
Control 8.13: Information Backup


Summary

Backup copies of information, software and system images should be maintained and regularly tested in accordance with the established topic-specific policy on backup. This ensures the organization can recover from data loss, corruption, or ransomware attacks.


Applicability

In-Scope: Mandatory for all organizations. It is the single most important control for ensuring the availability of data and recovering from catastrophic system failures.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Native Protection: Leverage the built-in versioning and Recycle Bin features of SharePoint and OneDrive for basic recovery of deleted or modified files.

  • Microsoft 365 Backup: Implement the Microsoft 365 Backup service or a certified third-party solution to provide immutable, point-in-time recovery for Exchange, SharePoint, and OneDrive.

  • Azure Backup: Utilize Azure Backup for any cloud-hosted virtual machines or databases, ensuring that backup data is stored in a separate, encrypted vault with Soft Delete enabled to prevent malicious deletion.


Evidence Checklist

  • Backup Policy: Documented requirements for backup frequency, retention periods, and storage locations.

  • Restore Test Logs: Evidence of successful restoration tests performed within the last 12 months for all critical data sets.

  • Backup Success Reports: Automated logs proving that daily backups are completing successfully without errors.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What are the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for your most critical business data?

  • How do you ensure that your backup data is physically or logically separated from your production environment to prevent ransomware from spreading to the backups?

  • When was the last time you performed a full restore test of a critical server or service?

  • How long is backup data retained, and does this period align with your legal and regulatory requirements?
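As an added example (not part of this control page or of any vendor tooling), the following Python script turns backup job records into the evidence the checklist and audit questions above ask for: last successful backup per data set, failed jobs, gaps longer than the RPO, and whether a successful restore test falls within the last 12 months. The records, the 36-hour RPO and the assessment date are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample job records (not real logs): timestamp|dataset|job type|outcome.
SAMPLE_JOBS = """\
2024-05-01T01:00:00|finance-db|backup|success
2024-05-02T01:00:00|finance-db|backup|success
2024-05-03T01:00:00|finance-db|backup|failed
2024-05-04T01:00:00|finance-db|backup|success
2023-03-15T09:00:00|finance-db|restore|success
2024-05-01T02:00:00|sharepoint-hr|backup|success
2024-05-04T02:00:00|sharepoint-hr|backup|success
2024-02-10T10:00:00|sharepoint-hr|restore|success
"""

def parse_jobs(text):
    """Parse the pipe-separated records into (timestamp, dataset, kind, outcome) tuples."""
    jobs = []
    for line in text.splitlines():
        if line.strip():
            ts, dataset, kind, outcome = line.strip().split("|")
            jobs.append((datetime.fromisoformat(ts), dataset, kind, outcome))
    return jobs

def assess(jobs, now, rpo, restore_window=timedelta(days=365)):
    """Per dataset: last good backup, failed jobs, RPO breaches, restore-test currency.
    An RPO breach is any interval between consecutive successful backups (or between
    the last success and 'now') longer than the RPO, so one failed nightly job
    followed by a success the next night shows up as a single 48-hour gap."""
    findings = {}
    for ds in sorted({d for _, d, _, _ in jobs}):
        own = [j for j in jobs if j[1] == ds]
        good = sorted(t for t, _, k, o in own if k == "backup" and o == "success")
        failed = sum(1 for _, _, k, o in own if k == "backup" and o != "success")
        points = good + [now]
        breaches = sum(1 for a, b in zip(points, points[1:]) if b - a > rpo)
        restores = [t for t, _, k, o in own if k == "restore" and o == "success"]
        last_restore = max(restores, default=None)
        findings[ds] = {
            "last_good_backup": good[-1] if good else None,
            "failed_backups": failed,
            "rpo_breaches": breaches,
            "restore_test_current": last_restore is not None and now - last_restore <= restore_window,
        }
    return findings

def demo():
    """Assess the constructed records with an assumed 36-hour RPO as of 2024-05-05."""
    return assess(parse_jobs(SAMPLE_JOBS), datetime(2024, 5, 5), timedelta(hours=36))
```

Run `demo()` to see that finance-db has one failed job, one RPO breach and a restore test older than 12 months, while sharepoint-hr breaches the RPO only because it is backed up every three days.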