CP-9(8) / A.8.13 / CIS-11.3 NIST SP 800-53 Rev 5

Are backups isolated from the production network (offline / immutable / separate cloud account)?

Description

What this control does

Backup isolation ensures that production backup copies are stored in environments that are logically or physically separated from the primary network and systems they protect. This is achieved through offline storage (air-gapped media), immutable storage configurations (write-once-read-many), or deployment in separate cloud accounts with distinct authentication boundaries. Isolation prevents attackers who compromise production environments from encrypting, deleting, or corrupting backup data, which is critical for recovery from ransomware and destructive attacks.

Control objective

What auditing this proves

Demonstrate that backup repositories are protected from unauthorized modification or deletion by production network threats through verified isolation mechanisms including offline storage, immutability enforcement, or administrative boundary separation.

Associated risks

Risks this control addresses

  • Ransomware propagates from compromised production systems to connected backup repositories, encrypting both primary data and backups simultaneously
  • Attackers with production network access escalate privileges and delete backup data to prevent recovery and increase ransom leverage
  • Malicious insiders or compromised administrator accounts modify or corrupt backup datasets over extended periods before detection
  • Automated malware spreads laterally through network-attached backup storage, compromising backup integrity before incident detection
  • Cloud account compromise in shared-credential environments allows attackers to destroy backups stored in the same tenant or subscription
  • Configuration drift reconnects isolated backups to production networks, exposing them to the same threat landscape as primary systems
  • Lack of immutability controls permits unauthorized backup deletion or modification through compromised backup management consoles

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's backup architecture diagram, backup policy documentation, and network segmentation standards that define isolation requirements.
  2. Identify all backup repositories and storage locations in scope, including on-premises systems, cloud storage services, and offline media libraries.
  3. For each backup repository, examine network connectivity configurations to verify physical or logical isolation from production networks, including firewall rules, VLAN assignments, and routing tables.
  4. Review cloud backup configurations to confirm separate account or subscription usage, inspecting IAM boundaries, cross-account access policies, and authentication federation settings.
  5. Test immutability settings on backup storage by reviewing object lock configurations, retention policies, and WORM settings, and verify that production administrators cannot disable these protections.
  6. Select a sample of recent backup jobs and trace network paths from production systems to backup destinations, confirming that connection windows are time-limited and credential exposure is minimized.
  7. Interview backup administrators and review access logs to verify that production system credentials cannot authenticate directly to backup repositories and that separate authentication mechanisms are enforced.
  8. Simulate a production compromise scenario by reviewing incident response procedures and confirming that backup access requires out-of-band authentication or manual intervention that would survive production credential compromise.
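As an added worked example (not part of this control page or any vendor's tooling), here is how step 5 can be applied to the AWS S3 Object Lock evidence named under Evidence required: a small checker that evaluates a parsed `get-object-lock-configuration` response against the pass criteria (immutability that production administrators cannot override, plus a separate account boundary). The account IDs, sample responses and the 30-day minimum are constructed for illustration.

```python
"""Evaluate AWS S3 Object Lock evidence against the backup isolation pass criteria."""
import json

# AWS retention modes. COMPLIANCE retention cannot be shortened or removed by any
# principal until it expires; GOVERNANCE can be bypassed by principals holding
# s3:BypassGovernanceRetention, so on its own it does not prove that production
# administrators are unable to override the protection.
ADMIN_PROOF_MODES = {"COMPLIANCE"}


def evaluate_object_lock(lock_config: dict, bucket_account: str,
                         production_accounts: set, min_days: int) -> list:
    """Return a list of findings; an empty list means the repository passes.

    lock_config: parsed JSON body of `aws s3api get-object-lock-configuration`.
    bucket_account: AWS account ID that owns the backup bucket (assumed known).
    production_accounts: account IDs in which production workloads run.
    """
    findings = []
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings  # no retention rule can exist without Object Lock
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode not in ADMIN_PROOF_MODES:
        findings.append(f"default retention mode is {mode!r}; COMPLIANCE required")
    # DefaultRetention carries either Days or Years; normalise to days.
    days = retention.get("Days", 0) + retention.get("Years", 0) * 365
    if days < min_days:
        findings.append(f"default retention of {days} days is below the {min_days}-day minimum")
    if bucket_account in production_accounts:
        findings.append("backup bucket is owned by a production account; no administrative boundary")
    return findings


# Constructed sample responses in the shape the CLI prints (not real evidence).
PASSING = json.loads('{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", '
                     '"Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}}')
FAILING = json.loads('{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", '
                     '"Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}')
PRODUCTION_ACCOUNTS = {"111111111111"}  # constructed account ID

if __name__ == "__main__":
    for name, cfg, owner in (("backup-vault", PASSING, "222222222222"),
                             ("shared-bucket", FAILING, "111111111111")):
        result = evaluate_object_lock(cfg, owner, PRODUCTION_ACCOUNTS, min_days=30)
        print(name, "PASS" if not result else "FAIL: " + "; ".join(result))
```

The same shape of check applies to other platforms in the evidence list once their retention settings are exported; only the field names change.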

Evidence required

Collect network diagrams with annotated backup isolation boundaries, firewall rule exports showing production-to-backup segmentation, cloud console screenshots demonstrating separate account configurations, immutability policy settings from backup platforms (Veeam, Commvault, AWS S3 Object Lock, Azure Immutable Blob Storage), IAM policy documents restricting cross-environment access, and access logs showing authentication separation between production and backup administrative planes.

Pass criteria

All backup repositories demonstrate either physical disconnection from production networks, enforced immutability with retention periods preventing administrator override, or deployment in separate cloud accounts with independent authentication controls that production credentials cannot access.