ISM-1811: ASD Information Security Manual (ISM)

Secure and Resilient Data Backup Retention

Ensure backups of data and applications are stored safely and can withstand issues.


Plain language

Making sure data backups are safe and can handle unexpected problems is crucial for any organisation. If these backups aren't secure or can't be relied upon when needed, you risk losing important information due to system failures, cyber attacks, or even natural disasters.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Backups of data, applications and settings are retained in a secure and resilient manner.

Why it matters

Inadequate backup retention increases risk of data loss after ransomware, system failure or disaster, causing extended outages and costly recovery.


Operational notes

Define retention periods and immutable/offsite copies; encrypt and access-control backups; regularly test restores and review retention as systems change.


Implementation tips

  • IT team should regularly schedule backups: Designate a specific person or team in your IT department to create a backup schedule that includes daily, weekly, and monthly backups. Use software solutions or automated tools to ensure these backups happen consistently without manual intervention.
  • System owners should store backups safely: Ensure that backups are stored in a secure location, separate from the original data. Use external hard drives, cloud storage, or off-site servers to protect backups from being compromised in a single event, like a fire or flood.
  • IT team should test backup restoration: Regularly test the backup restoration process to ensure that data can be retrieved in a usable state when needed. Run these tests after each major software update or at least quarterly, documenting any issues and resolutions.
  • Managers should implement access controls: Limit who can access and alter backup data to a minimum number of personnel. Use passwords or other forms of authentication to secure access and set permissions based on roles.
  • Office managers should train staff about backup procedures: Educate employees about the importance of backups and how to report any anomalies. Use easy-to-understand guidelines and visuals to demonstrate the backup process and highlight what's expected from everyone in case of an incident.

Audit / evidence tips

  • Ask for the backup schedule documentation: Request the backup timeline and frequency as recorded by the IT team. Good: a detailed schedule showing frequent and consistent backup intervals.
  • Ask to see the backup storage security measures: Request a walkthrough or description of where backups are stored, including physical and virtual safeguards. Good: shows proper physical and logical protections in place.
  • Ask to review results of recent backup restoration tests: Request reports or feedback from the last set of backup restoration drills. Good: the outcome is confirmed successful restorations without data loss or corruption.
  • Ask about staff training records on backup procedures: Request any records of training sessions held for employees on the backup process. Good: includes evidence of regular training involving key staff members.
  • Ask to see access control logs for backup locations: Request logs or records showing who has accessed the backup storage. Look over these logs to see if only authorised personnel had access. Good: shows minimal and well-controlled access entries.

Cross-framework mappings

How ISM-1811 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control Notes Details
  • Partially meets (3)
  • Partially overlaps (1)
  • Supports (1)
  • Depends on (1)
  • Related (3)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
