
ISO 27001 Control 8.13: Information Backup

How to Make Sure You Can Actually Get Your Data Back

ISO 27001 Control 8.13 Information backup is about something very simple:

When (not if) something goes wrong, can you get your critical information back in a usable state, quickly enough, without making things worse?

It’s not enough to say “we do backups”. Control 8.13 expects you to back up the right things, often enough, securely, and to test that you can restore them in line with your business needs.

This guide walks through what ISO 27001 Control 8.13 is really asking for, and how to build a practical backup strategy that supports both security and business continuity – across on-premises, cloud and hybrid environments.


What ISO 27001 Control 8.13 Actually Requires

In plain English, ISO 27001 Control 8.13 – Information backup expects you to:

  • Identify which information, systems and configurations must be backed up.
  • Define how often you back things up and how long you keep them.
  • Store backups in a way that protects confidentiality, integrity and availability.
  • Test restores regularly so you know backups actually work.
  • Integrate backup and restore processes into your business continuity and disaster recovery plans.

It’s closely tied to:

  • Business continuity / disaster recovery (RTO/RPO)
  • Ransomware resilience and incident response
  • Retention and deletion (you don’t want backups to undermine those)
  • Cloud and supplier management

The big idea: backups are there to enable recovery, not just to tick a box that “we take a copy”.


Step 1 – Define Your Backup Policy and What Really Matters

Start by deciding what you’re backing up and why. ISO 27001 Control 8.13 wants this to be deliberate, not “back up everything forever”.

Your Information Backup Policy should cover:

  • Scope – what gets backed up
    – Critical business applications and databases
    – File shares and collaboration platforms
    – System configurations, infrastructure-as-code, device configs
    – Logs or security evidence you may need for investigations
  • Business drivers
    – Legal and regulatory requirements (e.g. minimum retention periods)
    – Contractual commitments to customers or partners
    – Internal business needs (how long you need historical data)
  • Ownership and responsibility
    – Who owns the backup policy (e.g. IT/IS with sign-off from the business)?
    – Who operates the backup jobs and monitors success/failure?
    – Who owns the decision to restore from particular backup sets?

This gives you a clear foundation for implementing ISO 27001 Control 8.13 in a way that aligns with how the business actually works.


Step 2 – Translate Business Needs into RTO and RPO

To make backup meaningful, you need to link it to how quickly you must recover and how much data loss you can tolerate.

For ISO 27001 Control 8.13:

  • Recovery Time Objective (RTO)
    – How long can this system be down before the impact becomes unacceptable?
    – This drives your choice of backup and restore technology (e.g. snapshots vs tape).
  • Recovery Point Objective (RPO)
    – How much data (in minutes/hours/days) can you afford to lose?
    – This directly feeds into backup frequency (e.g. continuous, hourly, daily).

You don’t need perfect precision; you do need realistic, agreed figures. Then you can say:

  • “For System A, ISO 27001 Control 8.13 is met through hourly backups with a 4-hour RTO.”
  • “For System B, daily backups and a 24-hour RTO are sufficient.”

That’s exactly the kind of traceability auditors like to see.


Step 3 – Design a Backup Plan (Not Just a Backup Job)

With scope and objectives clear, you can design a structured backup plan.

Under ISO 27001 Control 8.13, think about:

  • Backup frequency
    – Real-time or near-real-time (e.g. journaling, continuous replication) for critical systems.
    – Daily for most business data.
    – Weekly/monthly for archival sets.
  • Backup types
    – Full – a complete copy of selected data.
    – Incremental – only changes since the last backup of any type.
    – Differential – changes since the last full backup.
  • Where backups are stored
    – On-premises (for quick restore).
    – Off-site or cloud (for disaster resilience).
    – Ideally, at least one copy that is offline or immutable to resist ransomware.
  • Data integrity checks
    – Use checksum or validation routines to ensure backups are complete and uncorrupted.
    – Alert on failed jobs and validation errors.
  • Automation
    – Schedule backups rather than relying on manual runs.
    – Centralise monitoring so failures are noticed and acted on quickly.

A simple rule of thumb that works well with ISO 27001 Control 8.13:

You should know what is backed up, where it’s backed up, how often, and how to restore it – for each major system.
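As an added example (not from the original article), the Python below shows how the backup types in Step 3 determine which sets a restore actually needs, and applies the checksum validation and the RPO check from Steps 2 and 3 to a constructed catalogue; the catalogue, its set ids and the recorded-checksum field are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_set(set_id, kind, when, data):
    # A catalogue entry records the checksum the backup job computed at write time.
    return {"id": set_id, "type": kind, "when": when, "data": data, "sha256": sha256_hex(data)}

# Constructed sample catalogue (hypothetical): a Sunday full, daily incrementals and a
# Wednesday differential. The payload bytes stand in for the real backup files.
CATALOGUE = [
    make_set("full-sun", "full", datetime(2024, 6, 2, 1, 0), b"full copy"),
    make_set("inc-mon", "incremental", datetime(2024, 6, 3, 1, 0), b"changes mon"),
    make_set("inc-tue", "incremental", datetime(2024, 6, 4, 1, 0), b"changes tue"),
    make_set("diff-wed", "differential", datetime(2024, 6, 5, 1, 0), b"changes since full"),
    make_set("inc-thu", "incremental", datetime(2024, 6, 6, 1, 0), b"changes thu"),
]
# Simulate silent corruption of one stored set: the bytes change, the recorded checksum does not.
CATALOGUE[2]["data"] = b"changes tue CORRUPTED"

def restore_chain(catalogue, point_in_time):
    """Backup sets needed to restore to point_in_time. A full stands alone; a differential
    holds all changes since the last full, so only the latest one is needed; an incremental
    holds changes since the previous backup of any type, so every incremental after the
    last full (or after the last differential, if there is one) is needed."""
    eligible = sorted((s for s in catalogue if s["when"] <= point_in_time), key=lambda s: s["when"])
    fulls = [s for s in eligible if s["type"] == "full"]
    if not fulls:
        return []
    base = fulls[-1]
    chain = [base]
    diffs = [s for s in eligible if s["type"] == "differential" and s["when"] > base["when"]]
    if diffs:
        base = diffs[-1]
        chain.append(base)
    chain += [s for s in eligible if s["type"] == "incremental" and s["when"] > base["when"]]
    return chain

def verify_chain(chain):
    """Recompute each set's checksum; return the ids whose stored bytes no longer match."""
    return [s["id"] for s in chain if sha256_hex(s["data"]) != s["sha256"]]

def rpo_met(chain, point_in_time, rpo):
    """True if the newest set in the chain is no older than the agreed RPO."""
    return bool(chain) and point_in_time - chain[-1]["when"] <= rpo
```

Running `restore_chain(CATALOGUE, datetime(2024, 6, 6, 9, 0))` yields the full, the Wednesday differential and Thursday's incremental, and the corrupted Tuesday set only surfaces from `verify_chain` when a restore point before Wednesday is requested, which is why validation has to run against the chain you would actually use.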


Step 4 – Protect the Security of Backups Themselves

Backups often contain some of your most complete and sensitive datasets. If you don’t protect them properly, they can become a new attack surface.

For ISO 27001 Control 8.13:

  • Encrypt backups in transit and at rest
    – Use strong, well-managed encryption for off-site and cloud backups.
    – Protect and rotate keys separately from the backup storage.
  • Limit access
    – Role-based access so only authorised admins can read, modify or delete backup sets.
    – Strict controls on who can trigger restores, especially to non-production environments.
  • Physical protection
    – Secure storage for tapes and removable media (locked rooms, controlled access, environmental protection).
    – For local backup appliances, ensure they sit within controlled areas, not open offices.
  • Logical protection against tampering
    – Logs of backup and restore actions, including who did what, when and from where.
    – Use immutable or write-once storage for at least some backup copies where feasible.

This ensures ISO 27001 Control 8.13 supports confidentiality and integrity, not just availability.


Step 5 – Test Restores Regularly (This Is the Bit Everyone Forgets)

If you never test restores, you don’t have a backup strategy – you have a collection of hopeful copies.

ISO 27001 Control 8.13 expects you to:

  • Perform regular restore tests
    – Restore individual files or records to prove you can handle small-scale issues.
    – Periodically restore full systems or critical applications into a test environment.
  • Validate usability
    – Don’t just check that the restore completes – make sure the application actually runs and the data makes sense.
    – Confirm dependencies are handled (linked databases, configuration, service accounts).
  • Include in disaster recovery exercises
    – Use backups in DR tests to prove you can rebuild critical services to meet your RTO/RPO.
    – Capture lessons learnt and update procedures accordingly.
  • Test new and changed systems
    – When you bring a new system online or change architecture, test that the backup and restore routines still work.

For an auditor, evidence of planned, documented restore tests is one of the strongest proofs that you’re genuinely meeting ISO 27001 Control 8.13.


Step 6 – Integrate Cloud Backups Properly (Not Just “The Cloud Does It”)

Cloud services often include backup-like capabilities (snapshots, retention, recycle bins), but ISO 27001 Control 8.13 wants you to treat them as deliberately as traditional backups.

Good practice:

  • Understand what the provider actually offers
    – What is backed up, how often, and how long is it retained?
    – Are backups in a separate region or availability zone?
    – Are there immutable or “object lock” options?
  • Align cloud retention with your policy
    – Configure retention periods to match your regulatory and business needs.
    – Avoid infinite retention “just in case” – it contradicts deletion and minimisation principles.
  • Encrypt and control access
    – Ensure encryption is enabled and key management is appropriate.
    – Restrict who can delete or change backup configurations in the cloud console.
  • Clarify responsibilities in SLAs
    – You are usually responsible for logical data protection, even in SaaS.
    – Be clear on who does what in a recovery scenario: you, the provider, or both.

That way, you can show that ISO 27001 Control 8.13 is applied consistently across on-prem and cloud.


Step 7 – Manage Retention and Deletion of Backup Data

Backups can easily become a graveyard of old personal and sensitive data if you never delete them.

To keep ISO 27001 Control 8.13 aligned with your wider compliance stance:

  • Tie retention to regulation and business need
    – Keep backups long enough to support legal, contractual and operational requirements – but not indefinitely.
    – Document retention periods for different backup types (daily, weekly, monthly, yearly).
  • Implement secure deletion for expired backups
    – Use secure erasure or rotation processes for backup media.
    – Ensure cloud backups are removed properly when retention expires.
  • Support data subject rights where realistic
    – Be clear in your privacy and retention documentation about how backups are handled in relation to erasure requests.
    – Ensure that, over time, backup rotation means outdated personal data is genuinely removed.
  • Review retention regularly
    – Storage costs, laws and your business model change – so should your retention rules.

This helps you avoid a situation where backups undermine your information deletion and data minimisation controls.
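As an added example (not part of the original article), this Python sketch applies documented retention periods per backup type, as Step 7 describes, to decide which backup sets have expired and are due for secure deletion; the retention values and the tier rules (first of year, first of month, Sunday) are assumed policy choices constructed for illustration.

```python
from datetime import date, timedelta

# Assumed retention periods per backup type (policy values constructed for the example).
RETENTION = {
    "daily": timedelta(days=14),
    "weekly": timedelta(weeks=8),
    "monthly": timedelta(days=365),
    "yearly": timedelta(days=7 * 365),
}

def classify(backup_date: date) -> str:
    """Assign a backup set to the longest-retained tier it qualifies for,
    grandfather-father-son style: yearly beats monthly beats weekly beats daily."""
    if backup_date.month == 1 and backup_date.day == 1:
        return "yearly"
    if backup_date.day == 1:
        return "monthly"
    if backup_date.weekday() == 6:  # the Sunday set is kept as that week's weekly copy
        return "weekly"
    return "daily"

def expired_sets(backup_dates, today: date):
    """Backup dates whose tier retention has lapsed and that should now be securely deleted."""
    return sorted(d for d in backup_dates if today - d > RETENTION[classify(d)])
```

Because a Sunday set is promoted to the weekly tier, a daily copy from 15 days ago expires while the Sunday copy from 14 days ago survives, which is the rotation behaviour the policy documentation should spell out.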


Step 8 – Tie Information Backup into Business Continuity and Incident Response

ISO 27001 Control 8.13 doesn’t live in isolation – it’s a core part of your business continuity and disaster recovery planning.

You should:

  • Reference backups in BC/DR plans
    – For each critical service, specify which backups you would use in which scenarios.
    – Include steps for restoring and validating systems from backup.
  • Integrate with incident response
    – Make sure the security incident response plan knows when and how to use backups (e.g. after ransomware or major data corruption).
    – Consider contamination risk – don’t just blindly restore from a backup that may also be infected.
  • Train and cross-train staff
    – Ensure more than one person knows how to perform critical restores.
    – Include backup and restore tasks in exercises and tabletop scenarios.

This shows that information backup under ISO 27001 Control 8.13 is operational and rehearsed, not theoretical.


Quick Implementation Checklist for ISO 27001 Control 8.13

Use this as a sense-check:

  • ISO 27001 Control 8.13 (Information backup) is covered in a formal backup policy with clear scope and ownership.
  • RTO and RPO values are defined for key systems, and backup frequency/approach aligns with them.
  • Critical information, software and configurations are included in backup plans.
  • Backups are automated, monitored and validated for integrity.
  • Backup data is encrypted, access-controlled and physically/logically protected.
  • There is at least one off-site and/or immutable backup location to support disaster and ransomware resilience.
  • Regular restore tests are performed and documented (files, systems, and DR scenarios).
  • Cloud backup and retention settings are understood, configured and aligned with your policy.
  • Backup retention and deletion are managed deliberately, not “keep everything forever”.
  • Backup and restore procedures are integrated into BC/DR and incident response plans and staff are trained.

Bringing It All Together

ISO 27001 Control 8.13 – Information backup – is about making sure that when you really need your data back, you aren’t relying on luck.

If you:

  • Know what you must protect,
  • Back it up frequently enough in secure, resilient locations,
  • Test that you can restore it in line with your RTO/RPO, and
  • Integrate those processes into your continuity and incident response plans,

you’ll have a backup strategy that genuinely supports business resilience – and you’ll be in a strong position to demonstrate full alignment with ISO 27001 Control 8.13.