Are important business files (cloud + local) backed up?
Demonstrate that important business files across cloud and local environments are identified, backed up according to defined schedules and retention policies, and that backups are tested for successful restoration.
Description
What this control does
This control ensures that critical business data stored in both cloud platforms (SaaS, IaaS, PaaS) and on-premises or local endpoints is systematically backed up to enable recovery in the event of ransomware, hardware failure, accidental deletion, or disaster. It requires identification of what constitutes 'important' data, defined backup frequency and retention policies, automated backup execution, and periodic restoration testing. Effective backup practices form the foundation of business continuity and cyber resilience, particularly against destructive malware and insider threats.
Control objective
What auditing this proves
Demonstrate that important business files across cloud and local environments are identified, backed up according to defined schedules and retention policies, and that backups are tested for successful restoration.
Associated risks
Risks this control addresses
- Permanent loss of critical business data due to ransomware encryption without recoverable backups
- Inability to restore operations after catastrophic hardware failure, natural disaster, or datacenter outage
- Loss of intellectual property, financial records, or customer data following accidental deletion or malicious insider activity
- Regulatory non-compliance due to inability to produce required records following data loss incidents
- Extended downtime and revenue loss when backup systems fail or backups are found to be corrupted during emergency restoration attempts
- Incomplete or inconsistent backups due to unidentified critical data repositories or shadow IT cloud services
- Backup compromise through attacker lateral movement to backup infrastructure, preventing clean recovery from known-good state
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data classification and criticality inventory to identify which business files are classified as important or critical for backup.
- Retrieve the current backup policy documentation, including defined Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), retention schedules, and scope of coverage for cloud and local environments.
- Enumerate all backup solutions in use (cloud-native tools, third-party agents, local backup appliances) and obtain configuration exports showing backup job definitions, schedules, and included/excluded paths.
- Select a representative sample of important business files from both cloud repositories (e.g., SharePoint, Google Drive, Salesforce) and local systems (file servers, databases, endpoint laptops) and verify each is covered by an active backup job.
- Review backup job execution logs for the past 90 days to identify failures, incomplete runs, or jobs that consistently skip files because of file locks or permission issues.
- Request evidence of backup restoration tests performed within the past 12 months, including test plans, actual restored data samples, validation results, and time-to-restore measurements.
- Verify that backup storage is logically or physically separated from production environments and protected by distinct access controls to prevent simultaneous compromise.
- Confirm that backup integrity mechanisms (checksums, encryption validation, immutability features) are enabled and review evidence of automated integrity verification for stored backups.
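The log-review step (the 90-day check for failures, incomplete runs and consistently skipped files) and the integrity step (checksum verification of stored backups) are the two parts of this procedure an auditor can mechanise. The script below is an added example, not part of this control page or of any backup product's tooling. The log format, the job names, the sample log lines, the backup objects and the SHA-256 manifest are all constructed for the illustration; a real engagement would substitute the vendor's own export format and manifest.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of backup job log lines (not taken from any real product).
# Assumed format: ISO date | job name | status | files_total | files_skipped | note
SAMPLE_LOG = """\
2024-03-01 | fileserver-nightly | SUCCESS | 120000 | 0 | ok
2024-03-02 | fileserver-nightly | SUCCESS | 120100 | 3 | skipped: locked (finance/ledger.xlsx)
2024-03-03 | fileserver-nightly | SUCCESS | 120150 | 3 | skipped: locked (finance/ledger.xlsx)
2024-03-04 | fileserver-nightly | FAILED  | 0      | 0 | agent unreachable
2024-03-05 | fileserver-nightly | PARTIAL | 60000  | 3 | skipped: locked (finance/ledger.xlsx)
2024-03-05 | sharepoint-daily   | SUCCESS | 8000   | 0 | ok
2023-11-01 | sharepoint-daily   | FAILED  | 0      | 0 | token expired
"""

AS_OF = date(2024, 3, 31)   # review date assumed for the 90-day window
WINDOW_DAYS = 90


def parse_log(text):
    """Parse the pipe-delimited log into a list of run dictionaries."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        runs.append({
            "date": date.fromisoformat(fields[0]),
            "job": fields[1],
            "status": fields[2],
            "files_total": int(fields[3]),
            "files_skipped": int(fields[4]),
            "note": fields[5],
        })
    return runs


def audit_runs(runs, as_of=AS_OF, window_days=WINDOW_DAYS, skip_threshold=2):
    """Return audit findings for runs inside the review window.

    Flags failed runs, incomplete (partial) runs, and any job/reason pair
    that skipped files in at least `skip_threshold` runs (a persistent lock
    or permission problem rather than a one-off).
    """
    cutoff = as_of - timedelta(days=window_days)
    findings = []
    skip_counts = defaultdict(int)
    for r in runs:
        if r["date"] < cutoff:
            continue  # outside the 90-day sample; not evidence for this review
        if r["status"] == "FAILED":
            findings.append(f"{r['date']} {r['job']}: failed run ({r['note']})")
        elif r["status"] == "PARTIAL":
            findings.append(f"{r['date']} {r['job']}: incomplete run ({r['note']})")
        if r["files_skipped"] > 0:
            skip_counts[(r["job"], r["note"])] += 1
    for (job, note), count in sorted(skip_counts.items()):
        if count >= skip_threshold:
            findings.append(f"{job}: consistently skipping files in {count} runs ({note})")
    return findings


# Constructed backup objects as currently stored, and the SHA-256 manifest
# recorded when the backup was taken. One object has changed since, and one
# listed in the manifest is missing from storage.
BACKUP_OBJECTS = {
    "finance/ledger.xlsx": b"ledger-contents-v1",
    "hr/payroll.csv": b"payroll-contents-CORRUPTED",
}
MANIFEST = {
    "finance/ledger.xlsx": hashlib.sha256(b"ledger-contents-v1").hexdigest(),
    "hr/payroll.csv": hashlib.sha256(b"payroll-contents-v1").hexdigest(),
    "legal/contracts.zip": hashlib.sha256(b"contracts-contents-v1").hexdigest(),
}


def verify_manifest(objects, manifest):
    """Return the manifest paths whose stored bytes are missing or no longer
    hash to the recorded SHA-256; an empty list means integrity holds."""
    mismatches = []
    for path in sorted(manifest):
        data = objects.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != manifest[path]:
            mismatches.append(path)
    return mismatches


if __name__ == "__main__":
    for finding in audit_runs(parse_log(SAMPLE_LOG)):
        print("LOG FINDING:", finding)
    for path in verify_manifest(BACKUP_OBJECTS, MANIFEST):
        print("INTEGRITY FINDING:", path)
```

The two functions correspond to two distinct pieces of audit evidence: `audit_runs` shows whether the schedule is actually being met over the sample period, while `verify_manifest` shows whether what was written is still what is stored. A backup set that passes the first check but fails the second is exactly the "corrupted during emergency restoration" risk listed above, which is why the manifest comparison belongs in the routine check rather than only in the annual restore test.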