What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.13

ISO 27001 Annex A 8.13 - what changed in the 2022 update

If you have been working with the 2013 version of ISO 27001, you likely know the drill when it comes to backups. It was one of those “set it and forget it” areas for many: as long as the tapes or disks were spinning, you felt safe. However, the update to ISO 27001:2022 has introduced some important nuances that move backups from a background task to a high-priority resilience strategy. Specifically, what used to be Control 12.3.1 is now Annex A 8.13: Information Backup.

The 2022 update is more than just a numbering shift. It reflects a world where ransomware can encrypt your live data and your backups simultaneously, and where “the cloud” isn’t just someone else’s computer but a complex shared responsibility. Let’s break down the key changes you need to know for your transition.

The Evolution: From 12.3.1 to Annex A 8.13

In the 2013 standard, backup requirements were found in Control 12.3.1 (Information backup). In the 2022 version, the standard consolidated its 114 controls into 93 and grouped them into four themes: Organisational, People, Physical, and Technological.

Annex A 8.13 now lives in the Technological theme. According to Hightable.io, while the core requirement of “keeping copies” remains, the 2022 version places a much heavier emphasis on verification and context. It is no longer enough to just have a backup; you must prove it works and ensure it is protected with the same level of security as your production data.

What is Annex A 8.13 Information Backup?

The objective of Annex A 8.13 is to ensure that “copies of information, software and systems are maintained and regularly tested in accordance with the agreed topic-specific backup policy.”

This covers three distinct areas:

  • Information: Your databases, files, and customer records.
  • Software: The applications and operating systems required to run the business.
  • Systems: The configurations and virtual machine images that allow for a full recovery.

Key Changes and New Requirements in the 2022 Version

The 2022 update introduces several specific nuances that you won’t find in the 2013 wording. These are the areas auditors will focus on during a transition audit:

  • Check for Data Loss Before Backup: A new piece of guidance suggests checking for data integrity before you run a backup. If your data is already corrupted or encrypted by ransomware, backing it up just saves the “garbage.”
  • Reporting Systems: The standard now explicitly mentions the need for a reporting system to monitor the status of backups. You should have a clear audit trail showing which jobs succeeded, which failed, and how the failures were remediated.
  • Cloud-Based Platforms: The 2013 version was written before the “Cloud First” era. The 2022 version reminds us that data in SaaS tools (like Microsoft 365 or Salesforce) is your responsibility to back up, not just the provider’s.
  • Topic-Specific Retention: Instead of a “one size fits all” retention policy, you are encouraged to align retention with the legal and business nature of the data (linked to Annex A 8.10).

The Role of Attributes in Annex A 8.13

One of the most helpful additions to the ISO 27001:2022 update is the introduction of “Attributes.” For Annex A 8.13, these metadata tags help you understand the control’s strategic purpose:

Attribute Type                   Value for Annex A 8.13
Control Type                     Corrective (it fixes the problem of data loss)
Information Security Property    Availability (primarily), Integrity
Cybersecurity Concept            Recover
Operational Capability           Continuity

Practical Steps for Compliance

Transitioning to the 2022 standard means moving away from “set it and forget it” backups. Hightable.io suggests that the most common mistake is a lack of restoration testing. To align with A 8.13, you should:

  1. Define RTO and RPO: For every critical system, document your Recovery Time Objective (how long can you be down?) and Recovery Point Objective (how much data can you afford to lose?).
  2. Test, Don’t Just Verify: Many systems say a backup “completed,” but the standard wants to see that you have actually restored data successfully in a test environment.
  3. Encrypt Your Backups: If a backup drive or cloud bucket is stolen, the data inside must be unreadable. Ensure encryption at rest and in transit.
  4. Separate Your Backups: Ensure backups are stored in a different “failure domain” (different cloud region or physically separate location) and protected from the primary network to prevent ransomware from spreading to them.
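The reporting system and restoration evidence described above can be reduced to a small status check that flags backups older than the RPO, failed jobs without remediation, and stale restore tests. This is an added example, not code from the article or from Hightable.io; the system names, policies, job records and timestamps are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupJob:
    system: str
    finished: datetime
    status: str              # "success" or "failed"
    remediated: bool = False # has a failed job been followed up?

@dataclass
class SystemPolicy:
    rpo: timedelta                     # maximum tolerable data loss
    restore_test_interval: timedelta   # how often a test restore must be proven

def check_backups(policies, jobs, restore_tests, now):
    """Return {system: [findings]}; an empty list means the system is compliant."""
    findings = {}
    for system, policy in policies.items():
        issues = []
        ok = [j.finished for j in jobs if j.system == system and j.status == "success"]
        if not ok:
            issues.append("no successful backup on record")
        elif now - max(ok) > policy.rpo:
            issues.append("latest successful backup older than RPO")
        for j in jobs:
            if j.system == system and j.status == "failed" and not j.remediated:
                issues.append(f"failed job at {j.finished:%Y-%m-%d %H:%M} not remediated")
        last_test = restore_tests.get(system)   # date of the last proven restore
        if last_test is None:
            issues.append("no restore test on record")
        elif now - last_test > policy.restore_test_interval:
            issues.append("restore test older than policy interval")
        findings[system] = issues
    return findings

# Constructed sample data (hypothetical systems, not from the article).
SAMPLE_NOW = datetime(2024, 3, 1, 9, 0)
SAMPLE_POLICIES = {
    "crm-db": SystemPolicy(rpo=timedelta(hours=4), restore_test_interval=timedelta(days=90)),
    "fileserver": SystemPolicy(rpo=timedelta(hours=24), restore_test_interval=timedelta(days=180)),
}
SAMPLE_JOBS = [
    BackupJob("crm-db", datetime(2024, 3, 1, 6, 0), "success"),
    BackupJob("crm-db", datetime(2024, 2, 29, 22, 0), "failed"),
    BackupJob("fileserver", datetime(2024, 2, 27, 1, 0), "success"),
]
SAMPLE_RESTORE_TESTS = {"crm-db": datetime(2024, 1, 15)}

def run_report():
    return check_backups(SAMPLE_POLICIES, SAMPLE_JOBS, SAMPLE_RESTORE_TESTS, SAMPLE_NOW)
```

Each finding is the kind of line an auditor would expect to see in a restoration history rather than in a bare “backup completed” log.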

Why the Change Matters

The update to Annex A 8.13 reflects the “Resilience” era. In 2013, we backed up data to recover from a hardware failure. In 2022 and beyond, we back up data to survive a cyberattack. By requiring more rigorous testing and reporting, ISO 27001:2022 ensures that your “safety net” is actually strong enough to catch you when you fall.

As Hightable.io points out, an auditor is no longer looking for a “Backup Policy” alone; they are looking for a “Restoration History.” If you can’t prove you’ve successfully restored data recently, you may face a non-conformity.

Final Thoughts on the Transition

Moving from 12.3.1 to 8.13 is a move toward a more mature, reliable way of protecting your organisation’s memory. It forces a conversation between IT and the business about what is truly “critical.” While the 2022 version requires more documentation and testing, it provides a much higher level of confidence that your business can survive a catastrophic event.