ISM-1813 (policy) - ASD Information Security Manual (ISM)

Prevent Unauthorised User Access to Backup Data

Ensure that regular (unprivileged) user accounts cannot view or restore their own backup files.


Plain language

This control ensures that regular users cannot access, view or restore the backup files of their own data. This matters because if anyone could see or modify their own backups, sensitive information could be shared or altered outside the usual controls, harming the whole organisation by making data unreliable or exposing it to competitors.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Unprivileged user accounts cannot access their own backups.

Why it matters

If unprivileged users can access their own backups, they could recover deleted data and exfiltrate sensitive information outside normal access controls.


Operational notes

Ensure backup repositories and restore tools are restricted to privileged roles; test that standard user accounts cannot list, read or restore their own backups.


Implementation tips

  • The IT team should set up access restrictions in the backup system so that only designated administrators can view and manage backup files. They can do this by configuring user roles specifically in the backup software to prevent regular users from obtaining access.
  • System administrators need to implement a policy that clearly defines who can access backups and what actions they are permitted to perform. This involves updating the company’s existing security protocols and ensuring only administrators have backup access rights.
  • Managers should conduct training sessions to educate staff about why they cannot access their own backup files. This can be done through regular meetings or informational emails explaining the security reasons behind these restrictions.
  • IT managers should regularly review the list of users with backup access to ensure compliance with policies. This involves checking user roles and permissions in the backup system and revoking access that is no longer necessary.
  • The security team should set up alerts to notify them of any unauthorised access attempts to the backup system. This can be achieved by configuring monitoring software to log access attempts and report unusual activity immediately.
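A check matching the operational note (standard accounts must not be able to list or read their own backups) and the access-review tip above, as an added example that is not Control Stack's or the ISM's own: a POSIX shell audit run on the backup server that reports any path in the repository reachable by group or other, and any path not owned by the designated backup service account. It assumes GNU find for the `-perm /mode` syntax; the repository path and the `backup` account name are placeholders, and restore-tool permissions inside the backup product's own RBAC are outside what this script checks.

```shell
#!/bin/sh
# Added example (not Control Stack's or the ISM's own code): audit a backup
# repository for paths that anyone other than the owning account could list,
# read or traverse. Assumes GNU find(1) for the -perm /mode syntax.

# Print every path under repository $1 whose mode grants any permission bit
# to group or other. Returns 0 if fully owner-restricted, 1 if any path is
# exposed, 2 if $1 is not a directory.
audit_backup_repo() {
    repo="$1"
    [ -d "$repo" ] || { echo "not a directory: $repo" >&2; return 2; }
    # find includes the repository root itself, so its own mode is checked too.
    exposed=$(find "$repo" -perm /077 2>/dev/null)
    if [ -n "$exposed" ]; then
        printf 'exposed to group/other:\n%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Print every path under $1 not owned by the designated backup service
# account $2: a user who owns their own backup files can read them whatever
# the mode bits say. Returns 0 if all paths are owned by $2, 1 otherwise,
# 2 if the account does not exist on this host.
audit_backup_owner() {
    repo="$1"; owner="$2"
    id "$owner" >/dev/null 2>&1 || { echo "unknown account: $owner" >&2; return 2; }
    strays=$(find "$repo" ! -user "$owner" 2>/dev/null)
    if [ -n "$strays" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$strays"
        return 1
    fi
    return 0
}

# Usage: sh audit_backups.sh /srv/backups backup
# (/srv/backups and the 'backup' account are placeholder values.)
if [ $# -eq 2 ]; then
    audit_backup_repo "$1" && audit_backup_owner "$1" "$2"
fi
```

Run it from a scheduled job and treat a non-zero exit as an audit finding to feed the periodic access review.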

Audit / evidence tips

  • Ask: The current backup access policy document. Ensure the document is up-to-date and specifies who has access and under what conditions. Good: Includes a policy document with clear roles assigned and signed approval.
  • Good: Should have a limited, justified number of users with backup permissions.
  • Ask: A demonstration of user access restrictions in the backup system. Verify that only authorised users can access the backup files. Good: Is a system setup where only specific admin roles can access backups.
  • Good: Shows no incidents of unauthorised access, or a record of prompt responses to alerts.
  • Ask: Staff training records regarding backup access policies. Verify that regular training sessions are conducted and that employees understand why they can't access their backups. Good: Includes complete training records with dated sessions and signed attendance.

Cross-framework mappings

How ISM-1813 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1): Annex A 8.3. ISM-1813 requires that unprivileged user accounts cannot access their own backup data.
  • Related (1): Annex A 5.15. Annex A 5.15 requires rules and procedures to control logical access to information assets.

E8

  • Partially overlaps (2): E8-RB-ML1.5 and E8-RB-ML3.2. ISM-1813 requires that unprivileged user accounts cannot access their own backup data.
  • Related (1): E8-RB-ML3.1. E8-RB-ML3.1 requires that unprivileged accounts cannot access their own backups.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
