A.8.13 / A.8.14 — Are backups isolated, immutable and tested, with redundancy for critical systems?
Description
What this control does
This control ensures that backup data is protected from ransomware, insider threats, and cascading failures through isolation from production networks, immutability mechanisms (write-once-read-many or append-only storage), and regular recovery testing. Critical systems require redundant backup copies stored in geographically separate locations or media types to prevent single points of failure. The combination of isolation, immutability, and testing validates that recovery objectives can be met even when primary infrastructure is compromised.
Control objective
What auditing this proves
Demonstrate that backup infrastructure implements technical isolation and immutability controls, maintains redundant copies for critical systems, and performs validated restoration testing at defined intervals.
Associated risks
Risks this control addresses
- Ransomware encrypts or deletes backup data accessible via network credentials or administrative sessions
- Insider threat actors with elevated privileges intentionally corrupt or exfiltrate backup repositories before detection
- Logical corruption propagates from production systems to backup storage due to insufficient air-gapping or snapshot intervals
- Backup media degradation or storage system failure renders recovery impossible when redundancy is absent
- Untested backup procedures fail during actual incidents due to configuration drift, missing dependencies, or incompatible restore targets
- Compliance violations and regulatory penalties result from inability to recover audit logs, financial records, or personal data within mandated timeframes
- Business continuity failure when critical system backups are incomplete, outdated beyond RTO/RPO thresholds, or stored in a single failure domain
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's backup policy, including defined retention schedules, immutability requirements, redundancy specifications, and testing frequency for each asset classification tier
- Generate an inventory of all backup systems, storage repositories, and associated network segments from asset management or CMDB records, tagging systems classified as critical or high-impact
- Review network architecture diagrams and firewall rulesets to verify backup infrastructure segmentation, confirming that backup networks use separate VLANs, jump hosts, or physically isolated connections that prevent lateral movement from production
- Examine backup storage configurations to validate immutability controls such as object lock settings, WORM media usage, air-gapped tape rotation, or snapshot retention policies that prevent modification or deletion within retention windows
- Select a sample of five critical systems and trace their backup jobs through the past 90 days, verifying that redundant copies exist in secondary locations (offsite datacenter, cloud region, or offline media) with documented transport or replication logs
- Request restoration test records for the trailing 12 months, identifying which critical systems underwent full or partial recovery validation, and reviewing test plans, actual versus expected RTOs, and remediation of any identified gaps
- Perform a witnessed restoration drill of one sampled critical system component to an isolated test environment, documenting the end-to-end process, recovery time, data integrity verification steps, and any procedural deviations
- Interview backup administrators regarding credential management practices, privilege separation, and procedures for emergency access to immutable storage, validating that privileged accounts require multi-person authorization or break-glass logging
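The testing procedure above is, in effect, a set of checks over a backup inventory: every critical system has redundant copies in separate failure domains, each copy is reachable only from an isolated segment and is immutable for at least the retention window, the most recent successful job falls within the RPO, and a restoration test within the trailing 12 months met its RTO. The following script is an added example, not part of the control text or of any particular backup product; it encodes those checks over a constructed inventory. The policy thresholds (minimum copies, retention floor, RPO), the segment names and the system records are assumed values for illustration; only the 90-day trace and 12-month restore-test window come from the procedure itself.

```python
"""Added example: evaluate a constructed backup inventory against the
isolation, immutability, redundancy and restore-testing expectations of
A.8.13 / A.8.14. Not an official checklist; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    """Thresholds enforced by the check (assumed values, except the
    90-day trace and 12-month restore-test window from the procedure)."""
    min_copies_critical: int = 2        # redundant copies for critical systems
    min_locations_critical: int = 2     # copies must sit in distinct failure domains
    min_retention_days: int = 30        # immutability retention floor (assumed)
    rpo_hours: int = 24                 # assumed RPO for the critical tier
    restore_test_window_days: int = 365 # trailing 12 months per testing procedure
    backup_trace_days: int = 90         # job history window per testing procedure


@dataclass
class BackupCopy:
    location: str          # e.g. "dc-primary", "cloud-region-b", "offline-tape"
    network_segment: str   # "backup-vlan" is isolated; "prod-vlan" is not (assumed names)
    immutable: bool        # object lock / WORM / append-only snapshot in force
    retention_days: int    # period during which deletion or modification is blocked
    last_success: date     # most recent successful backup job


@dataclass
class SystemBackup:
    name: str
    critical: bool
    copies: List[BackupCopy]
    last_restore_test: Optional[date]
    rto_target_hours: float
    rto_actual_hours: Optional[float]  # None when no test has been run


Finding = Tuple[str, str]  # (stable code, human-readable detail)


def evaluate_system(system: SystemBackup, policy: Policy, today: date) -> List[Finding]:
    """Return the control gaps for one system; an empty list means compliant."""
    findings: List[Finding] = []
    if system.critical:
        if len(system.copies) < policy.min_copies_critical:
            findings.append(("REDUNDANCY", f"{len(system.copies)} copy/copies, "
                             f"policy requires {policy.min_copies_critical}"))
        locations = {c.location for c in system.copies}
        if len(locations) < policy.min_locations_critical:
            findings.append(("SINGLE_FAILURE_DOMAIN",
                             f"all copies in {sorted(locations)}"))
    for c in system.copies:
        if c.network_segment == "prod-vlan":
            findings.append(("ISOLATION", f"{c.location} reachable from production segment"))
        if not c.immutable:
            findings.append(("IMMUTABILITY", f"{c.location} has no write-once protection"))
        elif c.retention_days < policy.min_retention_days:
            findings.append(("RETENTION", f"{c.location} locks for {c.retention_days}d, "
                             f"policy floor {policy.min_retention_days}d"))
        if today - c.last_success > timedelta(hours=policy.rpo_hours):
            findings.append(("RPO", f"{c.location} last success {c.last_success}"))
    if (system.last_restore_test is None
            or (today - system.last_restore_test).days > policy.restore_test_window_days):
        findings.append(("RESTORE_TEST", "no validated restore in trailing 12 months"))
    elif system.rto_actual_hours is not None and system.rto_actual_hours > system.rto_target_hours:
        findings.append(("RTO", f"actual {system.rto_actual_hours}h exceeds "
                         f"target {system.rto_target_hours}h"))
    return findings


def evaluate_inventory(inventory: List[SystemBackup], policy: Policy,
                       today: date) -> Dict[str, List[Finding]]:
    """Map each system name to its findings."""
    return {s.name: evaluate_system(s, policy, today) for s in inventory}


# Constructed sample data (not real systems). TODAY fixes the evaluation date.
TODAY = date(2024, 6, 30)
SAMPLE_INVENTORY = [
    SystemBackup("erp-db", True, [
        BackupCopy("dc-primary", "backup-vlan", True, 35, date(2024, 6, 30)),
        BackupCopy("cloud-region-b", "backup-vlan", True, 90, date(2024, 6, 30)),
    ], date(2024, 3, 15), 4.0, 3.5),
    SystemBackup("payroll", True, [
        BackupCopy("dc-primary", "prod-vlan", False, 14, date(2024, 6, 27)),
    ], date(2023, 5, 1), 8.0, None),
    SystemBackup("wiki", False, [
        BackupCopy("dc-primary", "backup-vlan", True, 30, date(2024, 6, 30)),
    ], date(2024, 1, 10), 24.0, 30.0),
]

if __name__ == "__main__":
    for name, findings in evaluate_inventory(SAMPLE_INVENTORY, Policy(), TODAY).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{name}: {status}")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

The finding codes map one-to-one onto the risks listed under "Associated risks", so an auditor can tie each gap back to the risk it leaves open; replacing the constructed inventory with records exported from the backup platform, CMDB and restore-test log turns the same logic into a repeatable pre-audit check.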