Conduct and Maintain Regular Data Backups
Ensure data backups are done based on business importance and kept for future recovery needs.
Plain language
Regularly backing up your business data is like saving a copy of your important documents just in case something goes wrong, like a computer crash or a cyber attack. If you don't do this, you might permanently lose valuable information, leading to disruptions or even financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
Data backup and restoration
Official control statement
Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.
Why it matters
Without regular backups and retention aligned to business continuity needs, data, apps and settings may be unrecoverable after compromise or failure.
Operational notes
Define backup frequency and retention per system criticality; include applications and configuration; regularly test restores and verify integrity.
Implementation tips
- Business owner should identify critical data: Determine what data is essential for daily operations or compliance. This involves listing every piece of information that would cause a nightmare if lost, such as customer records, financial documents, and operational data.
- IT team should schedule regular backups: Set up a routine for automatic data backups to make sure they happen regularly without fail. This can be done using backup software that copies all crucial data to a secure off-site location or a cloud service.
- Office manager should review backup locations: Ensure that backups are stored in multiple places, not just on the same computer or server. This means using external hard drives stored off-site or a reliable cloud service to prevent data loss from incidents like office fires or burglaries.
- Procurement should buy appropriate backup solutions: Choose backup solutions that fit the size and needs of the business. This might involve purchasing external hard drives for small offices or subscribing to a cloud storage service for larger data needs.
- Manager should test recovery: Regularly test that you can restore data from backups. Do this by following the steps to recover files and verifying they're complete and accessible, ensuring that backups are actually useful in case of an emergency.
Audit / evidence tips
- Ask: the data backup policy document: Request to see the written policy that outlines how often and what type of backups are performed
  Good: includes a clear schedule and covers all business-critical data
- Ask: recent backup logs: Request logs of recent backups to confirm they are regularly occurring
  Good: shows consistent entries with no large time gaps between backups
- Ask: to see the backup storage locations: Request a demonstration or confirmation of where backups are stored
  Good: includes multiple, secure locations like a cloud service and an off-site physical drive
- Ask: the backup recovery test records: Request documentation of recent backup recovery tests to ensure backups can be restored
  Good: details a recent successful test with confirmation that data was recovered
- Ask: about any problems encountered during backup or recovery: Request a report of any recent issues with the backup process
  Good: includes detailed problem descriptions and measures taken to prevent them again
Cross-framework mappings
How ISM-1511 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.30 | ISM-1511 requires organisations to perform and retain backups of data, applications and settings in line with business criticality and bu... | |
| Partially overlaps (1) | | |
| Annex A 8.13 | ISM-1511 requires backups of data, applications and settings to be performed and retained based on business criticality and business cont... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RB-ML1.2 | E8-RB-ML1.2 requires synchronising backups across data, applications and settings to enable restoration to a common point in time | |
| Partially overlaps (1) | | |
| E8-RB-ML1.3 | ISM-1511 requires backups of data, applications and settings to be performed and retained in accordance with business criticality and bus... | |
| Depends on (1) | | |
| E8-RB-ML1.4 | E8-RB-ML1.4 requires organisations to test restoring data, applications, and settings from backups to a common point in time during disas... | |
| Related (1) | | |
| E8-RB-ML1.1 | E8-RB-ML1.1 necessitates backups to align with business criticality and continuity needs | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.