Information Backup - ISO 27001 Annex A Control

Backups are the difference between an incident and a disaster.

ISO 27001 Annex A 8.13 - Information Backup

Backups are the foundation of recovery. When data is lost, corrupted or encrypted by ransomware, the backup is the only way back to a known-good state. The control asks for backups to be maintained and tested - the testing matters because untested backups have a habit of failing exactly when they are needed most.

Modern backup design typically follows variants of the 3-2-1 approach: at least three copies of important data, on at least two different media types, with at least one copy offsite. The newer 3-2-1-1-0 variant adds an immutable copy and zero errors during recovery testing. The principle is the same: redundancy that survives the failure modes most likely to affect the primary copy.

Backup security has become a particular focus because of ransomware. Attackers target backups specifically, knowing that a victim with intact backups can refuse to pay. Immutable storage, separated authentication for backup systems, and offline copies all reduce the risk of backups being compromised at the same time as production.

Untested backups are the most common high-impact gap I see in audit. Organisations have backup systems running and apparently completing successfully, but have never recovered a real workload from them. The first time anyone tries, problems surface - slow recovery, missing dependencies, files that did not actually back up. Periodic recovery testing turns the backup from theoretical protection into proven capability.

Recovery time and recovery point objectives matter as much as the backup frequency. Backing up nightly does not help if the business cannot operate for 24 hours without the data. The retention period also matters - some incidents are not detected for weeks, and the backup needs to predate the compromise to be useful for recovery.
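To show how the 3-2-1-1-0 rule, the recovery point objective and the retention point above combine into one check, here is an added example (not code from the page or from alphaZ) that assesses a constructed backup catalogue for a single system; the catalogue fields, thresholds and finding texts are assumptions.

```python
"""Assess a constructed backup catalogue against 3-2-1-1-0, RPO and retention."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BackupCopy:
    media: str                      # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool
    interval_hours: int             # how often this copy is refreshed
    retention_days: int             # how far back restore points are kept
    last_test_errors: Optional[int]  # None means a restore has never been tested


def assess(copies: List[BackupCopy], rpo_hours: int, detection_lag_days: int) -> List[str]:
    """Return a list of findings; an empty list means the copy set passes."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        findings.append("copies share a single media type")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy")
    if any(c.last_test_errors is None for c in copies):
        findings.append("restore never tested for some copies")
    elif any(c.last_test_errors for c in copies):
        findings.append("last recovery test reported errors")
    # RPO: the most frequently refreshed copy must keep up with the RPO.
    if copies and min(c.interval_hours for c in copies) > rpo_hours:
        findings.append("backup interval exceeds RPO")
    # Retention: some copy must still hold a restore point older than the time
    # an incident may go undetected, so a clean pre-compromise state exists.
    if copies and max(c.retention_days for c in copies) <= detection_lag_days:
        findings.append("retention shorter than assumed detection lag")
    return findings


# Constructed catalogue: nightly local disk snapshots, a daily replicated copy
# at a second site (never restore-tested), and a weekly immutable object-store copy.
CATALOGUE = [
    BackupCopy("disk", False, False, 24, 14, 0),
    BackupCopy("disk", True, False, 24, 30, None),
    BackupCopy("object-storage", True, True, 168, 90, 0),
]

if __name__ == "__main__":
    for finding in assess(CATALOGUE, rpo_hours=24, detection_lag_days=45):
        print("FINDING:", finding)
```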

Practical Compliance Guidance

Backup arrangements are described in the IMS1 manual at section 8.3 on IT equipment alongside the wider business continuity arrangements. Backup logs and recovery test records provide the operational evidence.

alphaZ document - How to use it

ISO 27001 Toolkit: The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

F-IMS21 Business Continuity Register: The business continuity register listing scenarios and arrangements. Use it to record backup scope, retention, recovery objectives and test results for each system.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Frequency depends on the recovery point objective - how much data the organisation can afford to lose. Critical transactional systems may need continuous replication or hourly snapshots. Less time-sensitive systems may be fine with daily backups. The schedule should be set in the policy and aligned with the business impact analysis.

Cloud platforms typically include backup features but the responsibility model varies. Some services back themselves up by default; some require explicit configuration. The shared responsibility model needs to be understood for each service so the organisation knows what it is backing up versus what the provider handles.

Periodic recovery testing - at least annually for most systems, more often for critical ones - confirms that the backups work. The test should restore real data to a working environment and verify operational integrity, not just that the files appear. The test outcomes feed into the business continuity register.
