How to Audit ISO 27001 Annex A 8.13: Information Backup


In this ultimate how-to-audit guide to ISO 27001 Annex A 8.13 Information Backup, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 8.13 Information Backup Audit Checklist

Auditing ISO 27001 Annex A 8.13 Information Backup is the technical verification that data is held redundantly and can be restored intact. The Primary Implementation Requirement is maintaining encrypted, immutable copies in geographically diverse locations; the Business Benefit is guaranteed service continuity and rapid recovery from ransomware or site-wide disasters.

This technical verification tool provides a binary framework for assessing the resilience and recoverability of organisational data. Use this checklist to validate compliance with ISO 27001 Annex A 8.13.

1. Backup Policy and Schedule Formalisation Verified

Verification Criteria: A documented policy exists defining backup frequencies, retention periods, and specific responsibilities for all identified information assets.

Required Evidence: Approved Information Backup Policy and an active, system-generated backup schedule.

Pass/Fail Test: If a defined backup schedule for critical systems (as identified in the Asset Register) is missing or undocumented, mark as Non-Compliant.

2. Backup Scope Completeness Validated

Verification Criteria: The backup configuration includes all critical data, operating systems, and configurations necessary to restore services to an operational state.

Required Evidence: Backup job configuration files or inventory lists cross-referenced against the Master Asset Register.

Pass/Fail Test: If the backup scope excludes critical databases or system configuration files identified in the risk assessment, mark as Non-Compliant.

3. Restoration Testing Integrity Confirmed

Verification Criteria: Periodic restoration tests are conducted to verify that data can be successfully recovered and that the bit-integrity of the data remains intact.

Required Evidence: Restoration test logs, data verification reports, or “Proof of Concept” restore records from the last six months.

Pass/Fail Test: If the organisation cannot provide documented evidence of a successful restoration test within the current audit cycle, mark as Non-Compliant.
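As an added example (not part of this guide or the author's toolkit), the script below applies the three pass/fail tests above to constructed evidence: an asset register, a backup schedule and backup scope, and a restore test record whose bit-integrity is checked by comparing SHA-256 digests of the source and restored data. All asset names, dates and digests are constructed assumptions.

```python
import hashlib
from datetime import date

# Constructed sample evidence; a real audit reads these from the asset
# register, the backup job configuration and the restore test log.
ASSET_REGISTER = [
    {"asset": "crm-database", "critical": True},
    {"asset": "marketing-site", "critical": False},
    {"asset": "firewall-config", "critical": True},
]
BACKUP_SCHEDULE = {"crm-database": "daily", "marketing-site": "weekly"}
BACKUP_SCOPE = {"crm-database", "marketing-site", "firewall-config"}
RESTORE_TEST = {
    "date": date(2024, 3, 10),
    "source_sha256": hashlib.sha256(b"customer rows v1").hexdigest(),
    "restored_sha256": hashlib.sha256(b"customer rows v1").hexdigest(),
}
AUDIT_CYCLE_START = date(2024, 1, 1)

def critical_assets_not_covered(register, covered):
    """Critical assets in the register that are absent from `covered`
    (a backup schedule for step 1, a backup scope for step 2)."""
    return sorted(a["asset"] for a in register
                  if a["critical"] and a["asset"] not in covered)

def restore_test_findings(test, cycle_start):
    """Step 3: the restore test must fall inside the audit cycle and the
    restored data must match the source bit-for-bit (SHA-256 comparison)."""
    if test is None or test["date"] < cycle_start:
        return ["no documented restore test within the audit cycle"]
    if test["source_sha256"] != test["restored_sha256"]:
        return ["restored data digest differs from source"]
    return []

def audit_8_13(register, schedule, scope, restore_test, cycle_start):
    """Apply steps 1 to 3; each step is Compliant only with zero findings."""
    findings = {
        "1 schedule": critical_assets_not_covered(register, schedule),
        "2 scope": critical_assets_not_covered(register, scope),
        "3 restore": restore_test_findings(restore_test, cycle_start),
    }
    return {step: ("Non-Compliant" if f else "Compliant", f)
            for step, f in findings.items()}

for step, (result, found) in audit_8_13(ASSET_REGISTER, BACKUP_SCHEDULE,
        BACKUP_SCOPE, RESTORE_TEST, AUDIT_CYCLE_START).items():
    print(step, result, found)
```

In the constructed data the firewall configuration is in scope but has no defined schedule, so step 1 fails while steps 2 and 3 pass.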
