Test Backup Restoration During Disaster Recovery
Backups should be restored regularly to ensure data can be retrieved in case of a disaster.
Plain language
This control ensures that you regularly test your backup systems to make sure you can recover important data if something goes wrong, like a cyber attack or a natural disaster. It's crucial because if backups can't be restored when needed, you could lose critical business information, which could be devastating to your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
Data backup and restoration
Official control statement
Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.
Why it matters
Failure to test backup restoration can prevent recovery to a common point in time, causing data loss, prolonged outage, and reputational harm.
Operational notes
During DR exercises, restore data, applications and settings to a common point in time and validate integrity, access and RTO/RPO results; record and fix gaps.
Implementation tips
- The IT team should schedule regular backup restoration exercises. They can start by selecting a non-critical system and restoring its data from backups in a test environment to check that everything works as expected.
- System owners should document the restoration process. Note every step taken during the restoration exercise, from accessing backup files to completing the restoration, so that this process can be followed easily in the future.
- Managers should allocate time and resources for these exercises. Ensure teams have the necessary permissions and tools to execute the restoration without delays, prioritising it as part of risk management activities.
- The IT team should simulate varied disaster scenarios. By testing restoration under different circumstances, like server failures or network outages, they ensure backups work in all kinds of situations.
- Staff training should include backup restoration protocols. Conduct hands-on workshops to familiarise relevant staff with the procedures for conducting restorations successfully.
Audit / evidence tips
- Ask: documentation of recent backup restoration tests. Review the documents for details about the date, systems involved, and outcomes of the restoration exercises.
  Good: includes evidence that tests were performed regularly and successfully, with any issues noted and addressed.
- Ask: to observe an actual backup restoration exercise.
  Good: observation shows a smooth process where the team follows documented steps without confusion.
- Ask: records of any restoration issues and how they were resolved.
  Good: record will show timely resolutions and improvements made to prevent similar issues.
- Ask: feedback from staff who participated in restoration tests.
  Good: would include positive feedback and suggestions for improvement, showing an engaged and informed staff.
- Ask: a list of systems included in tests.
  Good: list shows comprehensive coverage and schedules that ensure all important systems are regularly tested.
Cross-framework mappings
How ISM-1515 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.13 | ISM-1515 requires testing restoration of data, applications and settings from backups to a common point in time specifically during disas... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-RB-ML1.1 | ISM-1515 requires organisations to test restoring from backups to a common point in time as part of disaster recovery exercises | |
| Depends on (2) | | |
| E8-RB-ML1.2 | ISM-1515 requires organisations to test restoring data, applications and settings from backups to a common point in time during disaster ... | |
| E8-RB-ML1.3 | ISM-1515 requires regular testing of restoring from backups to a common point in time as part of disaster recovery exercises | |
| Related (1) | | |
| E8-RB-ML1.4 | E8-RB-ML1.4 requires organisations to test restoration of data, applications, and settings from backups to a common point in time as part... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.