Backup and Recovery Procedures for Data
Keep and test backups of data and systems regularly as per backup policy.
🏛️ Framework
ISO/IEC 27001:2022
🧭 Control effect
Proactive
🧱 ISO 27001 domain
Organisational controls
🔐 Classifications
N/A
🗓️ Official last update
24 Oct 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 Maturity levels
N/A
Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Source: ISO/IEC 27001:2022
Plain language
This control is about making sure you have backup copies of your important data and systems, and also about testing these backups regularly. If you don't do this, you risk losing crucial information or systems, which can seriously disrupt your business operations.
Why it matters
Without regular, tested backups, data loss from corruption or deletion could halt operations for days, risking financial and reputational damage.
Operational notes
Regularly test backups by restoring a sample to verify integrity, and confirm all critical systems and data sets are included in backup schedules.
Implementation tips
- The IT manager should create a backup plan. This plan should include what needs to be backed up, how often backups are done, and where backups are stored, aligning with the business's recovery needs as outlined in ISO 27002:2022.
- The operations team should select a secure location for storing backups. Ensure the location is far enough from the main office to not be affected by the same disaster, as recommended by ISO 27002:2022 standards.
- The IT staff should regularly test these backups. They should simulate a recovery process onto a separate test system to ensure reliability, without affecting the current live data.
- The security officer should ensure that all backups are encrypted. This is crucial when handling sensitive information, adhering to ISO 27002 and OAIC guidelines to protect privacy and comply with the Privacy Act 1988.
- The executive team should review the organisation's business continuity requirements. They need to ensure that the backup strategy aligns with these requirements, referencing standards like CPS 234 to fulfil regulatory expectations.
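The restore test and coverage check described in the operational notes and tips above, as an added example (not part of this control page or any product it describes): it backs up constructed sample datasets with a SHA-256 manifest, checks the run against the list of critical datasets, restores into a separate test directory and reports any file whose digest no longer matches. Dataset names, paths and file contents are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
# Constructed sample: the datasets the backup plan says must be covered.
CRITICAL_DATASETS = {"finance-db", "hr-records", "mail-archive"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def back_up(src: Path, backup_root: Path, dataset: str) -> dict:
    """Copy a dataset into the backup store and record a digest manifest beside it."""
    dest = backup_root / dataset
    shutil.copytree(src, dest)
    manifest = {p.name: sha256_of(p) for p in dest.iterdir() if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest))
    return manifest

def missing_from_backup(backup_root: Path, critical: set) -> set:
    """Coverage check: critical datasets with no backup in this run."""
    present = {p.name for p in backup_root.iterdir() if p.is_dir()}
    return critical - present

def restore_check(backup_root: Path, dataset: str, restore_root: Path) -> list:
    """Restore into a separate test location (never over live data); return files whose digest differs."""
    dest = restore_root / dataset
    shutil.copytree(backup_root / dataset, dest)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [n for n, d in manifest.items()
            if not (dest / n).is_file() or sha256_of(dest / n) != d]

def run_demo() -> tuple:
    """Constructed run: back up two of three critical datasets, corrupt one, report gap and restore results."""
    work = Path(tempfile.mkdtemp())
    live, backups, restore = work / "live", work / "backups", work / "restore"
    backups.mkdir()
    for ds in ("finance-db", "hr-records"):
        (live / ds).mkdir(parents=True)
        (live / ds / "data.bin").write_bytes(f"{ds} contents".encode())
        back_up(live / ds, backups, ds)
    gaps = missing_from_backup(backups, CRITICAL_DATASETS)
    clean = restore_check(backups, "finance-db", restore)
    (backups / "hr-records" / "data.bin").write_bytes(b"bit rot")  # simulated corruption
    bad = restore_check(backups, "hr-records", restore)
    return gaps, clean, bad
```

A non-empty coverage gap or restore failure list is the evidence an auditor would expect to see recorded in the backup test log, together with the date and the person who ran the test.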
Audit / evidence tips
- Ask: the backup policy document. Good: a comprehensive document that clearly aligns with business and regulatory needs.
- Ask: a demonstration of a backup recovery test. Good: a successful demonstration with documentation showing the process and results.
- Ask: to see records of backup storage locations. Good: secure, geographically separate sites that meet business continuity standards.
- Ask: about encryption measures for backups. Good: encryption technology in use that complies with current standards and regulations.
- Ask: logs of backup operations and testing. Good: regular and successful tests recorded without significant issues, showing operational readiness.
Cross-framework mappings
How Annex A 8.13 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
E8
| Control | Notes |
|---|---|
| Partially meets (3) | |
| E8-RB-ML1.2 | E8-RB-ML1.2 requires backups of data, applications and settings to be synchronised so restoration can occur to a common point in time |
| E8-RB-ML1.3 | E8-RB-ML1.3 requires backups of data, applications and settings to be retained securely and in a resilient manner |
| E8-RB-ML1.4 | E8-RB-ML1.4 mandates testing restoration from backups to a common point in time as part of disaster recovery exercises |
| Partially overlaps (1) | |
| E8-RB-ML1.1 | Annex A 8.13 requires maintenance and regular testing of backups under a policy |
| Supports (1) | |
| E8-RB-ML1.6 | E8-RB-ML1.6 requires that unprivileged accounts are prevented from modifying and deleting backups |
ASD ISM
| Control | Notes |
|---|---|
| Partially meets (4) | |
| ISM-1515 | ISM-1515 requires testing restoration of data, applications and settings from backups to a common point in time specifically during disas... |
| ISM-1555 | ISM-1555 requires personnel to back up remaining data, applications, and settings before taking mobile devices overseas, as part of a bro... |
| ISM-1810 | ISM-1810 requires backups of data, applications and settings to be synchronised so restoration can occur to a common point in time |
| ISM-1928 | Annex A 8.13 requires organisations to maintain backup copies of information, software and systems and to test them against a backup policy |
| Partially overlaps (4) | |
| ISM-0917 | ISM-0917 requires organisations to isolate malware-infected systems, scan potentially exposed media, attempt removal using antivirus, and... |
| ISM-1511 | ISM-1511 requires backups of data, applications and settings to be performed and retained based on business criticality and business cont... |
| ISM-1547 | ISM-1547 requires data backup processes and supporting procedures to be developed, implemented, and maintained |
| ISM-1548 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures |
| Supports (1) | |
| ISM-1574 | ISM-1574 requires supplier contracts to document portable storage arrangements that enable backups and restoration/migration without losi... |
| Related (1) | |
| ISM-0042 | ISM-0042 requires organisations to develop, implement and maintain system administration procedures for effective ongoing system operations |