How to Audit ISO 27001 Control 8.13: Information Backup

Auditing ISO 27001 Annex A 8.13 Information Backup is the technical verification of an organisation's data redundancy and restoration integrity controls. The primary implementation requirement is to maintain encrypted, immutable copies in geographically diverse locations; the business benefit is guaranteed service continuity and rapid recovery from ransomware or site-wide disasters.

ISO 27001 Annex A 8.13 Information Backup Audit Checklist

This technical verification tool provides a binary (pass/fail) framework for assessing the resilience and recoverability of organisational data. Use this checklist to validate compliance with ISO 27001 Annex A 8.13.

1. Backup Policy and Schedule Formalisation Verified

Verification Criteria: A documented policy exists defining backup frequencies, retention periods, and specific responsibilities for all identified information assets.

Required Evidence: Approved Information Backup Policy and an active, system-generated backup schedule.

Pass/Fail Test: If a defined backup schedule for critical systems (as identified in the Asset Register) is missing or undocumented, mark as Non-Compliant.

2. Backup Scope Completeness Validated

Verification Criteria: The backup configuration includes all critical data, operating systems, and configurations necessary to restore services to an operational state.

Required Evidence: Backup job configuration files or inventory lists cross-referenced against the Master Asset Register.

Pass/Fail Test: If the backup scope excludes critical databases or system configuration files identified in the risk assessment, mark as Non-Compliant.

3. Restoration Testing Integrity Confirmed

Verification Criteria: Periodic restoration tests are conducted to verify that data can be successfully recovered and that the bit-integrity of the data remains intact.

Required Evidence: Restoration test logs, data verification reports, or “Proof of Concept” restore records from the last six months.

Pass/Fail Test: If the organisation cannot provide documented evidence of a successful restoration test within the current audit cycle, mark as Non-Compliant.

4. Backup Encryption at Rest Verified

Verification Criteria: All backup data stored on physical media or cloud repositories is protected by strong cryptographic controls to prevent unauthorised access.

Required Evidence: Backup software configuration screenshots showing AES-256 (or equivalent) encryption enabled for all storage volumes.

Pass/Fail Test: If backup repositories contain plain-text data or use obsolete encryption algorithms, mark as Non-Compliant.

5. Off-site or Geographically Diverse Storage Confirmed

Verification Criteria: Copies of backups are stored in a secondary location geographically distant from the primary site to mitigate the risk of site-wide disasters.

Required Evidence: Cloud provider region reports or physical media transfer logs to a secure off-site facility.

Pass/Fail Test: If backups are stored exclusively in the same physical rack or availability zone as the primary production data, mark as Non-Compliant.

6. Backup Access Control and Privilege Segregation Validated

Verification Criteria: Access to backup systems and the ability to delete or modify existing backup sets is restricted to authorised personnel only.

Required Evidence: Identity and Access Management (IAM) reports showing restricted access to backup portals; evidence of multi-factor authentication (MFA).

Pass/Fail Test: If standard system administrators have full delete permissions on backup sets without a second-party approval or MFA, mark as Non-Compliant.

7. Offline/Immutable Storage (Ransomware Protection) Verified

Verification Criteria: At least one copy of critical backup data is stored in an offline or immutable state, protected from alteration or deletion by ransomware.

Required Evidence: Cloud Object Lock configuration reports, air-gapped tape logs, or write-once-read-many (WORM) storage settings.

Pass/Fail Test: If all backup copies are logically connected to the production network with no immutable protection, mark as Non-Compliant.

8. Backup Retention Period Alignment Confirmed

Verification Criteria: Backup data is retained for the durations specified in the organisational data retention schedule and relevant legal/regulatory requirements.

Required Evidence: Backup system retention policy settings showing “Time to Live” (TTL) configurations for daily, weekly, and monthly sets.

Pass/Fail Test: If backups are purged before the mandatory regulatory retention period expires, mark as Non-Compliant.

9. Logging and Alerting of Backup Failures Validated

Verification Criteria: The backup system generates logs for all backup activities and triggers automated alerts to IT personnel in the event of job failures.

Required Evidence: Backup failure notification emails or ticket logs from the monitoring system generated during the last backup error.

Pass/Fail Test: If backup jobs fail silently without generating a critical alert to the operations team, mark as Non-Compliant.

10. Restoration Time Objective (RTO) Compliance Verified

Verification Criteria: Restoration procedures are capable of meeting the organisation’s defined Restoration Time Objectives (RTO) as stated in the Business Continuity Plan.

Required Evidence: Disaster Recovery test results comparing the actual time taken to restore data against the target RTO.

Pass/Fail Test: If actual restoration times documented in tests significantly exceed the business-mandated RTO, mark as Non-Compliant.

| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Backup Policy | Uploading a static PDF policy to a GRC portal. | Verifying that the automated schedule in the backup tool mirrors the policy exactly. |
| Restoration Testing | Reporting “Success” based on a green checkbox in a dashboard. | Demanding a bit-level comparison of a restored file against its source to prove integrity. |
| Ransomware Protection | Backing up to a secondary cloud drive on the same network. | Evidence of an immutable “Object Lock” that even a Global Admin cannot delete for X days. |
| Backup Encryption | Trusting the Cloud Provider’s “Encryption by Default”. | Validating Customer Managed Keys (CMK) and proving the provider cannot access the data. |
| Monitoring & Alerting | Reviewing logs only during the annual audit. | Reviewing the “Failed Backup” ticketing history to prove responders acted on alerts. |
| Retention Periods | Assuming all data is kept “forever” in the cloud. | Verifying that automated deletion policies are purging data correctly to avoid legal liability. |
| Access Controls | Granting all IT staff access to the backup portal. | Enforcing “Just-in-Time” (JIT) access or “Four-Eyes” approval for destructive backup actions. |
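As an added example (not the author's or the page's own tooling), the following Python script applies the bit-level comparison called for in checklist items 3 and 10 and in the "Restoration Testing" row above: a SHA-256 manifest captured at backup time is compared against the restored files, and the measured restore duration is checked against the RTO. All file names, contents and timings are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class RestoreTestResult:
    mismatched: list = field(default_factory=list)  # restored files whose SHA-256 differs from the source
    missing: list = field(default_factory=list)     # manifest entries the restore did not produce
    restore_seconds: float = 0.0                    # measured duration of the restore job
    rto_seconds: float = 0.0                        # target from the Business Continuity Plan

    @property
    def compliant(self) -> bool:
        # Both halves of the audit test: bit-level integrity AND the RTO was met
        return not self.mismatched and not self.missing and self.restore_seconds <= self.rto_seconds

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream in 1 MiB chunks so large files fit in memory
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256; capture this at backup time, not at restore time."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored_root: Path, restore_seconds: float, rto_seconds: float) -> RestoreTestResult:
    """Flag manifest entries that are missing or altered in the restore; extra files are ignored."""
    result = RestoreTestResult(restore_seconds=restore_seconds, rto_seconds=rto_seconds)
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            result.missing.append(rel)
        elif restored[rel] != digest:
            result.mismatched.append(rel)
    return result

def demo() -> RestoreTestResult:
    """Constructed sample: one file corrupted by a single byte, one missing, restore took 15 min against a 1 h RTO."""
    work = Path(tempfile.mkdtemp())
    src, dst = work / "source", work / "restored"
    for rel, data in {"db/customers.sql": b"INSERT ...", "config/app.yaml": b"debug: false", "www/index.html": b"<h1>ok</h1>"}.items():
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(data)
    manifest = build_manifest(src)
    shutil.copytree(src, dst)
    (dst / "db/customers.sql").write_bytes(b"INSERT ...\x00")  # one trailing byte changed; a "green tick" dashboard would not notice
    (dst / "config/app.yaml").unlink()
    return verify_restore(manifest, dst, restore_seconds=900, rto_seconds=3600)
```

The RTO is met in the sample, yet the test still fails on integrity, which is the evidence an auditor should expect to see recorded rather than a bare "success" flag.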

About the author

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
