ISM-1814 policy ASD Information Security Manual (ISM)

Prevent Backup Modifications by Unprivileged Users

Only authorised users can change or delete backups, keeping data safe from unauthorised access.


Plain language

This control ensures that only authorised people can make changes to or delete backups of important data. This matters because if backups are tampered with or deleted by mistake or maliciously, you could lose critical data permanently, which can disrupt your business and cost you money.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Unprivileged user accounts are prevented from modifying and deleting backups.

Why it matters

If unprivileged users can alter or delete backups, attackers can erase recovery points, causing permanent data loss and outages.


Operational notes

Restrict backup repositories to backup admins only; use immutable/WORM storage, MFA, and regularly audit delete/modify permissions.


Implementation tips

  • The IT team should set up user permissions so that only specific, trusted employees can access and modify backups. They can do this by using software tools that let them assign roles and permissions, ensuring that regular employees don't have access to change or delete backups.
  • Business owners should decide who should have the authority to change backups. They should work with their IT team to make sure this list is kept up-to-date and that the chosen employees understand their responsibilities.
  • System administrators should regularly review who has access to backup systems. They should use access logs to check that only those with the right permissions are using the backup systems, and immediately remove access for anyone who no longer needs it.
  • Office managers should create a data handling policy that includes a section on backup management. This policy should be shared with all staff to clarify who can manage backups and why protecting them is crucial.
  • The IT support team should install software that alerts them when someone tries to access backups without the right permissions. This can include setting up email alerts or dashboard notifications to quickly respond to any unauthorised attempts.
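As an added illustration of the two checks described in the operational notes and implementation tips above (restricting backup repository permissions to backup administrators, and alerting on unauthorised modify/delete attempts), the Python script below is example code written for this page, not part of the ISM or any backup product. It audits a constructed ACL export for non-admin principals that hold modify or delete rights, and scans constructed access-log lines for modify/delete events by accounts outside the backup-admin group. The group names, right names, log format and sample data are all assumptions.

```python
import re
from dataclasses import dataclass

# Rights that would let an account change or remove a backup (names are constructed).
DESTRUCTIVE_RIGHTS = frozenset({"write", "modify", "delete", "full_control"})

# Hypothetical environment: only this group may hold destructive rights on the repository.
BACKUP_ADMIN_GROUPS = frozenset({"backup-admins"})
GROUP_MEMBERS = {"backup-admins": frozenset({"bkadmin1", "bkadmin2"})}


@dataclass(frozen=True)
class AclEntry:
    principal: str      # user or group the entry applies to
    rights: frozenset   # rights granted to that principal


# Constructed ACL export for the backup repository.
SAMPLE_ACL = [
    AclEntry("backup-admins", frozenset({"full_control"})),
    AclEntry("domain-users", frozenset({"read"})),
    AclEntry("jsmith", frozenset({"read", "modify"})),     # unprivileged user holding modify
    AclEntry("helpdesk", frozenset({"read", "delete"})),   # support group holding delete
]

# Constructed access-log lines in a simple key=value format (one event per line).
SAMPLE_LOG = """\
2024-08-01T02:10:05Z user=bkadmin1 action=delete target=/backups/2024-07-01.tar result=allowed
2024-08-01T09:22:41Z user=jsmith action=delete target=/backups/2024-07-15.tar result=denied
2024-08-01T09:23:02Z user=jsmith action=read target=/backups/2024-07-15.tar result=allowed
this line is malformed and should be skipped
2024-08-01T11:05:17Z user=hd-operator action=modify target=/backups/2024-07-20.tar result=allowed
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>allowed|denied)$"
)


def is_backup_admin(principal: str) -> bool:
    """True if the principal is an admin group or a member of one."""
    if principal in BACKUP_ADMIN_GROUPS:
        return True
    return any(principal in GROUP_MEMBERS.get(g, ()) for g in BACKUP_ADMIN_GROUPS)


def find_acl_violations(acl):
    """Return ACL entries that grant a destructive right to a non-admin principal."""
    return [e for e in acl
            if not is_backup_admin(e.principal) and e.rights & DESTRUCTIVE_RIGHTS]


def parse_log_line(line: str):
    """Parse one log line into a dict of fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unauthorised_attempts(lines):
    """Return modify/delete events performed or attempted by non-admin accounts.

    A 'denied' event means the permission boundary held but someone tried to cross it;
    an 'allowed' event means the boundary has already failed and the ACL needs fixing.
    """
    alerts = []
    for line in lines:
        ev = parse_log_line(line)
        if ev is None:
            continue  # malformed lines are skipped rather than silently treated as safe
        if ev["action"] in {"modify", "delete"} and not is_backup_admin(ev["user"]):
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for e in find_acl_violations(SAMPLE_ACL):
        print(f"ACL violation: {e.principal} holds {sorted(e.rights & DESTRUCTIVE_RIGHTS)}")
    for ev in unauthorised_attempts(SAMPLE_LOG):
        severity = "MISCONFIGURATION" if ev["result"] == "allowed" else "ATTEMPT"
        print(f"{severity}: {ev['ts']} {ev['user']} {ev['action']} {ev['target']}")
```

Run as a scheduled job, the ACL check covers the "regularly audit delete/modify permissions" note, and the log scan produces the alert feed the implementation tips call for; an "allowed" event from a non-admin account should be treated as a permission failure to fix, not only as an alert to acknowledge.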

Audit / evidence tips

  • Ask: A list of user access permissions for backup systems. Good: Only authorised personnel have permissions to modify or delete backups.
  • Good: A clear, documented process with regular reviews and updates.
  • Ask: Records of access logs to the backup systems. Good: All access logs show only authorised users accessing the backup systems as expected.
  • Good: All staff involved in backup management have completed relevant training sessions.
  • Ask: A recent alert log from the backup system. Good: Alerts were generated for unauthorised attempts, and prompt responses were logged.

Cross-framework mappings

How ISM-1814 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control | Notes | Details
Annex A 8.3 | Partially meets | ISM-1814 requires that unprivileged user accounts are prevented from modifying and deleting backups
Annex A 5.33 | Supports | Annex A 5.33 requires protection of records from loss and destruction as well as unauthorised changes

E8

Control | Notes | Details
E8-RB-ML2.2 | Partially overlaps | E8-RB-ML2.2 requires controls that prevent privileged accounts (except backup administrators) from modifying or deleting backups
E8-RB-ML3.3 | Partially overlaps | E8-RB-ML3.3 requires that backup administrator accounts cannot modify or delete backups during their retention period
E8-RB-ML1.6 | Related | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
