In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.13 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 8.13 Information Backup
ISO 27001 Annex A 8.13 requires organizations to maintain backup copies of information, software, and systems and to test them regularly. Its primary purpose is to ensure you can recover from data loss, system failure, or a ransomware attack. Backups are your ultimate “Safety Net,” but the standard emphasizes that a backup you haven’t tested is not a backup at all.
Core requirements for compliance include:
- The 3-2-1 Rule: While not explicitly named in the standard, auditors look for this best practice: 3 copies of data, on 2 different types of media, with 1 copy stored offsite (or in a separate cloud region).
- Back up the “System,” not just the “Files”: You must be able to restore the entire operating environment, including software configurations and system settings, not just individual Excel spreadsheets.
- Testing & Validation: You must regularly perform “Restoration Tests.” You need proof that you have successfully restored data from a backup to a test environment within the last 6–12 months.
- Encryption: Backup media (especially tapes or portable drives) must be encrypted. If a backup disk is stolen, the data should be useless to the thief.
- Offsite Storage: Backups must be physically or logically separated from the main production site to protect against local disasters (fire, flood, or site-wide ransomware).
Audit Focus: Auditors will look for the “Proof of Recovery”:
- The Schedule: “Show me your backup policy. Does it specify how often you back up critical vs. non-critical data?”
- The RTO/RPO: “What is your target for data loss (RPO)? Prove that your backup frequency supports that target.”
- The Evidence: “Show me the logs from your last successful restoration test. What did you learn from it?”
Backup Objectives (RPO vs. RTO):
| Metric | Definition | Plain English Example |
|---|---|---|
| RPO (Recovery Point Objective) | How much data can you afford to lose? | “If we back up every 4 hours, we can lose up to 4 hours of work.” |
| RTO (Recovery Time Objective) | How long can you be offline? | “We must be back up and running within 2 hours of a failure.” |
Table of contents
- Key Takeaways: ISO 27001 Annex A 8.13 Information Backup
- What is ISO 27001 Annex A 8.13?
- ISO 27001 Annex A 8.13 Free Training Video
- ISO 27001 Annex A 8.13 Explainer Video
- ISO 27001 Annex A 8.13 Podcast
- ISO 27001 Annex A 8.13 Implementation Guidance
- How to implement ISO 27001 Annex A 8.13
- RPO vs. RTO
- How to comply
- How to pass an ISO 27001 Annex A 8.13 audit
- What will an auditor check?
- Top 3 ISO 27001 Annex A 8.13 mistakes and how to avoid them
- Applicability of ISO 27001 Annex A 8.13 across different business models.
- Fast Track ISO 27001 Annex A 8.13 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 8.13 FAQ
- Related ISO 27001 Controls
What is ISO 27001 Annex A 8.13?
ISO 27001 Annex A 8.13 is about information backup, which means you need to decide what to back up and when, and then test that the backup has worked.
ISO 27001 Annex A 8.13 Information Backup is an ISO 27001 control that requires an organisation to create and test backups of data, software and systems.
Information backup is important because things can go wrong. From accidental loss of information to the more aggressive and damaging ransomware attacks, there are many reasons that you might want to restore information from a point in time. Having an effective information backup process that is tested and proven to work will save your bacon one day.
ISO 27001 Annex A 8.13 Purpose
ISO 27001 Annex A 8.13 is a corrective control whose purpose is to enable recovery from loss of data or systems.
ISO 27001 Annex A 8.13 Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.13 as:
Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. – ISO 27001:2022 Annex A 8.13 Information Backup
ISO 27001 Annex A 8.13 Free Training Video
In the video ISO 27001 Information Backup Explained – ISO27001:2022 Annex A 8.13, I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 8.13 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 8.13 Information Backup, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 8.13 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Annex A 8.13 Information Backup. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 8.13 Implementation Guidance
You are going to have to ensure that you:
- Implement a topic-specific policy for information backup
- Identify the information that you want to protect
- Classify the information that you want to protect
- Implement controls to protect the information based on risk, classification and business need
- Keep records
- Test the controls that you have to make sure they are working
There are several approaches to information backup and the most common is to implement a backup tool.
ISO 27001 Backup Policy Template
The ISO 27001 Backup Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
Backup Policy
The backup policy is a specific document that is covered in detail in the Beginner’s Guide to the ISO 27001 Backup Policy.
In summary, it sets out the organisation's approach to backups and ensures that adequate processes and procedures are in place, together with regular testing of the backups, so that we can be sure that if and when the time comes, we can recover the data.
Identify Backup Requirements
The best way to identify the backup requirements is to conduct a business impact assessment (BIA). The BIA will identify and prioritise your critical systems and data and will give you timescales for how quickly they should be recovered. This in turn will inform your approach to backups and the scheduling of backups.
Implement Backup Technology
There are many types of backup technology and you should implement the one that is appropriate to you. The standard is hung up on old-fashioned tapes and storing them in remote locations, but any technology solution can work, especially with the prevalence of cloud-based storage. The things to consider here are both the encryption of the backup and the legal and regulatory requirements placed on the data.
Encrypt backups
Backups should always be encrypted; encryption is often built into any off-the-shelf backup solution.
Backups and the law
This is an area where you are going to need some legal advice. The main issues here centre on data protection, in particular the GDPR, and relate directly to the right to be forgotten and information deletion. Backups are one area that can get you in hot water if you are unable to meet the demands and requirements of the laws and regulations.
Set Backup Retention Schedules
The backup retention schedules are driven by the needs of the business and the laws and regulations that apply to it. Using the business impact assessment (BIA) is a good starting point for working out the schedule, as is referring to client contracts and client requirements.
Test Backups
The backups that you make should be tested. It is pointless to back things up securely and when the time comes to recover the data find out that you cannot, in fact, recover the data. Have a process of regular backup testing that gives you the confidence that you can recover from backup should the need arise.
How to implement ISO 27001 Annex A 8.13
Implementing a robust information backup framework is vital for ensuring data resilience and enabling rapid recovery following a security incident or system failure. By following these technical steps, your organisation can align with ISO 27001 Annex A 8.13 requirements to protect the availability and integrity of critical information assets.
1. Formalise a Backup Policy and Retention Schedule
- Identify and categorise all critical data sets, specifying the required frequency of backups based on business impact and data volatility.
- Define clear retention periods that comply with legal obligations, such as the UK GDPR, and document the “Rules of Engagement” (ROE) for data restoration.
- Result: A documented governance baseline that ensures consistent protection across all physical and cloud-based environments.
2. Provision Immutable and Off-site Storage Solutions
- Deploy the “3-2-1” backup strategy by maintaining three copies of data on two different media types, with at least one copy stored off-site or in an isolated cloud region.
- Utilise “Immutable Storage” or Object Lock features to prevent backup files from being modified or deleted by ransomware and malicious insiders.
- Result: Increased resilience against catastrophic events and targeted data destruction attacks.
3. Restrict Backup Access via Granular IAM and MFA
- Enforce the Principle of Least Privilege by assigning specific Identity and Access Management (IAM) roles to backup administrators, separating them from standard system admins.
- Mandate Multi-Factor Authentication (MFA) for all access to backup consoles and storage APIs to mitigate the risk of account takeover.
- Result: A hardened backup infrastructure where unauthorised users are blocked from compromising the last line of defence.
4. Execute End-to-End Cryptographic Protection
- Provision AES-256 encryption for all backup data at rest and ensure that TLS 1.3 is used for all data in transit to storage repositories.
- Establish a secure key management process to ensure that decryption keys are stored separately from the backup data they protect.
- Result: Assurance that backup media remains unreadable and secure even if physically or logically intercepted.
5. Automate Continuous Monitoring and Success Verification
- Configure automated alerts and reporting to notify the technical team of any backup failures or partial completions in real time.
- Integrate backup telemetry with a centralised SIEM platform to detect anomalies, such as unexpected spikes in data volume which may indicate ransomware activity.
- Result: Immediate visibility into backup health, allowing for the rapid remediation of gaps in data protection coverage.
6. Perform Periodic Restoration Testing and Audits
- Conduct scheduled restoration tests for every critical data set to verify that backups are functional and meet defined Recovery Time Objectives (RTO).
- Revoke access for any outdated backup accounts discovered during quarterly technical audits to maintain environment hygiene.
- Result: Verifiable proof for ISO 27001 auditors that the recovery process is effective and the organisation is prepared for a real-world disaster.
RPO vs. RTO
- RPO (Recovery Point Objective): “How much data can we afford to lose?” (e.g., 4 hours). Dictates backup frequency.
- RTO (Recovery Time Objective): “How long can we be offline?” (e.g., 2 hours). Dictates recovery speed.
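The six implementation steps above and the RPO/RTO definitions, as an added worked check (example code written for this guide, not the guide's own material or any backup product's API): it models a data set's backup copies and restoration evidence and reports the gaps an auditor would raise under 8.13, including the 3-2-1 test, encryption, immutability, RPO against backup age, RTO against the last restoration test, and the step-5 volume-spike anomaly. The data model, field names, sample records, 365-day test-age default and 2x spike factor are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional

# Example data model for a backup-governance check; field names are assumptions for this example.
@dataclass
class BackupCopy:
    location: str     # e.g. "london-dc" or "aws-eu-west-1"
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool     # physically or logically separate from the production site
    encrypted: bool   # encrypted at rest
    immutable: bool   # object lock / WORM: cannot be altered or deleted during retention

@dataclass
class DataSet:
    name: str
    production_media: str
    rpo: timedelta                 # maximum tolerable data loss; drives backup frequency
    rto: timedelta                 # maximum tolerable downtime; drives recovery speed
    last_backup: datetime          # completion time of the most recent successful backup
    copies: List[BackupCopy]       # backup copies only; production is not listed here
    last_restore_test: Optional[datetime] = None
    restore_duration: Optional[timedelta] = None  # wall-clock time of the last restoration test

def check_dataset(ds: DataSet, now: datetime, test_max_age: timedelta = timedelta(days=365)) -> List[str]:
    """Return audit findings for one data set; an empty list means every check passed."""
    findings = []
    # RPO: data newer than the last successful backup is already exposed to loss.
    if now - ds.last_backup > ds.rpo:
        findings.append(f"RPO breach: last backup {now - ds.last_backup} ago, RPO is {ds.rpo}")
    # 3-2-1: three copies (production + 2), two media types, one copy offsite.
    if 1 + len(ds.copies) < 3:
        findings.append("3-2-1: fewer than three copies (production + two backups)")
    if len({ds.production_media} | {c.media for c in ds.copies}) < 2:
        findings.append("3-2-1: all copies are on one media type")
    if not any(c.offsite for c in ds.copies):
        findings.append("3-2-1: no offsite copy")
    # Protection of the copies themselves: encryption everywhere, at least one immutable copy.
    findings += [f"unencrypted backup copy at {c.location}" for c in ds.copies if not c.encrypted]
    if not any(c.immutable for c in ds.copies):
        findings.append("no immutable copy to resist ransomware or insider deletion")
    # Proof of recovery: a recent restoration test that finished within the RTO.
    if ds.last_restore_test is None:
        findings.append("no restoration test on record")
    else:
        if now - ds.last_restore_test > test_max_age:
            findings.append(f"last restoration test older than {test_max_age.days} days")
        if ds.restore_duration is None or ds.restore_duration > ds.rto:
            findings.append(f"restoration took {ds.restore_duration}, RTO is {ds.rto}")
    return findings

def volume_spike(history_gb: List[float], latest_gb: float, factor: float = 2.0) -> bool:
    """Step-5 style anomaly check: latest backup far larger than the median of recent runs."""
    return len(history_gb) >= 3 and latest_gb > factor * median(history_gb)

NOW = datetime(2024, 6, 1, 9, 0)  # constructed reference time for the samples below

# Constructed sample that satisfies every check: local tape plus an immutable offsite cloud copy.
GOOD = DataSet("customer-db", "disk", rpo=timedelta(hours=4), rto=timedelta(hours=2),
               last_backup=NOW - timedelta(hours=3),
               copies=[BackupCopy("london-dc", "tape", False, True, False),
                       BackupCopy("aws-eu-west-1", "object-storage", True, True, True)],
               last_restore_test=NOW - timedelta(days=90), restore_duration=timedelta(minutes=75))

# Constructed sample with the classic gaps: one unencrypted local disk copy, never restored.
BAD = DataSet("file-share", "disk", rpo=timedelta(hours=24), rto=timedelta(hours=8),
              last_backup=NOW - timedelta(days=3),
              copies=[BackupCopy("london-dc", "disk", False, False, False)])
```

Running `check_dataset(BAD, NOW)` returns seven findings (RPO breach, all three 3-2-1 failures, unencrypted copy, no immutable copy, no restoration test), while `GOOD` returns none; the findings list is the kind of record the restoration-test log in step 6 should capture.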
How to comply
To comply with ISO 27001 Annex A 8.13 you are going to implement the ‘how’ that delivers the ‘what’ the control expects.
In short measure you are going to:
- Understand and record the legal, regulatory and contractual requirements you have for data
- Conduct a risk assessment
- Based on the legal, regulatory and contractual requirements and the risk assessment, implement an information backup scheme
- Implement and communicate your topic-specific policy on backup
- Document and implement your processes and technical implementations for data backup
- Check that the controls are working by conducting internal audits
How to pass an ISO 27001 Annex A 8.13 audit
To pass an audit of ISO 27001 Annex A 8.13 Information backup you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
What will an auditor check?
The audit is going to check a number of areas. Let's go through the main ones.
1. That you have documentation
What this means is that you need to show that you have documented your legal, regulatory and contractual requirements for information backup; that, where data protection laws apply, you have documented what those laws are and what they require; that you have an information classification scheme and a topic-specific policy for access control; and that you have documented your information backup techniques.
2. That you have implemented information backup appropriately
They will look at systems to seek evidence of information backup, testing and recovery. They want to see evidence of tests, the results of tests and any continual improvement you conducted as a result of those tests.
3. That you have conducted internal audits
The audit will want to see that you have tested the controls and evidenced that they are operating. This is usually in the form of the required internal audits. They will check the records and outputs of those internal audits.
Top 3 ISO 27001 Annex A 8.13 mistakes and how to avoid them
In my experience, the top 3 mistakes people make for ISO 27001 Annex A 8.13 Information Backup are:
1. You have not tested the backup
This is a common mistake we see: you have not tested that you can recover from backups. Sometimes you did a recovery test, but it was a long time ago or it was only a partial recovery, so you have no actual evidence that your backups can be restored to the point where the organisation is operational again, within the agreed time frame and to the agreed point in time.
2. You don’t know your legal obligations
This is a massive mistake that we see, where people assume ISO 27001 is just information security and forget that it also checks that the appropriate laws are being followed, in particular data protection laws. Cutting corners by not having a data protection expert, or ignoring data protection law entirely, is a common cost-saving mistake. Backups from which information, in particular personal information, cannot be deleted selectively can get you in a lot of hot water.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no outstanding comments in them are all good practices.
Applicability of ISO 27001 Annex A 8.13 across different business models.
| Business Type | Applicability and Examples of Control Implementation |
|---|---|
| Small Businesses | Focuses on protecting productivity data and ensuring business continuity with minimal complexity. The goal is to survive accidental deletions or local hardware failures using standard cloud features. |
| Tech Startups | Essential for protecting customer data and proprietary source code. Compliance involves automating the “3-2-1” strategy within cloud environments to ensure rapid recovery from ransomware or region-wide outages. |
| AI Companies | Critical for protecting massive training datasets and high-value model weights. Backups focus on high-volume data integrity and the ability to restore complex high-performance computing (HPC) environments. |
Fast Track ISO 27001 Annex A 8.13 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 8.13 (Information backup), the requirement is to maintain backup copies of information, software, and systems, and to test them regularly. While SaaS compliance platforms often try to sell you “automated backup monitoring” or complex integration modules, the auditor is primarily looking for your governance framework: your backup policy, retention schedules, and evidence of successful restoration tests.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Real-World Audit Evidence |
|---|---|---|---|
| Strategy Ownership | Rents you a proprietary interface for your data. Backup policies are lost if the subscription is canceled. | Permanent Assets: You receive the “Information Backup Policy” and “Restoration Logs” to keep forever. | An internal Backup Policy specifying RPO/RTO targets, stored on your own secure server. |
| Technical Integration | Requires complex API hooks and “automated monitoring” that often duplicates existing cloud alerts. | Governance-First: Formalizes the tools you already use (AWS Backup, Veeam, Azure) into an auditor-ready framework. | A completed restoration test log proving that a database was successfully recovered from a snapshot. |
| Cost Structure | Often scales with “data volume” or “asset count,” creating an aggressive tax on your growing infrastructure. | One-Off Fee: A single payment covers your backup governance for one server or a global multi-cloud estate. | Allocating your budget toward actual immutable storage rather than a “paperwork management” dashboard. |
| Vendor Flexibility | Limited to specific brand-name integrations; switching vendors requires reconfiguring the compliance tool. | Tech-Agnostic: Fully editable procedures that work for on-premise, cloud, or hybrid recovery stacks. | The freedom to switch from Azure to AWS Backup without needing to update or pay for a new compliance module. |
Own Your ISMS, Don’t Rent It
Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit
Summary: For Annex A 8.13, an auditor wants to see that you have a policy for backups and proof that you can actually restore your data. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 8.13 FAQ
What is the purpose of ISO 27001 Annex A 8.13?
ISO 27001 Annex A 8.13 is a corrective control designed to ensure an organization can recover data, software, and systems following a disruption. Its primary objective is to maintain availability and business continuity by requiring:
- Regular creation of backup copies of information and systems.
- Periodic testing to verify that data can be successfully restored.
- Protection of backups against unauthorized access, physical damage, and environmental hazards.
What are the mandatory requirements for ISO 27001 Information Backup?
The standard requires you to establish a topic-specific backup policy that aligns with your business requirements and risk assessment. To achieve compliance, your backup strategy must demonstrate:
- Scope: Identification of all critical data, software, and system configurations requiring backup.
- Frequency: Backup intervals that meet your Recovery Point Objectives (RPO).
- Separation: Storage of backups at a remote location (offsite or separate cloud region) to mitigate physical risks.
- Encryption: Encryption of backup media in transit and at rest.
How frequently must backup restoration be tested for ISO 27001?
Regular restoration testing is mandatory, though the specific frequency is determined by your risk assessment. Auditors generally expect to see evidence of successful restoration tests at least annually or semi-annually. Best practices include:
- Testing critical systems quarterly.
- Performing ad-hoc tests after significant system changes.
- Documenting the test results, including the time taken to restore (verifying RTO) and the integrity of the data.
What is the difference between RPO and RTO in backup planning?
RPO and RTO are critical metrics that define your backup strategy’s success criteria. You must define these for all critical assets in your Business Impact Assessment (BIA):
- Recovery Point Objective (RPO): The maximum amount of data (measured in time) you can afford to lose. (e.g., “We can lose up to 4 hours of data,” requiring backups every 4 hours).
- Recovery Time Objective (RTO): The maximum amount of time your systems can be offline before significant business harm occurs. (e.g., “We must be operational within 2 hours of a crash”).
Does ISO 27001 require offsite or cloud backups?
Yes, backups must be stored at a location physically separate from the production site. This requirement protects against site-specific disasters such as fire, flood, or theft. Compliance typically follows the “3-2-1 Rule”:
- 3 copies of data (Production + 2 Backups).
- 2 different media types (e.g., Disk and Cloud).
- 1 copy stored offsite (e.g., a different AWS region or a physical vault).
Who is responsible for ISO 27001 Information Backup?
The responsibility typically lies with the IT Manager or Systems Administrator, while accountability rests with Senior Management. Auditors look for clear role definitions:
- Operational Responsibility: IT staff who configure schedules, monitor logs, and perform restoration tests.
- Accountability: Leadership who approves the Backup Policy and accepts the risks associated with the defined RPO/RTO.
- Asset Owners: Department heads who identify which data is critical and needs backing up.
Is a dedicated Information Backup Policy required for certification?
Yes, a topic-specific Information Backup Policy is required. While it can be part of a broader Operations Security policy, it is cleaner and more audit-friendly to have a standalone document that outlines:
- Retention schedules (how long backups are kept).
- Encryption standards for backup media.
- Testing procedures and logging requirements.
- Legal and regulatory obligations (e.g., GDPR right to deletion).
Related ISO 27001 Controls
ISO 27001 Clause 7.5.3 Control of Documented Information
ISO 27001 Annex A 8.34 Protection of Information Systems During Audit Testing
ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance
