How to implement ISO 27001 Annex A 8.13 – A certification bodies guide


Implementing ISO 27001 Annex A 8.13 Information Backup

Welcome to this guide on one of the most critical controls in the ISO 27001 standard. As a certification body, we often see organisations struggle not with the concept of backups, but with the specific rigour required by Annex A 8.13. You likely already know that backing up data is important. However, achieving compliance requires more than just copying files to a hard drive.

At ISO27001.com, we believe that understanding the “why” is just as important as the “how”. This control sits within the technological theme of the standard. Its primary purpose is to ensure you can recover your information, software, and systems if a disaster strikes. This could be anything from a ransomware attack to a simple accidental deletion by a staff member.

What is Annex A 8.13?

Annex A 8.13 focuses on Information Backup. The control text states that backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. Two things follow from that wording: the backups must exist and be kept in line with a written policy, and they must be tested regularly, not just taken. Done properly, this ensures that your organisation can recover operations quickly after a disruption.

For a beginner, this might sound daunting. It does not have to be. The core requirement is simply about having a plan, following that plan, and proving that the plan works.

Defining Your Backup Policy

Before you buy any software or storage, you need to write down your rules. The auditor will look for a Topic Specific Policy on Backup. This document dictates how you handle data retention and recovery. You need to define two key concepts here.

First, you must define your Recovery Point Objective (RPO). This asks how much data you are willing to lose. If you back up once a day at midnight, and your system fails at 11 PM, you lose 23 hours of work. Is that acceptable? For some data, yes. For a transaction database, probably not.

Second, you must define your Recovery Time Objective (RTO). This asks how fast you need to get back up and running. Can you wait a week to restore your data, or do you need it back in an hour?

Your policy should clearly state the schedule for your backups based on these requirements. It might state that critical data is backed up hourly, while less critical archives are backed up weekly. It should also say what is in scope for each schedule and how long each copy is retained, because those are the figures the auditor will compare against your actual backup settings.

Implementing the Control

Once your policy is set, you have to put the technology in place. You need to ensure that the backup copies are protected. We often see clients who back up their servers to a drive sitting in the same room as the server. This is a bad idea. If a fire destroys the server room, it destroys your backup too.

You should store backups at a remote location. Today, cloud storage is an excellent solution for this. It provides physical separation from your premises by default. One caveat: if your production systems already run in that same cloud, put the backups in a separate account or subscription and ideally a separate region, so that a single compromised administrator credential cannot reach both the live data and its copies. If you use physical media like tapes or hard drives, you must ensure they are transported securely and stored safely.

You also need to protect the backups from unauthorised access. Encrypting your backups is the standard expectation. If a backup tape is lost or a cloud bucket is breached, encryption ensures the data remains unreadable. Encryption only helps if the keys are handled properly: keep them separate from the backup media (a key stored next to the tape protects nothing), and make sure the keys themselves are backed up or escrowed, otherwise you will have an intact backup that nobody can restore.

The Critical Importance of Testing

This is the area where we raise the most findings. You can have the best backup software in the world, but it is useless if you cannot restore the data. Annex A 8.13 explicitly requires you to test your backups regularly.

You do not want to find out that your restoration process fails during a real emergency. You should schedule regular restoration tests. This means taking a backup copy and actually restoring it into an isolated test environment, verifying that the data is intact and usable, and timing the exercise. The timing matters: a restore test is also the only reliable evidence that your RTO is achievable.

As your certification body, we expect to see logs or records of these tests. A screenshot showing a “Backup Successful” message only proves that a job ran. A record showing “Restoration Test Successful”, together with what was restored, who performed it, how long it took and how the restored data was verified against the original, is much better evidence.
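The kind of restoration test described above, as an added example that is not part of this guide or of any backup product: it builds a small backup archive with a checksum manifest from constructed sample files, restores it into a throwaway directory, verifies every file against the manifest and against a declared backup scope, and produces an auditable test record. File names, the scope list and the record format are assumptions for illustration; it uses only the Python standard library.

```python
"""Restoration test: restore a backup archive into a scratch directory,
verify file integrity and scope coverage, and emit an audit record.
Added example using only the standard library; names are assumptions."""
import hashlib
import io
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of the "production" data at backup time.
SAMPLE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "app/config.yml": b"db_host: db.internal\nlisten: 8443\n",
}
# Declared scope from the backup policy: everything needed to run the service.
BACKUP_SCOPE = {"db/orders.sql", "app/config.yml"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> bytes:
    """Create a gzipped tar containing the files plus a SHA-256 manifest."""
    manifest = {name: sha256(data) for name, data in files.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        mdata = json.dumps(manifest).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(mdata)
        tar.addfile(info, io.BytesIO(mdata))
    return buf.getvalue()


def restore_test(archive: bytes, scope: set) -> dict:
    """Restore into a temporary directory (never production) and verify."""
    findings = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            try:
                # The "data" filter refuses members that escape the target
                # directory; older interpreters do not accept the argument.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        root = Path(scratch)
        manifest_path = root / "MANIFEST.json"
        manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
        if not manifest:
            findings.append("manifest missing from backup")
        for name, expected in manifest.items():
            restored = root / name
            if not restored.exists():
                findings.append(f"{name}: listed in manifest but not restored")
            elif sha256(restored.read_bytes()) != expected:
                findings.append(f"{name}: checksum mismatch")
        # Scope check: catches the classic "backed up the database, forgot
        # the configuration files" mistake.
        for name in sorted(scope - set(manifest)):
            findings.append(f"{name}: in backup scope but absent from backup")
    return {
        "test": "restoration",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "result": "Restoration Test Successful" if not findings else "Restoration Test FAILED",
        "findings": findings,
    }


def write_record(record: dict, log_path: Path) -> None:
    """Append one JSON line; these records are the evidence an auditor asks for."""
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")


if __name__ == "__main__":
    print(restore_test(make_backup(SAMPLE_FILES), BACKUP_SCOPE))
    # Same service, but the configuration file was never included in the job.
    print(restore_test(make_backup({"db/orders.sql": SAMPLE_FILES["db/orders.sql"]}), BACKUP_SCOPE))
```

The second run in the usage block fails on scope rather than on integrity: the archive is perfectly valid, which is exactly why a "Backup Successful" message alone would not have caught it.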

What We Expect as Your Certification Body

When an auditor from a body like ISO27001.com visits you, we are looking for evidence. We are not there to take your word for it. We need proof that you are following your own rules.

We will ask to see your backup policy. We will check if your actual backup settings match that policy. If your policy says you back up daily, but your logs show you back up weekly, that is a non-conformity.
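The comparison of policy against actual backup runs described here, and the RPO definition earlier in this guide, as an added example (not part of this guide or of any backup product): a per-data-class RPO from the policy is checked against a constructed backup job catalogue, counting only successful runs, so a job that has been failing since its last good run is reported as a gap even though "Backup Successful" entries exist earlier in the log. The policy values, the catalogue format and the reference time are assumptions for illustration.

```python
"""Check the newest successful backup per data class against the RPO in the
backup policy.  Added example, standard library only; the policy figures and
the catalogue lines are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Assumed policy: RPO = maximum tolerable age of the newest good backup.
POLICY = {
    "transaction-db": {"rpo": timedelta(hours=1)},
    "file-share": {"rpo": timedelta(days=1)},
    "archive": {"rpo": timedelta(weeks=1)},
}

# Constructed catalogue lines: "<UTC timestamp> <data class> <status>".
CATALOGUE = """\
2024-05-06T00:05:00Z transaction-db success
2024-05-06T01:05:00Z transaction-db success
2024-05-06T02:05:00Z transaction-db failed
2024-05-06T03:05:00Z transaction-db failed
2024-05-05T23:00:00Z file-share success
2024-04-20T02:00:00Z archive success
"""

# Reference time for the check (assumed).
AS_OF = datetime(2024, 5, 6, 3, 30, tzinfo=timezone.utc)


def parse_catalogue(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, data_class, status = line.split()
        # fromisoformat accepts a trailing "Z" only from Python 3.11 on.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        entries.append((when, data_class, status))
    return entries


def check_rpo(policy: dict, entries: list, now: datetime) -> dict:
    """Return {class: (ok, age, message)}; age is None with no good backup."""
    latest_good = {}
    for when, data_class, status in entries:
        # Failed runs do not move the recovery point.
        if status == "success" and when > latest_good.get(data_class, datetime.min.replace(tzinfo=timezone.utc)):
            latest_good[data_class] = when
    report = {}
    for data_class, rule in policy.items():
        if data_class not in latest_good:
            report[data_class] = (False, None, "no successful backup on record")
            continue
        age = now - latest_good[data_class]
        ok = age <= rule["rpo"]
        message = "within RPO" if ok else f"last good backup is {age} old, RPO is {rule['rpo']}"
        report[data_class] = (ok, age, message)
    return report


def run_audit() -> dict:
    return check_rpo(POLICY, parse_catalogue(CATALOGUE), AS_OF)


if __name__ == "__main__":
    for data_class, (ok, age, message) in run_audit().items():
        print(f"{'OK  ' if ok else 'GAP '} {data_class}: {message}")
```

Against the sample catalogue the file share is within its one-day RPO, the transaction database is not (its last two hourly jobs failed, so the recovery point is over two hours old against a one-hour RPO), and the archive has not had a good backup for over two weeks against a one-week RPO. Both gaps are the kind of policy-versus-practice mismatch an auditor records as a non-conformity.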

We will also look for separation of duties. Ideally, the person requesting a restoration should not be the only person capable of approving it, though this depends on the size of your company. We definitely want to see that your backups are immutable or offline where possible, to protect against ransomware that deletes or encrypts backup files. Immutability is only as strong as the accounts that administer it: backup administration should use credentials separate from your production administrator accounts, protected by multi-factor authentication, so that an attacker who gains domain or cloud admin rights cannot simply disable retention and delete the copies.


Common Pitfalls to Avoid

There are a few common mistakes we see beginners make. The first is scoping. You need to ensure you are backing up all relevant data. Often, teams back up the database but forget the configuration files required to run the application.

Another pitfall is relying solely on SaaS providers. If you use cloud platforms, do not assume they are backing up your data for you. Under the shared responsibility model, providers such as Microsoft and Google ensure the platform itself is available and resilient; your data within it is your responsibility. If you accidentally delete a user or a mailbox, the data is recoverable only within the provider's own retention window, after which it is gone unless you have your own backup of that data in place.

Finally, ensure you review your backup requirements regularly. As your business changes, your RPO and RTO might change. Your backup strategy should evolve with you.

Summary

Implementing Annex A 8.13 is about resilience. It is about sleeping soundly at night knowing that if the worst happens, you can recover. Start with a clear policy, choose secure off-site storage, and test your restoration process frequently.

If you follow these steps and maintain clear records, you will satisfy the requirements of Annex A 8.13 and be well on your way to achieving ISO 27001 certification with us.