Annex A 8.13 (ISO/IEC 27001:2022)

Backup and Recovery Procedures for Data

Keep and test backups of data and systems regularly as per backup policy.


Plain language

This control is about making sure you have backup copies of your important data and systems, and also about testing these backups regularly. If you don't do this, you risk losing crucial information or systems, which can seriously disrupt your business operations.

Framework

ISO/IEC 27001:2022

Control effect

Proactive

ISO 27001 domain

Technological controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

12 Apr 2026

Maturity levels

N/A

Official control statement

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
ISO/IEC 27001:2022 Annex A 8.13

Why it matters

Without regular, tested backups, data loss from corruption or deletion could halt operations for days, risking financial and reputational damage.


Operational notes

Regularly test backups by restoring a sample to verify integrity, and confirm all critical systems and data sets are included in backup schedules.


Implementation tips

  • The IT manager should create a backup plan. This plan should include what needs to be backed up, how often backups are done, and where backups are stored, aligning with the business's recovery needs as outlined in ISO 27002:2022.
  • The operations team should select a secure location for storing backups. Ensure the location is far enough from the main office to not be affected by the same disaster, as recommended by ISO 27002:2022 standards.
  • The IT staff should regularly test these backups. They should simulate a recovery process onto a separate test system to ensure reliability, without affecting the current live data.
  • The security officer should ensure that all backups are encrypted. This is crucial when handling sensitive information, adhering to ISO 27002 and OAIC guidelines to protect privacy and comply with the Privacy Act 1988.
  • The executive team should review the organisation's business continuity requirements. They need to ensure that the backup strategy aligns with these requirements, referencing standards like CPS 234 to fulfil regulatory expectations.
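The operational note and the implementation tips above describe a restore test (recover a sample onto a separate system, verify integrity) and a coverage check (every critical data set is in the backup schedule). The following is an added example, not code from this control library page or from any backup product: a file-level backup with a SHA-256 manifest, a restore into a scratch directory that never touches live data, a hash comparison against the manifest, and a check of the manifest against an assumed backup-policy list of critical data sets. The data set names, file contents and the `nightly.tar.gz` archive name are constructed for the example.

```python
"""
Added example, not code from the control library page or any backup product:
a file-level backup with a SHA-256 manifest, a restore test into a scratch
directory (never over live data), and a coverage check against the list of
critical data sets named in the (assumed) backup policy.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under `source`; return {relative_path: sha256} as the manifest."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(file, arcname=rel)
    return manifest


def restore_test(archive: Path, manifest: Dict[str, str]) -> List[str]:
    """Restore into a throwaway directory and report problems; an empty list means the test passed."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where the interpreter provides it (it refuses
            # absolute paths and '..' traversal); older Pythons fall back to the default.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch_path, **extra)
        for rel, expected in manifest.items():
            restored = scratch_path / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def coverage_gaps(manifest: Dict[str, str], critical_datasets: List[str]) -> List[str]:
    """Return critical data sets (top-level directories from the backup policy) absent from the manifest."""
    return [ds for ds in critical_datasets
            if not any(rel.startswith(ds.rstrip("/") + "/") for rel in manifest)]


def demo() -> dict:
    """Constructed sample: two data sets backed up, a third required by policy but never backed up."""
    with tempfile.TemporaryDirectory() as work:
        work_path = Path(work)
        live = work_path / "live"
        (live / "finance").mkdir(parents=True)
        (live / "hr").mkdir()
        (live / "finance" / "ledger.csv").write_text("2026-01-01,invoice,1200.00\n")
        (live / "hr" / "staff.csv").write_text("id,name\n1,Example Person\n")

        archive = work_path / "nightly.tar.gz"
        manifest = create_backup(live, archive)

        # Assumed backup policy: three critical data sets; "crm" was never added to the job.
        policy_datasets = ["finance", "hr", "crm"]

        # Simulate silent corruption by altering one expected hash, to show the test catches it.
        corrupted_manifest = {**manifest, "hr/staff.csv": "0" * 64}

        return {
            "files_backed_up": len(manifest),
            "restore_problems": restore_test(archive, manifest),
            "corruption_detected": restore_test(archive, corrupted_manifest),
            "coverage_gaps": coverage_gaps(manifest, policy_datasets),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the four results. The two outputs auditors would want as evidence are the problem list from `restore_test` (a pass is an empty list, a mismatch names the file) and the list from `coverage_gaps`, which is where a data set that the policy calls critical but the job never included shows up.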

Audit / evidence tips

  • Ask for: the backup policy document. Good evidence: a comprehensive document that clearly aligns with business and regulatory needs.
  • Ask for: a demonstration of a backup recovery test. Good evidence: a successful demonstration with documentation showing the process and results.
  • Ask to see: records of backup storage locations. Good evidence: secure, geographically separate sites that meet business continuity standards.
  • Ask about: encryption measures for backups. Good evidence: encryption technology in use that complies with current standards and regulations.
  • Ask for: logs of backup operation and testing. Good evidence: regular and successful tests recorded without significant issues, showing operational readiness.

Cross-framework mappings

How Annex A 8.13 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

  • Partially meets (3)
  • Partially overlaps (1)
  • Supports (2)

ASD ISM

  • Partially meets (4)
    ISM-1515: ISM-1515 requires testing restoration of data, applications and settings from backups to a common point in time specifically during disas...
    ISM-1555: ISM-1555 requires personnel to back up remaining data, applications, and settings before taking mobile devices overseas, as part of a bro...
    ISM-1810: ISM-1810 requires backups of data, applications and settings to be synchronised so restoration can occur to a common point in time.
    ISM-1928: Annex A 8.13 requires organisations to maintain backup copies of information, software and systems and to test them against a backup policy.
  • Partially overlaps (4)
    ISM-0917: ISM-0917 requires organisations to isolate malware-infected systems, scan potentially exposed media, attempt removal using antivirus, and...
    ISM-1511: Annex A 8.13 requires backup copies of information, software and systems to be maintained and regularly tested in line with an agreed bac...
    ISM-1547: Annex A 8.13 requires backup copies of information, software and systems to be maintained and regularly tested in accordance with an agre...
    ISM-1548: ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures.
  • Supports (2)
    ISM-1574: ISM-1574 requires supplier contracts to document portable storage arrangements that enable backups and restoration/migration without losi...
    ISM-1705: Annex A 8.13 requires backups to be maintained and regularly tested so they can be relied upon for recovery.
  • Related (1)
    ISM-0042: ISM-0042 requires organisations to develop, implement and maintain system administration procedures for effective ongoing system operations.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.


Want to implement this control?

Mindset Cyber runs PECB-accredited ISO/IEC 27001 training that maps directly to the controls in this library.
