Backup and rapid restore
Demonstrate that backup processes capture critical assets at defined intervals, backup data is protected from unauthorized access or tampering, and restoration capabilities meet documented recovery objectives through regular testing.
Description
What this control does
Backup and rapid restore controls ensure that critical data and system configurations are regularly copied to secure, independent storage and can be recovered quickly following data loss, corruption, ransomware encryption, or system failure. This involves automated backup scheduling, immutable or air-gapped storage, encryption of backup data, and documented restoration procedures with tested recovery time objectives (RTOs) and recovery point objectives (RPOs). Effective implementation prevents permanent data loss and enables business continuity during disruptive incidents.
Control objective
What auditing this proves
Demonstrate that backup processes capture critical assets at defined intervals, backup data is protected from unauthorized access or tampering, and restoration capabilities meet documented recovery objectives through regular testing.
Associated risks
Risks this control addresses
- Ransomware encryption of production data combined with backup corruption leads to permanent loss of critical business records
- Inadequate backup frequency results in loss of hours or days of transactions exceeding acceptable recovery point objectives
- Backup data stored on network-accessible shares is deleted or encrypted by attackers during lateral movement
- Untested restoration procedures fail during actual incidents due to missing dependencies, configuration drift, or corrupted backup integrity
- Lack of backup encryption exposes sensitive customer or financial data when backup media is lost, stolen, or improperly decommissioned
- Extended restoration times exceed recovery time objectives causing prolonged business disruption and revenue loss
- Single storage location for backups suffers physical disaster (fire, flood, equipment failure) eliminating all recovery copies simultaneously
Live threat patterns this control mitigates:
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's backup policy including defined RPO/RTO targets, backup schedules, retention periods, and scope of systems and data covered.
- Request the current backup inventory listing all systems, databases, and critical datasets included in backup operations with their respective backup frequencies.
- Select a representative sample of critical systems (minimum 5-8 across different tiers) and verify backup job configurations match policy requirements for frequency and retention.
- Examine backup storage architecture to confirm physical or logical isolation from production networks, including air-gapped, immutable, or off-site storage mechanisms.
- Review backup logs for the past 90 days for the sampled systems to verify successful completion rates, identify failures, and confirm remediation of recurring issues.
- Obtain documentation and evidence of the most recent restore tests, including dates, systems tested, success metrics, actual RTO/RPO achieved, and issues identified.
- Interview backup administrators to validate monitoring procedures, alert configurations for backup failures, and escalation processes when issues occur.
- Verify encryption controls are enabled for backup data both in transit to backup storage and at rest, and confirm encryption key management practices separate keys from backup data.