ISM-1708 | ASD Information Security Manual (ISM)

Prevent Backup Modifications During Retention

Backup administrators cannot change or delete backups until the retention period ends.


Plain language

This control means that once backups are created, no one is allowed to change or delete them until a certain amount of time has passed. This is important because if backups could be changed or erased too early, you might lose important data that you need to recover from disasters or unexpected problems.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Backup administrator accounts are prevented from modifying and deleting backups during their retention period.

Why it matters

Backup modifications during retention risk data loss, undermining recovery efforts post-incident and increasing operational and reputational damage.


Operational notes

Implement immutability for backups to prevent changes. Scheduled audits ensure backup integrity and the effectiveness of role-based restrictions.


Implementation tips

  • IT manager should create clear policies: The IT manager should develop and implement policies that specify how and when backups can be accessed and modified. This can be done by creating a set of rules that are communicated clearly to all staff involved in backup processes.
  • Backup administrator should set up restrictions: The backup administrator should configure the backup systems to automatically block any modifications or deletions until after the retention period. This might involve using built-in features of backup software that enforce this protection.
  • Business owner should engage with IT suppliers: The business owner should ensure that any outsourced IT services or cloud providers are aware of your retention policies and have controls in place to enforce them. This could involve checking contracts and discussing how they implement retention protections.
  • Finance team should budget for storage: The finance team should allocate sufficient budget to ensure storage costs are covered for the set retention period. This will involve forecasting the storage needs based on current usage and future growth.
  • HR should train staff: The HR team should organize training sessions for all employees involved in handling backups. The training should cover the importance of the retention period and how they can help maintain these policies.

Audit / evidence tips

  • Ask for the backup policy document: Request the official organisation policy document that explains how backups are managed, including the retention period.

    Good evidence is a clearly written policy outlining retention times and prohibiting early deletion or modification.

  • Ask for a demonstration of backup system settings: Request that the backup administrator show the settings in the backup software that enforce retention periods.

    Good evidence is a system configuration that clearly prevents changes or deletions until after the designated period.

  • Ask for communication logs with IT suppliers: Request any logs or communications confirming that IT suppliers understand and enforce your backup retention policies.

    Good evidence is documentation showing supplier acknowledgement of and compliance with the retention policy.

  • Ask for storage invoices and budget forecasts: Request financial records showing budget allocations for backup storage that account for full retention periods.

    Good evidence shows a match between budgeted funds and expected storage costs over the retention periods.

  • Ask for staff training records: Request the training materials and attendance records for staff involved in the backup process.

    Good evidence includes detailed training programs with signed attendance sheets indicating who was trained and when.


Cross-framework mappings

How ISM-1708 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

Essential Eight (E8)

Partially overlaps (2):

  • E8-RB-ML1.6: requires that unprivileged accounts are prevented from modifying and deleting backups.
  • E8-RB-ML2.2: requires that privileged accounts (excluding backup administrator accounts) cannot modify or delete backups.

Supports (1):

  • E8-RB-ML3.2: ISM-1708 requires that backup administrator accounts are prevented from modifying or deleting backups during their retention period.

Related (1):

  • E8-RB-ML3.3: ISM-1708 requires that backup administrator accounts are prevented from modifying or deleting backups during their retention period.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
