Develop and Maintain Data Backup Procedures
Ensure data backup processes and procedures are created, used, and kept up to date.
Plain language
Backing up your data means making extra copies of important files and storing them somewhere safe. This matters because if your main copy is lost or corrupted, due to something like hacking or accidental deletion, you could lose important information and end up with big problems. Regular backups are your safety net to recover quickly and keep things running smoothly.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
Data backup and restoration
Official control statement
Data backup processes, and supporting data backup procedures, are developed, implemented and maintained.
Why it matters
Without robust backup procedures, data loss from cyber attacks or system failures can disrupt operations and damage reputation.
Operational notes
Verify backups weekly, ensuring data integrity and restoration capability; automate tests and monitor for anomalies.
Implementation tips
- Business owners should identify all critical data and systems that need backing up by assessing which files and applications are crucial to business operations. This can be done by listing out all the data types and their importance to daily functions.
- The IT team should choose the right backup methods and schedule, such as daily backups to a secure cloud service. This involves evaluating available backup solutions, considering both cost and reliability, and implementing the choice that fits best with the business needs.
- Managers should ensure the backup process is documented in simple terms so anyone responsible can understand and follow the steps. Create a clear, step-by-step guide that includes how to start a backup, where backups are stored, and who to contact if something goes wrong.
- System administrators should regularly test backup restorations to ensure they can actually recover data when needed. This means periodically selecting a backup file and attempting to restore it to check for any issues.
- The IT team should keep track of backup logs and audits to spot any irregularities or failures in the process. Setting up automatic logging can help, and reviewing these logs monthly can ensure problems are caught early.
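The restoration test described in the tips above can be automated. The following is an added example, not part of the ISM or of this page's source. It assumes tar.gz backups and a SHA-256 manifest recorded at backup time; all function names and sample files are hypothetical.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source_dir, archive_path):
    """Archive source_dir and return the manifest recorded at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(source_dir) / rel, arcname=rel)
    return manifest

def restore_test(archive_path, manifest):
    """Restore into a scratch directory and compare it with the manifest."""
    # Use the safe extraction filter where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path) as tar:
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return {"ok": False, "error": str(exc), "missing": sorted(manifest), "corrupt": []}
        restored = build_manifest(scratch)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(k for k in restored if k in manifest and restored[k] != manifest[k])
    return {"ok": not (missing or corrupt), "error": None, "missing": missing, "corrupt": corrupt}

def demo():
    """Constructed sample data: a good archive and one that fails the test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "customers.db").write_bytes(b"constructed sample record")
        manifest = make_backup(src, Path(work) / "good.tar.gz")
        # Constructed failure: an archive with one file absent and one altered.
        (src / "customers.db").unlink()
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")
        make_backup(src, Path(work) / "bad.tar.gz")
        return [restore_test(Path(work) / n, manifest) for n in ("good.tar.gz", "bad.tar.gz")]

if __name__ == "__main__":
    print(demo())
```

The report from each run can be written to the backup log and kept as restoration test evidence.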
Audit / evidence tips
- Ask: The data backup policy document. Request to see written policies that outline how and when data backups occur.
  Good: A detailed, up-to-date policy that covers frequency, responsibility, and scope of data backup.
- Ask: A recent backup schedule. Request a copy of the backup calendar or schedule.
  Good: A regularly updated schedule that matches the backup policy with completed entries for past backups.
- Ask: A successful restoration test report. Request evidence showing that data restoration from a backup has been tested recently.
  Good: A report confirming the full restoration of data without errors, including any corrective actions taken if issues were found.
- Ask: Access to backup logs. Request logs that show backup activities over the past few months.
  Good: Logs showing regular and error-free backups, with any issues documented and resolved quickly.
- Ask: Evidence of backup storage security. Request information on how backup data is protected while stored.
  Good: Documentation or demonstration showing secure storage practices, such as encrypted backups and restricted access.
Cross-framework mappings
How ISM-1547 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.30 | Annex A 5.30 requires ICT readiness for business continuity to be planned, implemented, maintained and tested against business continuity... | |
| Annex A 8.13 | Annex A 8.13 requires backup copies of information, software and systems to be maintained and regularly tested in accordance with an agre... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-RB-ML1.2 | ISM-1547 requires organisations to develop, implement, and maintain data backup processes and procedures | |
| E8-RB-ML1.3 | ISM-1547 requires organisations to develop, implement and maintain data backup processes and procedures | |
| Supports (1) | | |
| E8-RB-ML1.1 | E8-RB-ML1.1 dictates backups aligned with continuity needs | |
| Depends on (1) | | |
| E8-RB-ML1.4 | E8-RB-ML1.4 requires testing of restoring data, applications, and settings from backups to a common point in time as part of disaster rec... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.