Backups immutable / WORM
Demonstrate that backup repositories are configured with immutability or WORM protection such that backup data cannot be altered or deleted during the retention period by any entity, including privileged users and malicious actors.
Description
What this control does
Immutable or Write Once Read Many (WORM) backups ensure that backup data cannot be modified, encrypted, or deleted for a defined retention period after creation. This control uses storage technologies or software features that lock backup files at the storage layer, preventing even privileged administrators or ransomware actors from tampering with backup integrity. Implementation typically involves object-lock features in cloud storage (e.g., S3 Object Lock), specialized backup appliances with air-gapped or immutable storage tiers, or tape libraries with hardware write-protection. This is a critical last line of defense for business continuity and disaster recovery when primary systems and mutable backups are compromised.
Control objective
What auditing this proves
Demonstrate that backup repositories are configured with immutability or WORM protection such that backup data cannot be altered or deleted during the retention period by any entity, including privileged users and malicious actors.
Associated risks
Risks this control addresses
- Ransomware encrypts or deletes backup data stored on writable volumes, eliminating recovery options and enabling extortion
- Malicious insiders with privileged access intentionally corrupt or delete backups to cover evidence of data exfiltration or sabotage
- Compromised administrator credentials are used to destroy backups concurrently with primary systems during a cyberattack
- Automated malware propagates laterally to backup infrastructure and systematically destroys all recovery points before detection
- Accidental deletion or misconfiguration by operators removes critical backup versions needed for compliance or incident recovery
- Advanced persistent threat actors dwell in the network for months and methodically erase forensic evidence stored in backups
- Cryptojacking or wiperware targets backup repositories to maximize organizational damage and prolong downtime
Testing procedure
How an auditor verifies this control
- Obtain the inventory of all backup systems, repositories, and storage targets including cloud object storage buckets, on-premises backup appliances, tape libraries, and replication targets.
- Review backup architecture documentation and configuration guides to identify which repositories are designated as immutable or WORM-protected.
- Inspect configuration settings for each backup repository to verify that immutability, object lock, or WORM features are enabled with defined retention periods that align with organizational recovery objectives and compliance requirements.
- Select a sample of recent backup jobs across critical systems and validate that backup files or objects are marked as immutable with retention attributes visible in storage metadata or backup catalog properties.
- Attempt to delete or modify a sampled backup object using privileged credentials (in a controlled test environment or via documented previous test results) to verify that the storage layer enforces write-protection and rejects unauthorized changes.
- Review access control policies and role assignments for backup infrastructure to confirm that no service accounts, administrator roles, or automation scripts have permissions to bypass immutability locks or prematurely expire retention settings.
- Examine backup job logs and storage audit logs over the past 90 days for any failed deletion attempts, permission escalation events, or configuration changes to immutability settings, and verify that alerting is configured for such events.
- Validate that immutable backup retention periods meet or exceed organizational data retention policies, regulatory requirements, and the maximum duration needed for forensic analysis following a security incident.
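The checks in this procedure can be scripted against the storage layer's own configuration data. The Python below is an added example, not part of the original control text or any vendor tool: it evaluates a constructed inventory whose structures mirror the shapes that S3's Object Lock APIs return (bucket lock configuration, per-object retention and legal hold), flags default retention below an assumed 30-day policy minimum, flags GOVERNANCE mode (which privileged principals can bypass) where COMPLIANCE mode is expected, scans an IAM policy for the actions that weaken or bypass Object Lock, and models the storage layer's delete decision so the "attempt to delete" step can be reasoned about before running it for real. Bucket names, object keys, dates and the IAM policy are all constructed; the 30-day minimum is a hypothetical value.

```python
"""Immutable / WORM backup repository checks (added example, constructed data)."""
from datetime import datetime, timezone

POLICY_MIN_RETENTION_DAYS = 30                    # hypothetical organizational minimum
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed audit date

# Constructed inventory; shapes mirror boto3 get_object_lock_configuration /
# get_object_retention / get_object_legal_hold responses.
REPOSITORIES = {
    "backup-prod": {
        "Versioning": "Enabled",
        "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 45}}},
        "Objects": [{"Key": "db/2024-05-30.bak", "LegalHold": "OFF",
            "Retention": {"Mode": "COMPLIANCE",
                          "RetainUntilDate": datetime(2024, 7, 14, tzinfo=timezone.utc)}}],
    },
    "backup-legacy": {
        "Versioning": "Enabled",
        "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}},
        "Objects": [
            {"Key": "files/2024-05-31.tar", "LegalHold": "OFF",
             "Retention": {"Mode": "GOVERNANCE",
                           "RetainUntilDate": datetime(2024, 6, 7, tzinfo=timezone.utc)}},
            {"Key": "files/2024-04-01.tar", "LegalHold": "OFF", "Retention": None},
        ],
    },
    "backup-scratch": {"Versioning": "Suspended", "ObjectLockConfiguration": None, "Objects": []},
}

# Constructed IAM policy attached to a backup automation role.
BACKUP_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:BypassGovernanceRetention", "Resource": "*"},
]}

# Real S3 actions that let a principal weaken or bypass Object Lock protection.
LOCK_BYPASS_ACTIONS = {
    "s3:BypassGovernanceRetention",          # delete or shorten GOVERNANCE-mode objects
    "s3:PutObjectRetention",                 # rewrite per-object retention
    "s3:PutObjectLegalHold",                 # remove legal holds
    "s3:PutBucketObjectLockConfiguration",   # change the bucket default retention
    "s3:*",
}


def check_repository(name, repo, now=NOW, policy_days=POLICY_MIN_RETENTION_DAYS):
    """Return a list of findings for one repository; an empty list means it passes."""
    findings = []
    cfg = repo.get("ObjectLockConfiguration")
    if not cfg or cfg.get("ObjectLockEnabled") != "Enabled":
        return [f"{name}: Object Lock not enabled; backups are mutable"]
    if repo.get("Versioning") != "Enabled":          # Object Lock requires versioning
        findings.append(f"{name}: versioning not enabled")
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append(f"{name}: no default retention; new objects are unlocked unless set per object")
    else:
        days = rule.get("Days") or rule.get("Years", 0) * 365
        if days < policy_days:
            findings.append(f"{name}: default retention {days}d below policy minimum {policy_days}d")
        if rule.get("Mode") != "COMPLIANCE":
            findings.append(f"{name}: GOVERNANCE mode is bypassable with s3:BypassGovernanceRetention")
    for obj in repo.get("Objects", []):
        ret = obj.get("Retention")
        if not ret:
            findings.append(f"{name}/{obj['Key']}: no retention attribute on object")
        elif ret["RetainUntilDate"] <= now:
            findings.append(f"{name}/{obj['Key']}: retention already expired")
    return findings


def check_policy_for_bypass(policy):
    """Return the lock-bypass actions an IAM policy document grants (sorted)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        granted.update(a for a in actions if a in LOCK_BYPASS_ACTIONS)
    return sorted(granted)


def delete_is_rejected(obj, now=NOW, bypass_governance=False):
    """Model of S3 Object Lock's decision for a delete of a locked object version."""
    if obj.get("LegalHold") == "ON":
        return True                                   # legal hold blocks deletion regardless
    ret = obj.get("Retention")
    if not ret or ret["RetainUntilDate"] <= now:
        return False                                  # unlocked or expired: delete succeeds
    if ret["Mode"] == "COMPLIANCE":
        return True                                   # nobody can delete before the date
    return not bypass_governance                      # GOVERNANCE: bypass permission wins


if __name__ == "__main__":
    for repo_name, repo in REPOSITORIES.items():
        for finding in check_repository(repo_name, repo) or [f"{repo_name}: PASS"]:
            print(finding)
    print("bypass actions granted:", check_policy_for_bypass(BACKUP_ROLE_POLICY))
```

With the constructed data, `backup-prod` passes, `backup-legacy` yields three findings (short default retention, GOVERNANCE mode, one object without a retention attribute), `backup-scratch` fails outright, and the role policy is reported as holding `s3:BypassGovernanceRetention`, which is exactly the kind of grant step five of the procedure asks the auditor to rule out. Against a live account the same functions would be fed from the corresponding `get_object_lock_configuration`, `get_object_retention`, `get_object_legal_hold` and IAM policy calls.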
Where this control is tested