What is ISO 27001:2022 Annex A 8.13 Information backup in ISO 27001?
ISO 27001 Annex A 8.13 is a documented process for maintaining backup copies of information and systems. Organisations must integrate these procedures into daily operational tools like SharePoint so that data remains available after a technical failure. The control also requires regular restore testing, with the results recorded in your internal document management systems.
Auditor’s Eye: The Shortcut Trap
Auditors often find that firms rely on cloud backup dashboards. A row of green ticks creates a false sense of safety and decouples backup assurance from daily work. I prefer seeing a Jira ticket for a restore test. Authentic evidence lives in your SharePoint meeting minutes. Disconnected SaaS platforms hide actual restore failures and offer surface-level compliance only. Real management ownership requires evidence in your native repositories.
| ISO 27001:2013 Control | ISO 27001:2022 Control | Nature of Change |
|---|---|---|
| A.12.3.1 Information backup | A.8.13 Information backup | Renumbered. Requirement remains to maintain and test backup copies. |
How to Implement ISO 27001:2022 Annex A 8.13 (Step-by-Step)
The bottom line: you must establish a documented backup cycle within your existing organisational tools, so that technical teams follow the backup procedures as part of normal work. Use SharePoint and Jira to manage the programme. Follow these steps for compliance:
- Draft an Information Backup Policy in SharePoint.
- Include specific retention requirements and recovery time objectives.
- Initialise recurring Jira tasks for backup monitoring.
- Require technical staff to log success rates weekly.
- Execute a restore test every six months.
- Document the test method and outcome in a Confluence page.
- Present backup performance to management.
- Record the review in your monthly SharePoint meeting minutes.
ISO 27001:2022 Annex A 8.13 Audit Evidence Checklist
Focus on manual records and internal document versions. These prove human oversight and intent. Maintain these items in your native repositories:
- Information Backup Policy with SharePoint version history.
- Restore test logs stored as closed Jira tickets.
- Monthly management meeting minutes reviewing backup reports.
- Technical configuration standards in your internal wiki.
- Vendor service reports for off-site storage.
Relational Mapping
Annex A 8.13 connects to several core organisational requirements. Clause 8.1 requires operational planning and control. Annex A 5.30 covers ICT readiness for business continuity. Annex A 8.15 covers logging. All of these dependencies must be linked within your central SharePoint library.
Auditor Interview
Auditor: How do you verify your backups are usable?
Manager: We perform manual restore tests twice per year. We record the logs in Jira.
Auditor: Where is the evidence of management review?
Manager: Our monthly security minutes in SharePoint track backup success rates. You can see the manager sign-off there.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS dashboard tick without internal restore logs. | Log manual restore tests in Jira. |
| No Management Review | Backups fail but the board never sees the report. | Include backup status in SharePoint minutes. |
| Stale Policies | Backup rules exist but staff never update them. | Review policies annually in SharePoint. |
Frequently Asked Questions
How often should I test backups for ISO 27001?
The bottom line: you must test backups at scheduled intervals. Most organisations perform full restore tests every six months. You should record these tests in Jira. This provides an audit trail of system reliability. Document your findings in SharePoint minutes to prove management oversight. This shows you handle data risks within your own organisational boundary.
What is required for ISO 27001 backup compliance?
The bottom line: maintain a documented backup policy and regular restore records. You must protect backups from unauthorised access. Use your internal document management system to track version history. Avoid relying solely on automated cloud dashboards. Integrated records show active management and ownership. This prevents the audit risk of disconnected evidence.
How do I document backup failures?
The bottom line: log every failure as a technical incident in Jira. Describe the root cause and the corrective action. Link these logs to your monthly security reviews in SharePoint. This proves your organisation follows a managed process. It shows you handle risks within your native repositories. Auditors prefer this level of transparency.
