ISO 27001 Information Backup

I am going to show you what ISO 27001 Annex A 8.13 Information Backup is, what’s new, give you ISO 27001 templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it. I am Stuart Barker the ISO 27001 Ninja and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.

What is ISO 27001 Information Backup?

ISO 27001 Annex A 8.13 Information Backup is an ISO 27001 control that requires an organisation to create and test backups of data, software and systems.

ISO 27001 Annex A 8.13 Purpose

ISO 27001 Annex A 8.13 is corrective control that is to enable recovery from loss of data or systems. 

ISO 27001 Annex A 8.13 Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.13 as:
Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.  – ISO 27001:2022 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.13 Implementation Guide

You are going to have to ensure that you:

  • Implement a topic specific policy for information backup
  • Identify the information that you want to protect
  • Classify the information that you want to protect
  • Implement controls to protect the information based on risk, classification and business need
  • keep records
  • Test the controls that you have to make sure they are working

There are several approaches to information backup and the most common is to implement a backup tool.

Backup Policy

The backup policy is a specific document that is covered in detail in the Beginner’s Guide to the ISO 27001 Backup Policy.

In summary it sets out the organisations approach to backups and ensures that adequate processes and procedures are in place as well as regular testing of the backup so that we can be sure that when the time comes and if we need it, we can recover it.

Identify Backup Requirements

The best way to identify the backup requirements is to conduct a business impact assessment (BIA). The BIA will identify and prioritise your critical systems and data and will provide you with time scales for how quickly they should be recovered. This in turn will inform your approach to backups and the scheduling of backups.

Implement Backup Technology

There are many types of backup technology and you should implement the one that is appropriate to you. The standard is hung up on old fashioned tapes and storing them in remote locations but any technology solution can work, especially with the prevalence of cloud based storage. The things to consider here are both the encryption of the backup and the legal and regulatory requirements placed on data.

Encrypt backups

Backups should always be encrypted and is often built into any off the shelf backup solution.

Backups and the law

This is an area where you are going to need some legal advice. The main issues here come around data protection and in particular the GDPR and relate directly to the right to be forgotten and information deletion. Backups are one area that can get you in hot water if you are unable to meet the demands and requirements of the laws and regulations.

Set Backup Retention Schedules

The backup retention schedules are driven by the needs of the business and the laws and regulations that apply to it. Using the business impact assessment (BIA) is a good starting point for working out the schedule as is reverting to client contracts and client requirements.

Test Backups

The backups that you make should be tested. It is pointless to back things up securely and when the time comes to recover the data find out that you cannot, in fact, recover the data. Have a process of regular backup testing that gives you the confidence that you can recover from backup should the need arise.

ISO 27001 Templates

ISO 27001 Backup Policy Template

ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.

Stop Spanking £10,000s on consultants and ISMS online-tools.

ISO 27001 Toolkit Business Edition

How to comply with ISO 27001 Annex A 8.13

To comply with ISO 27001 Annex A 8.13 you are going to implement the ‘how’ to the ‘what’ the control is expecting.
In short measure you are going to:

  • Understand and record the legal, regulatory and contractual requirements you have for data
  • Conduct a risk assessment
  • Based on the legal, regulatory, contractual requirements and the risk assessment you will implement an
    information backup scheme
  • Implement and communicate your topic specific policy on backup
  • Document and implement your processes and technical implementations for data backup
  • Check that the controls are working by conducting internal audits

How to pass an audit

To pass an audit of ISO 27001 Annex A 8.13 Information backup you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an auditor check?

The audit is going to check a number of areas. Lets go through the main ones

That you have documentation

What this means is that you need to show that you have documented your legal, regulatory and contractual requirements for information backup. Where data protection laws exist that you have documented what those laws are and what those requirements are. That you have an information classification scheme and a topic specific policy for access control and that you have documented your information backup techniques.

