Develop and Maintain Data Restoration Processes
Organisations must create and keep updated processes for restoring data.
Plain language
Organisations need to have clear methods for bringing back their data if it's lost or damaged. This is important because losing important information can disrupt operations and lead to financial and reputational damage. By having a reliable plan, you can ensure that everything runs smoothly even after unexpected problems.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system managementSection
Data backup and restorationOfficial control statement
Data restoration processes, and supporting data restoration procedures, are developed, implemented and maintained.
Why it matters
Without documented restoration processes, data loss events can cause extended outages, missed RTO/RPOs and reputational harm.
Operational notes
Regularly test restoration procedures; document roles, RTOs/RPOs, backup locations, required tools, and system dependencies for recovery.
Implementation tips
- IT team should create a detailed plan for data restoration that includes the types of data to restore and the processes for doing so. This plan should be written in simple language and easily accessible to anyone who might need it.
- Managers should make sure that the data restoration plan is regularly reviewed and updated as needed. This means scheduling reviews twice a year to incorporate any changes in the organisation's data storage or backup procedures.
- Staff responsible for data should run regular practice drills to test the data restoration processes. They can do this by simulating a data loss scenario and following the restoration plan to ensure everything works as expected.
- Business owners should ensure that there is a clear chain of command for who is responsible during a data restoration event. This can be done by having a list of contact details and duties is compiled and circulated to the relevant team members.
- Procurement officers should ensure that any external backup solutions or services are in line with the restoration processes set by the organisation. They need to regularly check that third-party services can restore data within the necessary timeframes.
Audit / evidence tips
-
Askthe organisation's data restoration plan: Verify that it includes detailed steps for how data will be restored
Goodwill be a comprehensive plan easily understood by non-technical staff
-
Askrecords of data restoration drills or tests: Check for documentation of when these tests were conducted and what the outcomes were. Good evidence of compliance includes regular tests with successful restoration times recorded
-
Askto see the policy regarding data backup and restoration responsibilities
-
Askto see contracts or agreements with external backup providers: Ensure these align with the organisation's data restoration timelines and procedures
Goodcontract will have clear service level agreements (SLAs) that match organisational needs
-
Askmeeting notes from twice-yearly reviews of the data restoration plan: Look to see if updates were discussed and made in response to changes in the organisation or technology. Good evidence will show continuous improvement and adaptation
Cross-framework mappings
How ISM-1548 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.13 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures | |
| handshake Supports (1) expand_less | ||
| Annex A 5.30 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| E8-RB-ML1.2 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures | |
| handshake Supports (2) expand_less | ||
| E8-RB-ML1.1 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures | |
| E8-RB-ML1.3 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures | |
| extension Depends on (1) expand_less | ||
| E8-RB-ML1.4 | E8-RB-ML1.4 requires organisations to test restoring data, applications, and settings from backups to a common point in time during disas... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.