CYBERINFO
Technological Control 8.13

Information Backup

Summary

Backup copies of information, software and system images should be maintained and regularly tested in accordance with the established topic-specific policy on backup. This ensures the organization can recover from data loss, corruption, or ransomware attacks.

Applicability

In-Scope: Mandatory for all organizations. It is the single most important control for ensuring the availability of data and recovering from catastrophic system failures.

Out-of-Scope: Never out-of-scope.

Implementation Guidance

Microsoft 365 / Entra ID

  • Native Protection: Leverage the built-in versioning and Recycle Bin features of SharePoint and OneDrive for basic recovery of deleted or modified files.

  • Microsoft 365 Backup: Implement the Microsoft 365 Backup service or a certified third-party solution to provide immutable, point-in-time recovery for Exchange, SharePoint, and OneDrive.

  • Azure Backup: Utilize Azure Backup for any cloud-hosted virtual machines or databases, ensuring that backup data is stored in a separate, encrypted vault with Soft Delete enabled to prevent malicious deletion.

Evidence Checklist

  • Backup Policy: Documented requirements for backup frequency, retention periods, and storage locations.

  • Restore Test Logs: Evidence of successful restoration tests performed within the last 12 months for all critical data sets.

  • Backup Success Reports: Automated logs proving that daily backups are completing successfully without errors.
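The "Backup Success Reports" item above is easiest to satisfy when the report is generated from the job logs rather than assembled by hand. The following is an added example (not code from this page or from any backup product) that parses a constructed job log, lists failed runs and calendar days with no run at all, and compares the longest gap between two successful backups against the RPO an auditor will ask about. The log line format, job name and error text are assumptions made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample backup job log (not from any real product): one line per job run.
SAMPLE_LOG = """\
2024-03-01 02:05:11 job=nightly-fileserver status=SUCCESS bytes=52428800
2024-03-02 02:04:58 job=nightly-fileserver status=SUCCESS bytes=52690944
2024-03-03 02:06:02 job=nightly-fileserver status=FAILED error="snapshot timeout"
2024-03-04 02:05:40 job=nightly-fileserver status=SUCCESS bytes=53477376
2024-03-06 02:05:12 job=nightly-fileserver status=SUCCESS bytes=53739520
2024-03-07 02:05:33 job=nightly-fileserver status=SUCCESS bytes=54001664
"""

# Assumed line layout: timestamp, job=<name>, status=<SUCCESS|FAILED|...>, free-form detail.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"job=(?P<job>\S+) status=(?P<status>\w+)(?P<rest>.*)$"
)


def parse_log(text):
    """Return one dict per well-formed job line; malformed lines are skipped, not trusted."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        runs.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "job": m["job"],
            "status": m["status"],
            "detail": m["rest"].strip(),
        })
    return runs


def backup_report(runs, rpo_hours=24.0):
    """Summarise failures, days with no run, and whether the worst gap between
    successful backups stays within the target RPO (in hours)."""
    if not runs:
        return {"runs": 0, "failures": [], "missing_days": [],
                "worst_rpo_hours": None, "rpo_met": False}
    runs = sorted(runs, key=lambda r: r["ts"])
    successes = [r["ts"] for r in runs if r["status"] == "SUCCESS"]
    failures = [(r["ts"].isoformat(), r["detail"]) for r in runs if r["status"] != "SUCCESS"]

    # Calendar days between first and last run on which no job ran at all
    # (a failed run still counts as "attempted", it is reported separately).
    seen = {r["ts"].date() for r in runs}
    day = runs[0]["ts"].date()
    missing = []
    while day <= runs[-1]["ts"].date():
        if day not in seen:
            missing.append(day.isoformat())
        day += timedelta(days=1)

    # The largest gap between consecutive successes is the worst RPO actually achieved.
    gaps = [later - earlier for earlier, later in zip(successes, successes[1:])]
    worst = max(gaps) if gaps else timedelta(0)
    worst_hours = round(worst.total_seconds() / 3600, 2)
    return {
        "runs": len(runs),
        "failures": failures,
        "missing_days": missing,
        "worst_rpo_hours": worst_hours,
        "rpo_met": worst_hours <= rpo_hours,
    }


if __name__ == "__main__":
    for key, value in backup_report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample log the report shows one failed run (3 March), one day with no attempt at all (5 March), and a worst-case gap of just over 48 hours between successful backups, so a 24-hour RPO is not met even though most nightly jobs succeeded. Producing this from the real job log on a schedule gives the evidence the checklist asks for and surfaces the silent gaps that a simple "last job succeeded" check hides.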

Practical Audit Advice

Here are some questions the auditor might ask:

  • What are the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for your most critical business data?

  • How do you ensure that your backup data is physically or logically separated from your production environment to prevent ransomware from spreading to the backups?

  • When was the last time you performed a full restore test of a critical server or service?

  • How long is backup data retained, and does this period align with your legal and regulatory requirements?

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

  • Data Loss Prevention (DLP) Policy (docx): Establishes controls to prevent unauthorized disclosure or transfer of sensitive organizational data.

  • DLP Monitoring Procedure (docx): Defines how DLP tools are configured, monitored, and how alerts are investigated and resolved.