That you have have implemented information backup appropriately

They will look at systems to seek evidence of information backup, testing and recovery. They want to see evidence of tests, the results of tests and any continual improvement you conducted as a result of those tests.

That you have conducted internal audits

The audit will want to see that you have tested the controls and evidenced that they are operating. This is usually in the form of the required internal audits. They will check the records and outputs of those internal audits.

Top 3 Mistakes People Make for ISO 27001 Annex A 8.13

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 8.13 Information Backup are

You have not tested the backup

This is a common mistake we see. That you have not tested that you can recover from backups. Sometimes you did a recovery test but it was a long time ago, or it was a partial recovery and therefore you have no actual evidence that your backups can be recovered to a point the organisation is operational again within the time frames and to the point in time that was agreed.

This is a massive mistake that we see, where people assume ISO 27001 is just information security and forget that it also checks that appropriate laws are being followed, and in particular data protection laws. Cost saving by not having a data protection expert or ignoring data protection law entirely is a common mistake we see people make when cutting corners and saving costs. Backups where information, in particular personal information, cannot be deleted selectively can get you in a lot of hot water.

Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Why is data information backup important?

Information backup is important because things can go wrong. From accidental loss of information to the more aggresive and damaging ransomware attacks, there are many reasons that you might want to restore information from a point in time. Having an effective information backup process that is tested and proven to work will save your bacon one day.

ISO 27001 Annex A 8.13 FAQ

Is information backup a new ISO 27001:2022 control?

No, information backup is not a new control for ISO 27001:2022.

What clause of ISO 27001 covers information backup?

ISO 27001 Annex A 8.13 covers information backup.

What clause of ISO 27002 covers information backup?

ISO 27002 clause 8.13 covers information backup.

What is the difference between ISO 27001:2022 Annex A 8.13 and ISO 27002:2022 clause 8.13?

Nothing, they are the same thing. ISO 27002 is a standard in its own right and is included as an Annex to the ISO 27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.

How long will ISO 27001Annex A 8.13 information backup take me?

ISO 27001 Annex A 8.13 will take approximately 1 day to setup if you are starting from nothing and doing it yourself. Then the process to implement information backup will take as long as it takes for you to make the technical and configuration changes required.

How much will ISO 27001Annex A 8.13 information backup cost me?

This depends on the complexity of your technical environment and the technologies that you are deploying.

Time: the time to define and document the requirements, the time to implement the requirements

Money: the cost of technical tools and configuration changes to tools

Who is responsible for ISO 27001 Information Backup?

The responsibility for ISO 27001 Information Backup lies with IT.

Who is accountable for ISO 27001 Information Backup?

Senior management and leadership are accountable for ISO 27001 Annex A 8.13 Information Backup

Do I need ISO 27001 Information Backup for ISO 27001 Certification?

Yes, information backup is a requirement of ISO 27001 certification.

What policy do I need for ISO 27001 Information Backup?

You need the ISO 27001 Backup Policy.

Is there a free ISO 27001 Information Backup Policy PDF?

Yes, you can get a copy of the free ISO 27001 Information Backup Policy PDF at High Table.

Where can I get templates for ISO 27001 Information Backup?

High Table provide an ISO 27001 Backup Policy Template that is fully populated, pre written and ready to go. They also offer the ISO 27001 Toolkit that has everything you need to DIY your ISO 27001 certification.

How hard is ISO 27001 Annex A 8.13?

ISO 27001 Annex A 8.13 is not hard. It is a fundamental basic of IT management. Information backup has been around for ever and is well known and well understood. The hardest part is deciding what to back up and how often, followed by your ability to test the recovery.

Is there an online ISO 27001?

Yes, there is an online ISO 27001 at ISO 27001 Online.

What are the benefits of ISO 27001 Annex A 8.13?

The benefits of an ISO 27001 Annex A 8.13 are:
1. Improved Security
2. Reduced Risk
3. Improved Compliance
4. Reputation Protection