Secure and Resilient Data Backup Retention
Ensure backups of data and applications are stored safely and can withstand issues.
Plain language
Making sure data backups are safe and can handle unexpected problems is crucial for any organisation. If these backups aren't secure or can't be relied upon when needed, you risk losing important information due to system failures, cyber attacks, or even natural disasters.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
Data backup and restoration
Official control statement
Backups of data, applications and settings are retained in a secure and resilient manner.
Why it matters
Inadequate backup retention increases risk of data loss after ransomware, system failure or disaster, causing extended outages and costly recovery.
Operational notes
Define retention periods for each backup tier (daily, weekly, monthly) and keep at least one offsite copy that is immutable or offline, so that an attacker who compromises production accounts cannot also delete or encrypt the backups; encrypt backups at rest and in transit and restrict who can read, alter or delete them; regularly test restores against an integrity record taken at backup time; and review retention settings whenever systems, data volumes or legal obligations change.
Implementation tips
- IT team should schedule backups regularly: Designate a specific person or team in your IT department to create a backup schedule that includes daily, weekly, and monthly backups, and to define how long each tier is retained. Use backup software or automated tooling so these backups happen consistently without manual intervention, and alert on missed runs.
- System owners should store backups safely: Ensure that backups are stored in a secure location, separate from the original data. Use external media, cloud storage, or off-site servers so that a single event, such as a fire, flood or ransomware outbreak, cannot destroy both the originals and the copies, and keep at least one copy offline or in write-once (immutable) storage that production credentials cannot modify or delete.
- IT team should test backup restoration: Regularly test the backup restoration process to ensure that data can be retrieved in a usable state when needed, and verify the restored data against a checksum or manifest recorded when the backup was taken rather than assuming a completed restore job is a correct one. Run these tests after each major software update or at least quarterly, documenting any issues and resolutions.
- Managers should implement access controls: Limit who can read, alter or delete backup data to the minimum number of personnel. Require strong authentication, preferably multi-factor, assign permissions based on roles, and keep backup administration credentials separate from day-to-day production accounts so that a compromised account cannot also destroy the backups.
- Office managers should train staff about backup procedures: Educate employees about the importance of backups and how to report any anomalies, such as missing or failed backup notifications. Use easy-to-understand guidelines and visuals to demonstrate the backup process and highlight what is expected from everyone in case of an incident.
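The daily/weekly/monthly retention schedule from the first tip and the restore verification from the third are shown below as a worked example in Python. This is an added illustration, not code from the ISM, the Control Stack site or any backup product; the grandfather-father-son (GFS) tier counts, the dates and the file contents are constructed for the example.

```python
"""Worked example: grandfather-father-son (GFS) retention plus a restore
integrity check. Added illustration for this control page, not code from
ASD or the Control Stack site; all data below is constructed."""
import hashlib
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set


def gfs_retention(backup_dates: Iterable[date], today: date,
                  keep_daily: int = 7, keep_weekly: int = 4,
                  keep_monthly: int = 12) -> Set[date]:
    """Return the backup dates a daily/weekly/monthly schedule retains.

    Daily tier keeps the newest `keep_daily` backups, weekly keeps the newest
    backup in each of the last `keep_weekly` ISO weeks that hold a backup, and
    monthly keeps the newest backup in each of the last `keep_monthly` months.
    Everything else is a pruning candidate. Future-dated entries are ignored.
    """
    dates = sorted({d for d in backup_dates if d <= today}, reverse=True)
    keep: Set[date] = set(dates[:keep_daily])
    # Dates are newest-first, so setdefault records the newest backup per bucket.
    weeks: Dict[tuple, date] = {}
    months: Dict[tuple, date] = {}
    for d in dates:
        iso = d.isocalendar()
        weeks.setdefault((iso[0], iso[1]), d)
        months.setdefault((d.year, d.month), d)
    for key in sorted(weeks, reverse=True)[:keep_weekly]:
        keep.add(weeks[key])
    for key in sorted(months, reverse=True)[:keep_monthly]:
        keep.add(months[key])
    return keep


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 per file at backup time; store it with the backup and
    with the immutable copy so a later restore can be checked against it."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_restore(manifest: Dict[str, str], restored: Dict[str, bytes]) -> List[str]:
    """Compare restored data to the manifest; an empty list means the restore
    test passed with no missing, corrupt or unexpected files."""
    problems: List[str] = []
    for name, digest in manifest.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(restored[name]).hexdigest() != digest:
            problems.append(f"corrupt: {name}")
    for name in restored:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems


def run_example() -> dict:
    """Constructed scenario: one backup per day for Q1 2024, then a clean and a
    tampered restore of a two-file backup set."""
    today = date(2024, 3, 31)
    start = date(2024, 1, 1)
    backups = [start + timedelta(days=i) for i in range((today - start).days + 1)]
    kept = gfs_retention(backups, today)
    pruned = [d for d in backups if d not in kept]

    # Constructed backup contents (hypothetical file names).
    original = {"db.sql": b"CREATE TABLE t (id INT);", "config.yaml": b"retention_days: 90\n"}
    manifest = build_manifest(original)
    clean_restore = dict(original)
    tampered_restore = {"config.yaml": b"retention_days: 0\n", "notes.txt": b"?"}
    return {
        "kept": sorted(d.isoformat() for d in kept),
        "pruned_count": len(pruned),
        "clean_problems": verify_restore(manifest, clean_restore),
        "tampered_problems": verify_restore(manifest, tampered_restore),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

With 91 daily backups and a 7/4/12 policy, the evaluator keeps twelve copies: the last seven days, the newest backup from each of the three preceding ISO weeks, and the month-end backup for January and February. The manifest check is what turns a "restore completed" message into evidence for the audit: a restore that is missing a file, contains a modified file, or contains a file that was never backed up is reported by name instead of being counted as a success.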
Audit / evidence tips
- Ask for the backup schedule documentation: Request the backup timeline and frequency as recorded by the IT team.
  Good: a detailed schedule showing frequent and consistent backup intervals.
- Ask to see the backup storage security measures: Request a walkthrough or description of where backups are stored, including physical and virtual safeguards.
  Good: shows proper physical and logical protections in place.
- Ask to review results of recent backup restoration tests: Request reports or feedback from the last set of backup restoration drills.
  Good: confirmed successful restorations without data loss or corruption.
- Ask about staff training records on backup procedures: Request any records of training sessions held for employees on the backup process.
  Good: evidence of regular training involving key staff members.
- Ask to see access control logs for backup locations: Request logs or records showing who has accessed the backup storage, and review them to confirm that only authorised personnel had access.
  Good: minimal and well-controlled access entries.
Cross-framework mappings
How ISM-1811 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
Essential Eight relationships for ISM-1811 (counts of mapped controls):
- Partially meets: 3 controls
- Partially overlaps: 1 control
- Supports: 1 control
- Depends on: 1 control
- Related: 3 controls
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.