Backups stored off-site / off-account
Demonstrate that backup data is stored in a location or account logically and physically separated from production systems such that a single incident cannot compromise both.
Description
What this control does
This control requires that backup data be stored in a physically separate location or in a logically isolated account, tenant or subscription that is distinct from the primary production environment. Off-site storage protects against facility-level disasters (fire, flood, earthquake, prolonged power or cooling loss), while off-account storage protects against cloud account compromise, ransomware lateral movement, and administrative errors that could affect both production and backup systems. The separation must be sufficient to prevent a single incident from destroying both production data and its backups simultaneously; in practice this means the backup repository must not be deletable with production credentials and must not share the same root, global administrator or break-glass access path as the production account.
Control objective
What auditing this proves
Demonstrate that backup data is stored in a location or account logically and physically separated from production systems such that a single incident cannot compromise both.
Associated risks
Risks this control addresses
- Ransomware encrypting both production systems and co-located backups, rendering recovery impossible
- Physical disaster (fire, flood, earthquake) destroying on-premises production and backup infrastructure simultaneously
- Cloud account compromise allowing attacker to delete production data and same-account backups in a coordinated attack
- Insider threat actor with production access deleting or corrupting backups stored in the same environment
- Data center power or cooling failure affecting both production and locally-stored backup systems
- Regional cloud outage affecting every availability zone of the region in which both production and backups reside
- Regulatory non-compliance resulting in fines or sanctions for failure to maintain geographically diverse backups
Testing procedure
How an auditor verifies this control
- Obtain the organization's documented backup storage architecture and disaster recovery plan identifying off-site or off-account storage locations.
- Inventory all critical systems and data repositories requiring backup protection per the organization's data classification policy.
- Review backup configuration settings for a sample of critical systems to identify the destination storage location, account, subscription, or physical facility.
- Verify that backup destinations are geographically separate from production facilities or logically isolated in separate cloud accounts, tenants, or subscriptions with distinct authentication boundaries. A second subscription or project under the same tenant, administered by the same global administrators or organisation root, does not constitute a distinct authentication boundary.
- Test access controls on backup storage to confirm that production-level credentials cannot read, overwrite or delete off-site backup repositories, and that any principal from the production account permitted to write backups cannot also modify or delete existing ones.
- Examine backup job logs from the past 30 days to confirm successful transmission and storage of data to the off-site or off-account location, including that the most recent run for each sampled system succeeded.
- Request evidence of a recent backup restoration test from the off-site location to validate that backups are retrievable and usable.
- Review incident response and disaster recovery procedures to confirm documented processes for accessing and restoring from off-site backups in the event of primary site compromise or loss.
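The configuration review, separation check, access-control check and log review in the steps above can be scripted against a backup inventory exported from the backup platform and the destination repository's access policy. The script below is an added example, not part of the original control text or any vendor's tooling. The inventory, the twelve-digit account identifiers, the "account/role" format for principals, and the job-log records are all constructed for the example; a real audit would populate them from the organisation's backup configuration and repository policies.

```python
"""Added audit helper (not from the original control page): checks a constructed
backup inventory for off-site / off-account separation, flags production-account
principals that can delete from the repository, and confirms a successful
off-account run within the 30-day evidence window."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EVIDENCE_WINDOW = timedelta(days=30)


@dataclass
class BackupTarget:
    system: str
    prod_account: str         # account / subscription / tenant hosting production
    prod_site: str            # cloud region or physical facility hosting production
    dest_account: str         # account the backup repository lives in
    dest_site: str            # region or facility of the repository
    delete_principals: tuple  # principals the repository policy lets delete (constructed "account/role" form)


@dataclass
class BackupRun:
    system: str
    dest_account: str
    finished: datetime
    ok: bool


def separation_findings(t: BackupTarget) -> list:
    """One finding per separation failure; an empty list means the target passes."""
    findings = []
    if t.dest_account == t.prod_account:
        findings.append(f"{t.system}: repository is in the production account {t.prod_account}")
    if t.dest_site == t.prod_site:
        findings.append(f"{t.system}: repository shares site/region {t.prod_site} with production")
    # A production-account principal with delete rights defeats the account boundary
    # even when the repository itself sits in a different account.
    leaked = [p for p in t.delete_principals if p.split("/", 1)[0] == t.prod_account]
    if leaked:
        findings.append(f"{t.system}: production principals can delete backups: {', '.join(leaked)}")
    return findings


def evidence_findings(t: BackupTarget, runs: list, now: datetime) -> list:
    """Confirm a successful run to the off-account destination inside the evidence window."""
    cutoff = now - EVIDENCE_WINDOW
    relevant = sorted(
        (r for r in runs if r.system == t.system and r.dest_account == t.dest_account and r.finished >= cutoff),
        key=lambda r: r.finished,
    )
    if not any(r.ok for r in relevant):
        return [f"{t.system}: no successful off-site backup in the last {EVIDENCE_WINDOW.days} days"]
    if not relevant[-1].ok:
        return [f"{t.system}: most recent off-site run failed on {relevant[-1].finished:%Y-%m-%d}"]
    return []


def audit(targets: list, runs: list, now: datetime) -> dict:
    """Map each system to its list of findings (empty list = control satisfied)."""
    return {t.system: separation_findings(t) + evidence_findings(t, runs, now) for t in targets}


# Constructed sample data: one compliant system, one fully co-located system, and one
# whose repository is off-account but still deletable by a production role.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the example is deterministic
TARGETS = [
    BackupTarget("erp-db", "111111111111", "us-east-1", "222222222222", "us-west-2",
                 ("222222222222/backup-admin",)),
    BackupTarget("file-share", "111111111111", "us-east-1", "111111111111", "us-east-1",
                 ("111111111111/prod-admin",)),
    BackupTarget("crm", "111111111111", "us-east-1", "222222222222", "eu-west-1",
                 ("222222222222/backup-admin", "111111111111/prod-admin")),
]
RUNS = [
    BackupRun("erp-db", "222222222222", NOW - timedelta(days=1), True),
    BackupRun("file-share", "111111111111", NOW - timedelta(days=1), True),
    BackupRun("crm", "222222222222", NOW - timedelta(days=40), True),   # outside the 30-day window
    BackupRun("crm", "222222222222", NOW - timedelta(days=2), False),
]

if __name__ == "__main__":
    for system, findings in audit(TARGETS, RUNS, NOW).items():
        print(system, "PASS" if not findings else "FAIL")
        for f in findings:
            print("   ", f)
```

The principal check is the part most often skipped in practice: a repository in a second account passes a naive "different account ID" comparison while a cross-account role trusted from production still holds delete rights on it. Feed the script the actual principals granted delete or lifecycle-modification permissions by the repository policy, not just the account that owns the bucket or vault.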
Where this control is tested