ISO 27001:2022 Annex A Control 8.13

Abstract of Annex A Control 8.13: Information backup

Control 8.13 of ISO 27001 focuses on establishing, maintaining, and regularly testing backup copies of information, software, and systems. Effective backups ensure that essential data can be recovered in the event of incidents such as hardware failures, cyber-attacks, or other disruptions.

ISO 27001 Annex A Control 8.13 Information Backup

Control Type

Information Security Properties

Cybersecurity Concepts

Operational Capabilities

Security Domains

Objective of Control 8.13

The main objective of this control is to guarantee the required level of availability for vital information processing facilities. By properly designing redundant systems, your organization significantly reduces the risk of a single point of failure and ensures resilience against hardware malfunctions, software glitches, and environmental disruptions. In essence, you aim to keep operations running smoothly even when unexpected issues arise.

Purpose of Control 8.13

The purpose of Control 8.13 is to:

  1. Maintain Continuity: Ensure critical services remain accessible, meeting predefined service-level agreements (SLAs) or internal objectives.
  2. Strengthen Cybersecurity: Mitigate threats that exploit downtime to compromise data or infrastructure.
  3. Prevent Data Loss: Protect data integrity during failover events by having equivalent security measures for all redundant systems.
  4. Enhance Operational Confidence: Instill trust in your clients, partners, and employees that your organization can withstand failures and disasters.

Topic-Specific Backup Policy

A backup policy is your roadmap for consistent, reliable, and secure backups. Having a clearly documented and topic-specific backup policy ensures that everyone in your organization understands the process, goals, and importance of data backups. This policy should define:

  1. Scope and Coverage: Which data types, applications, and systems require backups.
  2. Roles and Responsibilities: Who oversees backup tasks, tests restorations, and approves changes to the backup policy.
  3. Compliance Requirements: How your organization meets internal, legal, and regulatory guidelines through backup strategies.

Designing Your Backup Plan

Designing a robust backup plan involves more than just scheduling a daily backup job. It’s about aligning technology, business requirements, and security needs. Here’s what to consider:

Backup Records & Restoration Procedures

  • Maintain accurate records of backup copies, including schedules and retention periods.
  • Document clear restoration procedures so your team knows exactly what to do when data recovery is required.

Business Requirements & Frequency

  • Align backup frequency with your Recovery Point Objective (RPO) and Recovery Time Objective (RTO)—essential targets set by your business continuity plan.
  • Decide on full, differential, or incremental backups, based on data volume, criticality, and organizational needs.

Secure Offsite Storage

  • Store backup media in a secure, remote location to mitigate the risk of simultaneous loss (e.g., a natural disaster at your main site).
  • Ensure the same level of physical and environmental security at this location as in your primary data center.

Testing and Verification

  • Regularly test your backups by performing restores in a controlled environment.
  • Ensure test procedures do not overwrite production data, and confirm all data can be successfully recovered.

Encryption and Data Protection

  • Encrypt sensitive or critical backups to protect them from unauthorized access.
  • Manage encryption keys securely and according to your key management policy.

Retention and Deletion

  • Implement a retention schedule that meets both business needs and regulatory requirements.
  • Securely delete data from backup media once the retention period expires, avoiding unnecessary storage costs and privacy risks.
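The design decisions above (full versus incremental copies, a retention schedule, and restore tests that confirm every copy can actually be read) can be expressed as a small catalogue tool. The following is an added example written for this page, not code from ISO 27001 or from any backup product; the grandfather-father-son retention rule, the `Backup` record, the job dates and the byte payloads are all constructed assumptions, and the SHA-256 digest stands in for whatever integrity value your backup software records. It goes slightly beyond the text by resolving the full-plus-incremental chain needed for a point-in-time restore and checking each link of that chain against the catalogue.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str       # "full" or "incremental"
    sha256: str     # digest recorded in the catalogue when the copy was written
    payload: bytes  # stands in for the backup file; constructed sample data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(taken: date, kind: str, payload: bytes, corrupt: bool = False) -> Backup:
    """Create a constructed catalogue entry. corrupt=True simulates media that
    was damaged after its digest was recorded, which a restore test must catch."""
    digest = sha256_hex(payload)
    if corrupt:
        payload += b"\x00"
    return Backup(taken, kind, digest, payload)


def retention_keep(dates, today: date, daily: int = 7, weekly: int = 4, monthly: int = 12):
    """Grandfather-father-son style retention (assumed policy, not a standard requirement).
    Keeps every copy from the last `daily` days, the newest copy of each ISO week for
    the last `weekly` weeks and the newest copy of each month for the last `monthly`
    months. Any copy outside the returned set is due for secure deletion."""
    newest_in_week, newest_in_month = {}, {}
    for d in sorted(dates):  # later dates overwrite earlier ones
        newest_in_week[d.isocalendar()[:2]] = d
        newest_in_month[(d.year, d.month)] = d
    keep = set()
    for d in dates:
        age_days = (today - d).days
        age_months = (today.year - d.year) * 12 + today.month - d.month
        if age_days < daily:
            keep.add(d)
        elif newest_in_week[d.isocalendar()[:2]] == d and age_days < weekly * 7:
            keep.add(d)
        elif newest_in_month[(d.year, d.month)] == d and age_months < monthly:
            keep.add(d)
    return keep


def restore_chain(backups, target: date):
    """Return the copies needed to restore the state of `target`: the newest full
    backup taken on or before it plus every incremental in between. Raises when the
    chain is broken, e.g. an incremental whose base full copy was already deleted."""
    chain = []
    for b in sorted(backups, key=lambda b: b.taken):
        if b.taken > target:
            break
        if b.kind == "full":
            chain = [b]  # a new full backup starts a fresh chain
        elif chain:
            chain.append(b)
        else:
            raise ValueError(f"incremental of {b.taken} has no preceding full backup")
    if not chain or chain[-1].taken != target:
        raise ValueError(f"no backup was taken on {target}")
    return chain


def verify_chain(chain):
    """Recompute every digest in the chain and compare it with the catalogue value.
    Returns the dates whose media no longer match; a non-empty list means the
    restore test has found a copy that cannot be relied on."""
    return [b.taken for b in chain if sha256_hex(b.payload) != b.sha256]


# Constructed sample data: one nightly copy per day for Q1 2024, and a short
# full/incremental set in which the copy of 3 March was corrupted on the media.
SAMPLE_TODAY = date(2024, 3, 31)


def sample_dates():
    return [date(2024, 1, 1) + timedelta(days=i) for i in range(91)]


def sample_backups():
    return [
        make_backup(date(2024, 3, 1), "full", b"db-full-2024-03-01"),
        make_backup(date(2024, 3, 2), "incremental", b"db-delta-2024-03-02"),
        make_backup(date(2024, 3, 3), "incremental", b"db-delta-2024-03-03", corrupt=True),
        make_backup(date(2024, 3, 4), "full", b"db-full-2024-03-04"),
        make_backup(date(2024, 3, 5), "incremental", b"db-delta-2024-03-05"),
    ]


if __name__ == "__main__":
    keep = retention_keep(sample_dates(), SAMPLE_TODAY)
    print("copies to keep:", sorted(d.isoformat() for d in keep))
    chain = restore_chain(sample_backups(), date(2024, 3, 3))
    print("chain for 2024-03-03:", [(b.taken.isoformat(), b.kind) for b in chain])
    print("copies failing verification:", verify_chain(chain))
```

Run on the sample data, the retention rule keeps 12 of the 91 nightly copies (the last seven days, three older weekly copies and the month-end copies for January and February), and the restore test for 3 March reports that date as unreadable even though the catalogue entry looks complete, which is exactly the gap a restore-only-on-paper test would miss.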

Operational Considerations

Monitoring and Logging
Monitor backup jobs for failure or error reports and investigate any irregularities promptly. Thorough logging supports future audits, compliance checks, and incident investigations.
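Monitoring is only useful if someone turns the job log into a decision, and a job that silently never ran is as dangerous as one that reported an error. The script below is an added example for this page, not code from any backup product: the log line format, the job names and the per-job RPO values are constructed assumptions. It flags three conditions: a run that reported failure, an expected job whose last success is older than its RPO, and an expected job that does not appear in the log window at all.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed): ISO-8601 UTC timestamp, job name, status,
# and an optional quoted error message on failed runs.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\w+)(?: error="(?P<error>[^"]*)")?'
)

# Constructed sample log covering three nights; files-nightly fails twice in a row.
SAMPLE_LOG = """\
2024-03-29T01:00:12Z job=db-nightly status=success bytes=5120000
2024-03-29T01:05:44Z job=files-nightly status=success bytes=91000000
2024-03-30T01:00:09Z job=db-nightly status=success bytes=5210000
2024-03-30T01:05:51Z job=files-nightly status=failed error="media write error"
2024-03-31T01:00:11Z job=db-nightly status=success bytes=5250000
2024-03-31T01:05:40Z job=files-nightly status=failed error="media write error"
"""

# Assumed job inventory: job name -> RPO in hours, taken from the continuity plan.
EXPECTED_JOBS = {"db-nightly": 24, "files-nightly": 24, "mail-weekly": 168}

SAMPLE_NOW = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)


def parse_log(text: str):
    """Return (timestamp, job, status, error) tuples; unparseable lines are skipped
    here, but a production monitor should count them so a format change is noticed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["job"], m["status"], m["error"]))
    return events


def evaluate(events, expected_jobs, now: datetime):
    """Produce alert strings for failed runs, RPO breaches and missing jobs."""
    alerts = []
    last_success = {}
    for ts, job, status, error in events:
        if status == "success":
            last_success[job] = max(ts, last_success.get(job, ts))
        elif status == "failed":
            alerts.append(f"{job}: run at {ts.isoformat()} failed ({error})")
    for job, rpo_hours in expected_jobs.items():
        if job not in last_success:
            alerts.append(f"{job}: no successful run in the log window")
        elif now - last_success[job] > timedelta(hours=rpo_hours):
            age = now - last_success[job]
            alerts.append(f"{job}: last success {age} ago exceeds RPO of {rpo_hours}h")
    return alerts


def check_sample():
    """Run the monitor over the constructed log at the constructed 'now'."""
    return evaluate(parse_log(SAMPLE_LOG), EXPECTED_JOBS, SAMPLE_NOW)


if __name__ == "__main__":
    for alert in check_sample():
        print("ALERT", alert)
```

Against the sample log this raises four alerts: the two failed runs, an RPO breach for files-nightly (its last good copy is from 29 March), and the absence of any mail-weekly run. Comparing against an inventory of expected jobs is the part that catches the case the log itself cannot report.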

Cloud Backup Strategy
If you rely on cloud environments, verify how backup responsibilities are shared between your organization and the cloud service provider. Cloud-based solutions often offer powerful redundancy options, but it’s crucial to align these solutions with your internal backup policy.

Emergency and Continuity Testing
Incorporate backup and restore tests into your broader incident response and business continuity exercises. These proactive tests will reveal any gaps in your processes before a real disaster occurs.

Other Relevant ISO 27001 Controls

Information Backup (Control 8.13) works together with several other controls, strengthening your organization’s overall security posture:

  • Control 5.30 (ICT Readiness for Business Continuity): Ensures backup and restore objectives meet business requirements for recovery time and recovery points.
  • Control 8.1 (User Endpoint Devices): Covers the protection of user endpoint devices.
  • Control 8.10 (Information Deletion): Guides secure deletion of data at the end of its lifecycle, including backup media.
  • All controls in Theme 7 (Physical Controls):
    • Control 7.1
    • Control 7.2
    • Control 7.3
    • Control 7.4
    • Control 7.5
    • Control 7.6
    • Control 7.7
    • Control 7.8
    • Control 7.9
    • Control 7.10
    • Control 7.11
    • Control 7.12
    • Control 7.13
    • Control 7.14

Supporting Templates on Our Website

Improve your implementation of Control 8.13 with templates designed to save you time and ensure best practices:

  1. Backup Policy Template
    Easily define objectives, scope, responsibilities, and procedures to align your organization’s backup practices with ISO 27001 requirements.

  2. Backup Testing Procedure Checklist
    A step-by-step guide that ensures your backup restoration tests are thorough, minimizing the risk of surprises during real incidents.

  3. Backup and Retention Schedule Template
    Provides a clear structure for scheduling backups and tracking retention periods, helping you optimize storage usage.

  4. Cloud Provider Assessment Questionnaire
    Helps evaluate cloud backup offerings, ensuring they meet your internal policies and compliance obligations.