ISO 27001 Annex A 8.13 (Information backup) is a resilience control: it requires that backup copies of information, software and systems are maintained and regularly tested in accordance with an agreed backup policy, so that data can be recovered after loss. By defining a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO) for each asset, and proving through restore tests that both can actually be met, organizations protect themselves against data loss, ransomware and system failure and keep the business running.
ISO 27001 Annex A 8.13 Information Backup Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.13. Compliance requires a proven, tested capacity to restore operations after a catastrophic failure, not just a screenshot of a “Job Successful” notification in a backup console.
1. Define RPO and RTO per Asset
Control Requirement: Backup policies must be defined based on business requirements.
Required Implementation Step: Consult asset owners to define the Recovery Point Objective (RPO: how much data can we afford to lose?) and the Recovery Time Objective (RTO: how long can we afford to be down?) for every critical system. The RPO dictates backup frequency (e.g., SQL Server transaction log backups every 15 minutes for a 15-minute RPO); the RTO dictates the restore method and the infrastructure that must be ready to receive the restore. Translate both into the schedules and job settings of your backup software, and record the agreed values with the asset inventory so the restore test in Step 7 has something to be measured against.
Minimum Requirement: Differentiate between at least a “Critical” tier (hourly or more frequent backups) and an “Archive” tier (weekly backups); a single blanket schedule over-protects low-value data and under-protects critical data.
2. Implement the 3-2-1 Backup Strategy
Control Requirement: Ensure redundancy of data copies.
Required Implementation Step: Re-architect your backup storage to maintain three copies of the data, on two different media types (e.g., disk and tape/cloud), with one copy stored offsite. The offsite copy must be geographically separated to survive a physical site disaster, and it must not be reachable with the same credentials that production administrators hold, otherwise it is only offsite for fire and flood, not for ransomware.
Minimum Requirement: A copy on another partition or volume of the same production server does not count as a copy.
3. Enable Immutable (WORM) Storage
Control Requirement: Protect backup information against malware and ransomware.
Required Implementation Step: Configure “Object Lock” or Write-Once-Read-Many (WORM) settings on your backup repository (e.g., AWS S3 Object Lock, or a hardened Linux repository in the backup product). This prevents ransomware, and rogue or compromised administrators, from encrypting or deleting the backup chain during the retention period. Two caveats: S3 Object Lock in GOVERNANCE mode can be bypassed by any principal that holds the s3:BypassGovernanceRetention permission, so use COMPLIANCE mode for backup data; and a default retention rule only applies to objects written after the rule is set, so existing backups remain unprotected until they age out of the chain.
Minimum Requirement: Backups must be undeletable and unmodifiable, by anyone, for a defined retention period; a lock that an administrator can lift does not meet this.
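An audit check for the S3 Object Lock setting above, added here as an example and not part of the original checklist. check_object_lock() works on the dictionary that boto3's get_object_lock_configuration() returns, so it can be exercised offline on constructed configurations; audit_bucket() is the live wrapper and assumes boto3, AWS credentials and a bucket name that are not given on the page. The 30-day policy minimum and the sample configurations are assumptions for illustration.

```python
"""Audit a backup bucket's S3 Object Lock configuration against the backup policy.

Added example; not vendor code. check_object_lock() is pure and runs offline,
audit_bucket() needs boto3 and credentials (both assumed, not on the page).
"""
from __future__ import annotations

from dataclasses import dataclass, field

POLICY_MIN_RETENTION_DAYS = 30  # assumed policy value for this example


@dataclass
class LockFinding:
    compliant: bool
    problems: list[str] = field(default_factory=list)


def check_object_lock(config: dict, min_retention_days: int) -> LockFinding:
    """Decide whether `config` really makes new backups immutable for min_retention_days.

    `config` has the shape S3 returns:
    {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}}
    """
    problems: list[str] = []
    olc = config.get("ObjectLockConfiguration", {})
    if olc.get("ObjectLockEnabled") != "Enabled":
        return LockFinding(False, ["Object Lock is not enabled on the bucket"])

    retention = olc.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # Lock is enabled but nothing is locked by default: every new backup object
        # is deletable unless the writer sets retention explicitly.
        return LockFinding(False, ["no default retention rule: new objects are NOT locked"])

    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        problems.append(
            f"retention mode is {mode}: GOVERNANCE can be bypassed by any principal "
            "holding s3:BypassGovernanceRetention (typically the backup admin)"
        )

    days = retention.get("Days")
    if "Years" in retention:  # S3 allows Days or Years, never both
        days = int(retention["Years"]) * 365
    if days is None or days < min_retention_days:
        problems.append(
            f"default retention is {days} days, policy requires at least {min_retention_days}"
        )
    return LockFinding(not problems, problems)


def audit_bucket(bucket: str, min_retention_days: int = POLICY_MIN_RETENTION_DAYS) -> LockFinding:
    """Live check; requires boto3 and s3:GetBucketObjectLockConfiguration on the bucket."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        config = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as err:
        # S3 reports "not configured" as an error rather than an empty result.
        if err.response["Error"]["Code"] == "ObjectLockConfigurationNotFoundError":
            return LockFinding(False, ["Object Lock is not enabled on the bucket"])
        raise
    return check_object_lock(config, min_retention_days)


# Constructed sample configurations (not taken from any real account).
SAMPLE_COMPLIANT = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}}
SAMPLE_GOVERNANCE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 35}}}}
SAMPLE_NO_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}

if __name__ == "__main__":
    for name, cfg in [("compliant", SAMPLE_COMPLIANT), ("governance", SAMPLE_GOVERNANCE),
                      ("no-rule", SAMPLE_NO_RULE)]:
        finding = check_object_lock(cfg, POLICY_MIN_RETENTION_DAYS)
        print(name, "OK" if finding.compliant else finding.problems)
```

Run the live check from a pipeline that is separate from the backup server, so a compromised backup host cannot also silence the audit; a GOVERNANCE-mode result or a missing default rule should open a ticket, not just a log line.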
4. Encrypt Backups at Rest and in Transit
Control Requirement: Ensure confidentiality of backed-up information.
Required Implementation Step: Enable AES-256 encryption on the backup jobs themselves, not only on the underlying disk. Manage the encryption keys separately from the backup server (a KMS or HSM, or an offline escrow copy held by a different team); if the keys are lost in the same disaster that destroyed the server, the backups are cryptographically useless. Include retrieving the keys from escrow in every restore test.
Minimum Requirement: Never send unencrypted backup streams over the internet to a cloud provider; use TLS for transport and encrypt the backup data itself so that the provider's staff cannot read it.
5. Backup SaaS and Cloud Applications
Control Requirement: Protect information stored in cloud services.
Required Implementation Step: Deploy a dedicated backup solution for Microsoft 365, Google Workspace and Salesforce. A Microsoft 365 retention policy is not a backup: it holds deleted items for a period, but it offers no point-in-time restore of a whole mailbox or site, it does nothing about data that was corrupted rather than deleted, and a compromised global administrator can remove it unless it has been sealed with Preservation Lock.
Minimum Requirement: Under the shared responsibility model the provider is responsible for the service being available; the data inside it is your responsibility.
6. Verify Backup Integrity Automatically
Control Requirement: Ensure backup copies are readable and recoverable.
Required Implementation Step: Configure your backup software to run automated verification jobs (e.g., Veeam SureBackup, Datto screenshot verification). These boot the restored VM in an isolated sandbox and check that the OS starts and the applications respond, rather than only checking that the backup file's checksum matches.
Minimum Requirement: A “green tick” on the dashboard is insufficient; you need proof of bootability for every critical system.
7. Schedule and Document Full Restoration Tests
Control Requirement: Regularly test the restoration procedures.
Required Implementation Step: Perform a manual full-system restore (bare-metal recovery) of a critical server at least quarterly, restoring from the offsite or immutable copy rather than the convenient local one, and retrieving encryption keys from escrow rather than from the backup server. Record when the restore started and when the application was confirmed working, compare that elapsed time with the RTO and the age of the restore point with the RPO defined in Step 1, and keep the record as audit evidence.
Minimum Requirement: Restoring a single file is not a disaster recovery test.
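A way to turn the restore-test record from Step 7 into the evidence Step 1 asks for, added here as an example and not part of the original checklist. The targets (1-hour RPO, 4-hour RTO), the asset name and the timestamps are constructed for illustration; what the code shows is which measurements a test record needs in order to prove RPO and RTO, and why a restore from the local copy with keys taken from the backup server does not count as a pass.

```python
"""Score a restoration test against the RPO/RTO agreed for the asset.

Added example; assets, targets and timestamps below are constructed, not from
any real environment.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryTarget:
    asset: str
    rpo: timedelta  # maximum tolerable data loss
    rto: timedelta  # maximum tolerable downtime


@dataclass(frozen=True)
class RestoreTestRecord:
    asset: str
    backup_completed_at: datetime   # timestamp of the restore point that was used
    failure_simulated_at: datetime  # the moment of "disaster" the test assumes
    restore_started_at: datetime
    service_verified_at: datetime   # when the application answered a real query, not when files landed
    restore_source: str             # "offsite-immutable" or "local-disk"
    keys_from_escrow: bool          # encryption keys fetched from outside the backup server


def _minutes(td: timedelta) -> int:
    return int(td.total_seconds() // 60)


def evaluate(target: RecoveryTarget, rec: RestoreTestRecord) -> dict:
    """Return the evidence record: achieved vs. target RPO/RTO plus any findings."""
    if target.asset != rec.asset:
        raise ValueError(f"target is for {target.asset}, record is for {rec.asset}")
    achieved_rpo = rec.failure_simulated_at - rec.backup_completed_at
    achieved_rto = rec.service_verified_at - rec.restore_started_at
    findings: list[str] = []
    if achieved_rpo > target.rpo:
        findings.append(f"RPO missed: {_minutes(achieved_rpo)} min of data lost, target {_minutes(target.rpo)} min")
    if achieved_rto > target.rto:
        findings.append(f"RTO missed: {_minutes(achieved_rto)} min to recover, target {_minutes(target.rto)} min")
    if rec.restore_source != "offsite-immutable":
        findings.append("restored from the local copy only; the offsite/immutable copy is still unproven")
    if not rec.keys_from_escrow:
        findings.append("keys came from the backup server itself; key escrow is still unproven")
    return {
        "asset": target.asset,
        "tested_at": rec.restore_started_at.isoformat(),
        "restore_point": rec.backup_completed_at.isoformat(),
        "achieved_rpo_minutes": _minutes(achieved_rpo),
        "target_rpo_minutes": _minutes(target.rpo),
        "achieved_rto_minutes": _minutes(achieved_rto),
        "target_rto_minutes": _minutes(target.rto),
        "findings": findings,
        "passed": not findings,
    }


def evidence_json(result: dict) -> str:
    """Serialise the evaluation for the audit evidence store."""
    return json.dumps(result, indent=2, sort_keys=True)


_t = datetime.fromisoformat  # e.g. "2024-05-01T09:00:00+00:00"

# Constructed sample data: a SQL server with a 1-hour RPO and 4-hour RTO.
SQL_PROD = RecoveryTarget("sql-prod", rpo=timedelta(hours=1), rto=timedelta(hours=4))

# A proper test: 15-minute log backups, restored from the immutable copy, keys from escrow.
GOOD_TEST = RestoreTestRecord(
    "sql-prod", _t("2024-05-01T09:00:00+00:00"), _t("2024-05-01T09:30:00+00:00"),
    _t("2024-05-01T09:45:00+00:00"), _t("2024-05-01T12:15:00+00:00"),
    restore_source="offsite-immutable", keys_from_escrow=True)

# A weak test: last night's full backup, restored from local disk, keys read off the backup server.
WEAK_TEST = RestoreTestRecord(
    "sql-prod", _t("2024-05-01T02:00:00+00:00"), _t("2024-05-01T09:30:00+00:00"),
    _t("2024-05-01T09:45:00+00:00"), _t("2024-05-01T12:15:00+00:00"),
    restore_source="local-disk", keys_from_escrow=False)

if __name__ == "__main__":
    print(evidence_json(evaluate(SQL_PROD, GOOD_TEST)))
    print(evidence_json(evaluate(SQL_PROD, WEAK_TEST)))
```

Note that the RTO clock stops at service_verified_at, the moment a real application query succeeded, not when the last file was copied; the minutes between those two points are often where an RTO is lost.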
8. Secure the Backup Management Plane
Control Requirement: Protect the backup infrastructure from unauthorised access.
Required Implementation Step: Isolate the backup server from the production domain. Use a separate workgroup or a dedicated management domain, unique credentials, and Multi-Factor Authentication (MFA) for console access, and restrict network access to the repository to the backup server alone. If an attacker compromises Active Directory, that must not give them a path to the backup console or the repository.
Minimum Requirement: The backup administrator account must not be the same account as, or reachable with the same password as, the domain administrator account.
9. Monitor Job Failures and Storage Capacity
Control Requirement: Detect failures in backup execution.
Required Implementation Step: Configure alerts that open a service-desk ticket immediately on job failure and on “success with warnings” (a skipped file or a missed VM is a failure of that object, not a partial success). Monitor repository capacity trends so you can predict when space will run out, rather than discovering it from a “disk full” job failure.
Minimum Requirement: Silence is not success; add “heartbeat” monitoring that alerts when an expected job report does not arrive, so a dead reporting system is detected too.
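The three detections from Step 9 (failure or warning, a job that has gone silent, and a capacity projection), added here as an example and not part of the original checklist. The log line format, the job names, their expected intervals, the “now” timestamp and the capacity samples are all constructed for illustration; real products emit different formats, so parse_log() is the part you would swap out.

```python
"""Backup job monitoring: alerts for failures, warnings, silence and running out of space.

Added example. SAMPLE_LOG, EXPECTED_JOBS, NOW and the capacity samples are
constructed; the line format is an assumed "<ts> job=<name> status=<s> [detail=...]".
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-06T01:05:12+00:00 job=sql-prod status=success
2024-05-06T01:40:03+00:00 job=fileserver status=warning detail="2 files skipped: sharing violation"
2024-05-06T02:10:44+00:00 job=exchange status=failed detail="repository full: 0 bytes free"
2024-05-06T03:00:00+00:00 job=sql-prod status=success
"""

# Jobs the service desk expects to hear from, and how often (assumed values).
EXPECTED_JOBS = {
    "sql-prod": timedelta(hours=1),    # frequent log backups roll up into hourly reports
    "fileserver": timedelta(hours=24),
    "exchange": timedelta(hours=24),
    "erp": timedelta(hours=24),        # in the schedule, but has never reported
}

NOW = datetime.fromisoformat("2024-05-06T04:30:00+00:00")  # constructed evaluation time

_LINE = re.compile(r'^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\S+)(?: detail="(?P<detail>[^"]*)")?$')


def parse_log(text: str) -> list[dict]:
    """Parse report lines; malformed lines are kept as 'unparsed' rather than dropped."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _LINE.match(raw)
        if not m:
            events.append({"ts": None, "job": None, "status": "unparsed", "detail": raw})
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["detail"] = d["detail"] or ""
        events.append(d)
    return events


def alerts(events: list[dict], expected: dict[str, timedelta], now: datetime) -> list[dict]:
    """One alert per non-success report, plus one per expected job that has gone quiet."""
    out: list[dict] = []
    last_seen: dict[str, datetime] = {}
    for e in events:
        if e["status"] == "unparsed":
            out.append({"job": None, "kind": "unparsed", "message": f"unrecognised report line: {e['detail']}"})
            continue
        last_seen[e["job"]] = max(last_seen.get(e["job"], e["ts"]), e["ts"])
        if e["status"] != "success":  # "warning" is a failure of some object, not a pass
            out.append({"job": e["job"], "kind": e["status"],
                        "message": f"{e['job']}: {e['status']} - {e['detail'] or 'no detail'}"})
    for job, interval in expected.items():  # heartbeat: silence is not success
        seen = last_seen.get(job)
        if seen is None:
            out.append({"job": job, "kind": "silent", "message": f"{job}: never reported"})
        elif now - seen > interval:
            out.append({"job": job, "kind": "silent",
                        "message": f"{job}: no report for {now - seen} (expected every {interval})"})
    return out


def days_until_full(samples: list[tuple[datetime, float]], capacity_bytes: float) -> float | None:
    """Least-squares projection of repository growth; None if usage is flat or shrinking."""
    if len(samples) < 2:
        return None
    t0 = samples[0][0]
    xs = [(t - t0).total_seconds() / 86400 for t, _ in samples]
    ys = [used for _, used in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    denom = sum((x - mx) ** 2 for x in xs)
    if denom == 0:
        return None
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / denom  # bytes per day
    if slope <= 0:
        return None
    return (capacity_bytes - ys[-1]) / slope


# Constructed weekly capacity samples: 60 TB, 63.5 TB, 67 TB used of an 80 TB repository.
CAPACITY_SAMPLES = [(datetime.fromisoformat("2024-04-22T00:00:00+00:00"), 60e12),
                    (datetime.fromisoformat("2024-04-29T00:00:00+00:00"), 63.5e12),
                    (datetime.fromisoformat("2024-05-06T00:00:00+00:00"), 67e12)]
REPOSITORY_CAPACITY = 80e12

if __name__ == "__main__":
    for a in alerts(parse_log(SAMPLE_LOG), EXPECTED_JOBS, NOW):
        print(f"[{a['kind']}] {a['message']}")
    print(f"repository full in about {days_until_full(CAPACITY_SAMPLES, REPOSITORY_CAPACITY):.0f} days")
```

Run this from the monitoring system, not from the backup server: if the backup host is the thing that died, a monitor hosted on it will never raise the “silent” alert that is the whole point of the heartbeat.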
10. Backup Configuration and Metadata
Control Requirement: Ensure the ability to restore the environment, not just the files.
Required Implementation Step: Back up the configuration of network switches, firewalls, hypervisors and the backup server itself (including its job catalogue and repository definitions). Without these configurations you may have the data but no infrastructure to run it on, and no backup server that knows where the data is.
Minimum Requirement: Export firewall rules, switch configurations and the backup server configuration regularly to an access-controlled location that keeps a change history, and store that export somewhere the backup server is not needed to read it.
ISO 27001 Annex A 8.13 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Regular Testing | GRC tool asks: “Do you test backups?” (Yes/No). | You clicked “Yes” because you restored a Word doc last year. Meanwhile, your SQL server backup is corrupt and won’t boot. |
| SaaS Protection | “We use the Cloud, they back it up.” | Microsoft ensures the service is available, not your data. If an employee deletes a SharePoint site and purges it from the recycle bin, there is no copy under your control to restore from. |
| Immutability | “We have a backup policy.” | Ransomware hit the network, found the backup server on the domain, and encrypted the backup files because they weren’t immutable. |
| Encryption | “Backups are stored in a secure room.” | The tapes were lost in transit to the storage facility. Since they were unencrypted, all customer data is now breached. |
| Restoration Time (RTO) | “We back up every night.” | Backing up is easy; restoring is hard. It took 4 days to download the data from the cloud, missing the 4-hour RTO. |
| Alerting | Reviewing logs monthly. | The backup job has been failing for 29 days. You only found out when you needed to restore a file today. |
| Account Separation | Using Domain Admin for everything. | The attacker compromised the Domain Admin account and used it to format the backup repository before deploying the ransomware. |
