Prevent Backup Access by Privileged Users
Privileged users cannot access their own data backups; only backup administrators can.
Plain language
This control means that people with special access, known as privileged users, should not be able to look at or retrieve data from their own backup files. This matters because if someone has bad intentions, they could misuse this access to manipulate data or hide certain changes, which could harm your business's integrity and trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Privileged user accounts (excluding backup administrator accounts) cannot access their own backups.
Why it matters
If privileged users can access their own backups, they can alter or delete evidence, conceal misuse and compromise integrity, auditability and compliance.
Operational notes
Enforce access controls so only backup administrator accounts can read/restore backups; routinely review ACLs and logs to detect and fix any privileged-user access.
Implementation tips
- The IT manager should ensure that only designated backup administrators have the right to access backup files. This can be done by setting up specific user permissions in the backup system, ensuring privileged users cannot see or access their own backup data.
- The HR department should clearly define roles, including backup administrator roles, in job descriptions and duties. Make sure there is a clear distinction between regular user roles and special backup administrator roles so lines are not blurred.
- System administrators should conduct regular access reviews to ensure that only backup administrators have access to backups. This involves using the backup system's access log features to review who has rights to what, adjusting permissions where necessary.
- During employee onboarding or role changes, the IT team should verify that backup access rights align with their current job roles. This means double-checking that former backup administrators or privileged users do not retain access after changing roles.
- An external security consultant could be brought in periodically to audit backup access configurations. This ensures an impartial overview and helps identify any unauthorised access or potential loopholes in the current setup.
Audit / evidence tips
- Ask: a copy of the access permissions configuration for the backup system
  Good: seeing only designated backup administrators listed with these permissions
- Good: failed access attempts are logged and investigated
- Ask: a record of any adjustments made to backup access permissions in the last 12 months
  Good: a clean, traceable history of access adjustments
- Good: a clear distinction in roles and responsibilities
- Ask: records of any security audits done on backup systems
  Good: regular audits with evidence of continual improvement and compliance
Cross-framework mappings
How ISM-1706 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 5.3 | Annex A 5.3 requires segregation of conflicting duties to reduce the risk of misuse and cover-up by a single individual | |
| Annex A 8.2 | Annex A 8.2 requires privileged access rights to be restricted and managed to prevent misuse of elevated permissions | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-RB-ML2.1 | ISM-1706 requires that privileged user accounts (excluding backup administrator accounts) cannot access their own backups | |
| E8-RB-ML2.2 | ISM-1706 requires that privileged user accounts (excluding backup administrator accounts) cannot access their own backups | |
| Related (1) | | |
| E8-RB-ML3.2 | E8-RB-ML3.2 requires that privileged accounts (other than backup administrator accounts) are unable to access their own backups | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.