ISO 27001 Control 8.13: Information Backup
Control 8.13 requires organizations to maintain and regularly test backup copies of information, software, and systems to ensure data recoverability. Without a robust backup strategy, your organization risks permanent data loss and regulatory non-compliance. This control is fundamental to business continuity and disaster recovery readiness.
What this means
Information Backup (8.13) mandates that your organization establish a backup policy covering all critical information assets, software, and systems. The policy must define backup frequency, retention periods, storage locations, and recovery procedures. Regular testing—not just backup execution—is essential to verify that backups are functional and data can actually be restored when needed. This control addresses the confidentiality, integrity, and availability triad by protecting against data loss scenarios.
How to comply
- 1.Develop a documented backup policy specifying what gets backed up, how often, and for how long
- 2.Identify all critical information, software, and systems that require backup coverage
- 3.Implement automated backup solutions with encryption for data in transit and at rest
- 4.Establish backup storage locations that are geographically separated from primary systems
- 5.Schedule and perform regular restore tests to validate backup integrity and recovery time objectives (RTO)
- 6.Document all backup activities, test results, and any recovery incidents
- 7.Review and update the backup policy annually or when systems and business requirements change
- 8.Assign clear ownership and responsibilities for backup management and testing
Evidence auditors look for
- Backup policy document with defined frequency, retention, and recovery requirements
- Backup schedule showing daily, weekly, or monthly backup cycles for all critical assets
- Backup execution logs with timestamps, file counts, and completion status
- Restore test documentation including date, systems tested, recovery time, and success confirmation
- Backup storage inventory showing locations, media types, and encryption status
- Recovery procedure documentation with step-by-step restoration instructions
- Incident logs documenting any data loss events or failed backup scenarios
- Maintenance records for backup infrastructure and software updates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates backup policy tracking, backup execution monitoring, and restore test documentation—eliminating manual log reviews and ensuring audit-ready evidence for 8.13 compliance.
See how GRCWatch handles this control automatically
Start free trial