processes were successfully completed and any issues were resolved
-
Askvendor contracts or product documentation: Request any agreements or manuals detailing the encryption tool's recovery features
Gooda clear mention in the documentation or contract that supports key recovery features
-
Aska demonstration of the key recovery process: Request a live or recorded demonstration showing how data can be retrieved without the primary key
Gooda clear, step-by-step process that successfully retrieves data as expected
-
Askto review encryption key backup logs: Request log files or records showing regular backup of encryption keys
Goodlogs that show consistent, successful backups as per the defined policy
Cross-framework mappings
How ISM-0455 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.24 | Annex A 8.24 requires rules for cryptographic use and cryptographic key management, including availability considerations for keys and en... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.