AuditFront

ISO 27001 A.8.13: Information backup

What This Control Requires

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

In Plain Language

Backups are your last line of defence. When ransomware encrypts your production databases, when a developer drops the wrong table, when a disk array fails catastrophically - backups are the difference between a bad day and a business-ending disaster.

But backups only matter if they actually work. An untested backup is just a hope, and auditors know the difference. You need comprehensive coverage of all critical data and systems, automated execution for consistency, protection against the very threats you are backing up against (especially ransomware), and regular restoration tests that prove recovery works.

Your backup strategy should be driven by your recovery point objectives (RPOs) and recovery time objectives (RTOs) from your business impact analysis. A system that cannot tolerate more than an hour of data loss needs a very different backup approach than one where a day is acceptable.

How to Implement

Write a backup policy that defines what gets backed up, how often, where backups are stored, how long they are retained, and how they are tested. Tie everything back to your RTOs and RPOs.

Follow the 3-2-1 rule as your baseline: at least 3 copies of data, on 2 different types of media, with 1 copy off-site or in the cloud. For ransomware protection, extend to 3-2-1-1: add 1 immutable or air-gapped copy that an attacker who has compromised your network simply cannot touch.

Set backup schedules based on RPO requirements. Critical databases may need continuous replication or frequent transaction log backups. File servers can typically get by with daily incrementals and weekly full backups. System configurations should be backed up after every change. Email and collaboration platforms need at least daily backups.

Protect the backups themselves. Encrypt at rest and in transit. Keep backup credentials completely separate from production credentials. Use immutable storage (write-once-read-many) for critical backups. Implement backup-specific access controls that are independent of production access. Monitor backup systems for unauthorised access or modifications.

Test restoration regularly - this is where most organisations fall down. Restore individual files and databases monthly. Recover critical systems quarterly. Run a full disaster recovery exercise annually. Document every test: what was restored, how long it took, and what went wrong. Fix failures immediately.

Monitor backup health continuously. Alert on failed jobs and investigate promptly. Track completion rates and storage utilisation. Plan for growth before you run out of backup space. Report metrics to management and include backup testing in change management for any infrastructure changes.
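The implementation steps above reduce to checks an auditor can verify: every critical system has copies meeting the 3-2-1-1 baseline, the newest successful copy falls inside the RPO, and a passing restore test finished within the RTO. The following is an added example (not AuditFront's code) of a backup-health evaluator that runs those checks over a constructed inventory; the system names, clock and copy ages are all invented for illustration.

```python
from datetime import datetime, timedelta, timezone
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

def backup_copy(media, location, immutable, age):  # age = time since the last successful job
    return {"media": media, "location": location, "immutable": immutable, "last_success": NOW - age}

# Constructed inventory (not real systems): RPO/RTO, backup copies and the latest restore test.
INVENTORY = [
    {"system": "customer-db", "rpo": timedelta(hours=1), "rto": timedelta(hours=4),
     "copies": [backup_copy("disk", "onsite", False, timedelta(minutes=20)),
                backup_copy("object", "offsite", True, timedelta(minutes=35)),
                backup_copy("tape", "offsite", False, timedelta(days=1))],
     "last_restore_test": {"duration": timedelta(hours=2, minutes=30), "success": True}},
    {"system": "file-server", "rpo": timedelta(hours=24), "rto": timedelta(hours=8),
     "copies": [backup_copy("disk", "onsite", False, timedelta(hours=30)),
                backup_copy("disk", "onsite", False, timedelta(hours=30))],
     "last_restore_test": None},
]

def check_3_2_1_1(copies):
    """3-2-1-1 baseline: 3 copies, 2 media types, 1 off-site, 1 immutable. Returns violations."""
    rules = [("fewer than 3 copies", len(copies) >= 3),
             ("fewer than 2 media types", len({c["media"] for c in copies}) >= 2),
             ("no off-site copy", any(c["location"] == "offsite" for c in copies)),
             ("no immutable copy", any(c["immutable"] for c in copies))]
    return [msg for msg, ok in rules if not ok]

def check_rpo(system, now=NOW):
    """RPO is met only if the newest successful copy is inside the RPO window."""
    return now - max(c["last_success"] for c in system["copies"]) <= system["rpo"]

def check_rto(system):
    """RTO is proven only by a passing restore test that finished within the RTO."""
    test = system["last_restore_test"]
    return bool(test and test["success"] and test["duration"] <= system["rto"])

def evaluate(inventory, now=NOW):
    """Map each system to its findings; an empty list means the system is audit-ready."""
    report = {}
    for system in inventory:
        findings = check_3_2_1_1(system["copies"])
        if not check_rpo(system, now):
            findings.append("RPO missed (limit %s)" % system["rpo"])
        if not check_rto(system):
            findings.append("RTO unproven (limit %s)" % system["rto"])
        report[system["system"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in evaluate(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feed the evaluator from your backup platform's job reports and restore-test log, and its output is the backup-health evidence the next section lists: the file-server entry above is the "never tested, no off-site copy, RPO missed" case an auditor will flag.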

Evidence Your Auditor Will Request

  • Documented backup policy with schedules, retention, and testing requirements
  • Backup job completion reports showing successful execution
  • Backup restoration test records with documented results
  • Off-site or immutable backup storage configuration
  • Backup monitoring and alerting configuration

Common Mistakes

  • Backups have never been tested for successful restoration
  • Backup failures are not detected or addressed in a timely manner
  • Backups are not protected from ransomware and could be encrypted or deleted by an attacker
  • No off-site backup copy exists for disaster recovery scenarios
  • Backup retention periods do not align with business and regulatory requirements

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       A1.2            Equivalent
GDPR        Art.32(1)(c)    Related
NIS2        Art.21(2)(c)    Related

Frequently Asked Questions

How do we protect backups from ransomware?
Immutable storage is the single most important measure - it prevents anyone from modifying or deleting backups for a set period, even with admin credentials. Air-gapped backups that are physically disconnected from the network add another layer. Keep backup credentials completely separate from production and never store them on production servers. Monitor backup systems for unauthorised access. Test restoration from your immutable copies regularly to confirm they actually work. Many cloud backup services now offer built-in immutability, which makes this much easier to implement.
How often should we test backup restoration?
Monthly for individual files and database restores. Quarterly for critical system recovery. Annually for a full disaster recovery exercise. Also test after any changes to backup infrastructure or procedures. Vary what you test each time to cover different failure scenarios. Track how long restoration takes and compare against your RTOs - if recovery takes longer than the business can tolerate, your backup strategy needs adjusting.
