ISO 27001 Annex A 8.13 requires a documented process for maintaining backup copies of information and systems. Organisations must integrate these procedures into daily operational tools such as SharePoint so that data remains available after a technical failure. The control also mandates regular restore testing, with the results recorded within your internal document management systems.
Auditor’s Eye: The Shortcut Trap
Auditors often find that firms rely on cloud backup dashboards. These green ticks create a false sense of safety because they decouple security from daily work. I prefer seeing a Jira ticket for a restore test; authentic evidence lives in your SharePoint meeting minutes. A disconnected SaaS platform hides actual restore failures and offers only surface-level compliance. Real management ownership requires evidence in your native repositories.
| ISO 27001:2013 Control | ISO 27001:2022 Control | Nature of Change |
|---|---|---|
| A.12.3.1 Information backup | A.8.13 Information backup | Renumbered. Requirement remains to maintain and test backup copies. |
How to Implement ISO 27001 Annex A 8.13
The bottom line: you must establish a documented backup cycle within your existing organisational tools, so that technical teams follow security protocols as part of their normal work. Use SharePoint and Jira to manage the programme. Follow these steps for compliance:
- Draft an Information Backup Policy in SharePoint.
- Include specific retention requirements and recovery time objectives.
- Initialise recurring Jira tasks for backup monitoring.
- Require technical staff to log success rates weekly.
- Execute a restore test every six months.
- Document the test method and outcome in a Confluence page.
- Present backup performance to management.
- Record the review in your monthly SharePoint meeting minutes.
ISO 27001:2022 Annex A 8.13 Audit Evidence Checklist
Focus on manual records and internal document versions. These prove human oversight and intent. Maintain these items in your native repositories:
- Information Backup Policy with SharePoint version history.
- Restore test logs stored as closed Jira tickets.
- Monthly management meeting minutes reviewing backup reports.
- Technical configuration standards in your internal wiki.
- Vendor service reports for off-site storage.
Relational Mapping
Control A 8.13 connects to several core organisational requirements. Clause 8.1 requires operational planning and control. Annex A 5.30 manages ICT readiness for business continuity. Annex A 8.15 covers logging activities. All these dependencies must link within your central SharePoint library.
Auditor Interview
Auditor: How do you verify your backups are usable?
Manager: We perform manual restore tests twice per year. We record the logs in Jira.
Auditor: Where is the evidence of management review?
Manager: Our monthly security minutes in SharePoint track backup success rates. You can see the manager sign-off there.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS dashboard tick without internal restore logs. | Log manual restore tests in Jira. |
| No Management Review | Backups fail but the board never sees the report. | Include backup status in SharePoint minutes. |
| Stale Policies | Backup rules exist but staff never update them. | Review policies annually in SharePoint. |
ISO 27001 Annex A 8.13 FAQ
What is required for ISO 27001 Annex A 8.13 Information Backup compliance?
The bottom line: Maintain a documented backup policy and manual restore records within your internal tools, such as SharePoint or Jira. You must protect these backups from unauthorised access and avoid relying exclusively on automated cloud vendor dashboards, as auditors require integrated evidence of active management and ownership.
Beyond the primary documentation, your compliance framework should clearly outline specific retention requirements and Recovery Time Objectives (RTOs). By centralising technical configuration standards in your internal wiki and reviewing vendor service reports for off-site storage, you establish a resilient, audit-ready data environment.
How often should I test backups for ISO 27001?
The bottom line: You must test backups at defined, scheduled intervals, with most organisations successfully executing full manual restore tests every 6 months. These tests must be logged as closed tickets in Jira, accompanied by management sign-off recorded in monthly SharePoint meeting minutes.
Relying solely on an automated “green tick” from a SaaS dashboard creates a false sense of security and frequently triggers auditor non-conformities. Documenting manual recovery exercises provides an indisputable audit trail of system reliability and active operational control.
How does ISO 27001:2022 Annex A 8.13 differ from the 2013 version?
The bottom line: The fundamental requirement to maintain and test backup copies remains identical, but the control has been renumbered from A.12.3.1 in the 2013 standard to A.8.13 in the 2022 revision. It continues to focus on information protection and resilience.
Under the updated 2022 structure, Annex A 8.13 connects closely to broader organisational continuity controls, requiring operational planning (Clause 8.1) and clear links to your logging activities (Annex A 8.15) to ensure holistic data availability.
How should I document backup failures during an audit?
The bottom line: Log every single backup failure as a formal technical incident in Jira, detailing both the root cause and the specific corrective action taken. You must then link these incident logs directly to your monthly security review minutes in SharePoint.
Auditors prefer this level of transparency because it proves your organisation proactively manages risk rather than hiding it. A 100% success rate on automated dashboards is often viewed with suspicion; documenting failures and corrections demonstrates a mature, functional Information Security Management System (ISMS).
