CP-9(8) / A.8.13 / CIS-11.3 NIST SP 800-53 Rev 5

Immutable backups

Description

What this control does

Immutable backups are write-once-read-many (WORM) backup copies that cannot be altered, encrypted, or deleted by any user or process—including administrators and attackers—for a defined retention period. This is typically implemented using object lock features in cloud storage (e.g., AWS S3 Object Lock, Azure Immutable Blob Storage), dedicated immutable backup appliances, or air-gapped tape libraries. Immutable backups protect against ransomware attacks that attempt to encrypt or delete backup data to force ransom payment, and guard against accidental or malicious data destruction by insiders.
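The object-lock configuration described above, as an added example that is not part of the control text or any vendor tooling: a Python check that reads exported bucket settings in the shape of the S3 GetBucketVersioning and GetObjectLockConfiguration responses and evaluates them against a policy minimum. The bucket names, the 30-day minimum and the sample exports are constructed for illustration. What it adds to the paragraph is the set of conditions under which the lock actually holds: versioning must be enabled (Object Lock protects object versions), a default retention rule must exist (otherwise nothing is retained unless each writer sets retention per object), the retention must meet policy, and the mode should be COMPLIANCE, because a GOVERNANCE-mode lock can be shortened or removed by a principal granted s3:BypassGovernanceRetention, which is exactly the credential-compromise case the control is meant to survive.

```python
"""Evaluate exported object-lock settings for backup buckets against the backup policy.

Added example (not the control's own tooling). The export shape mirrors the
responses of S3 GetBucketVersioning and GetObjectLockConfiguration; bucket names,
the policy minimum and the sample exports are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum default retention the (hypothetical) backup policy requires, in days.
POLICY_MIN_RETENTION_DAYS = 30


@dataclass
class Finding:
    bucket: str
    severity: str  # "fail" blocks the pass criteria; "warn" needs a compensating control
    message: str


def retention_days(rule: dict) -> Optional[int]:
    """Normalise a DefaultRetention rule, which may be expressed in Days or Years."""
    if "Days" in rule:
        return int(rule["Days"])
    if "Years" in rule:
        return int(rule["Years"]) * 365
    return None


def evaluate_bucket(bucket: str, versioning: dict, lock_export: dict,
                    min_days: int = POLICY_MIN_RETENTION_DAYS) -> List[Finding]:
    """Return the findings for one repository; an empty list means it passes."""
    findings: List[Finding] = []

    # Object Lock only protects object versions, so versioning must be Enabled
    # (a never-versioned bucket returns no Status at all; Suspended is a red flag).
    if versioning.get("Status") != "Enabled":
        findings.append(Finding(bucket, "fail",
                                "versioning is not enabled; new backup versions cannot be locked"))

    cfg = lock_export.get("ObjectLockConfiguration") or {}
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append(Finding(bucket, "fail", "Object Lock is not enabled on the bucket"))
        return findings

    rule = (cfg.get("Rule") or {}).get("DefaultRetention")
    if not rule:
        # Lock is on, but nothing is retained unless each writer sets per-object retention.
        findings.append(Finding(bucket, "fail", "Object Lock enabled without a default retention rule"))
        return findings

    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        findings.append(Finding(bucket, "warn",
                                "GOVERNANCE mode: a principal granted s3:BypassGovernanceRetention "
                                "can shorten or remove retention"))
    elif mode != "COMPLIANCE":
        findings.append(Finding(bucket, "fail", f"unrecognised retention mode {mode!r}"))

    days = retention_days(rule)
    if days is None:
        findings.append(Finding(bucket, "fail", "default retention rule has neither Days nor Years"))
    elif days < min_days:
        findings.append(Finding(bucket, "fail",
                                f"default retention of {days} days is below the policy minimum of {min_days}"))
    return findings


# Constructed exports, keyed by bucket: (GetBucketVersioning, GetObjectLockConfiguration).
SAMPLE_EXPORTS: Dict[str, Tuple[dict, dict]] = {
    "backups-prod": (
        {"Status": "Enabled"},
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                     "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    ),
    "backups-dev": (
        {"Status": "Enabled"},
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    ),
    "backups-archive": (
        {"Status": "Enabled"},
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                     "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}},
    ),
    "backups-legacy": ({"Status": "Suspended"}, {}),
}


def audit(exports: Dict[str, Tuple[dict, dict]]) -> Dict[str, List[Finding]]:
    return {bucket: evaluate_bucket(bucket, v, lock) for bucket, (v, lock) in exports.items()}


def passes(results: Dict[str, List[Finding]]) -> bool:
    """Pass criteria: no repository carries a 'fail' finding."""
    return not any(f.severity == "fail" for findings in results.values() for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_EXPORTS)
    for bucket, findings in results.items():
        status = "PASS" if not findings else "; ".join(f"{f.severity}: {f.message}" for f in findings)
        print(f"{bucket}: {status}")
    print("overall:", "PASS" if passes(results) else "FAIL")
```

Run against real exports, the same check gives an auditor a repeatable answer for each repository in scope: backups-prod and backups-archive pass, backups-dev fails on retention and carries a GOVERNANCE warning, and backups-legacy fails outright because versioning is suspended and no lock configuration exists.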

Control objective

What auditing this proves

Demonstrate that backup data is protected by immutability controls that prevent modification or deletion during the defined retention period, ensuring recoverability even in the event of credential compromise or ransomware attack.

Associated risks

Risks this control addresses

  • Ransomware operators encrypt or delete standard backups using compromised administrative credentials, eliminating recovery options and forcing ransom payment
  • Malicious insiders with elevated privileges intentionally destroy backup data to cover tracks or cause organizational harm
  • Compromised backup administrator accounts are used to delete all recovery points prior to deploying destructive malware
  • Automated ransomware scripts traverse network shares and connected storage to corrupt backup repositories alongside production data
  • Inadequate retention periods allow attackers with persistent access to wait out the immutability window before launching destructive attacks
  • Backup data stored in mutable formats is modified by advanced persistent threats to inject backdoors or hide evidence of long-term compromise
  • Configuration drift or permission changes inadvertently disable immutability features, leaving backups vulnerable without detection

Testing procedure

How an auditor verifies this control

  1. Obtain and review the backup policy documentation specifying immutability requirements, retention periods, and scope of protected systems
  2. Inventory all backup solutions and storage repositories in use, identifying which systems implement immutability features and which do not
  3. For cloud-based backup storage, export and review object lock or immutability configuration settings from the storage provider console (e.g., S3 bucket policies with object lock enabled, Azure container immutability policies)
  4. For on-premises backup appliances, review system configuration screenshots or exported settings showing WORM mode enabled and retention policies configured
  5. Select a sample of recent backup jobs (minimum 5-10 representing different systems) and verify that each backup set has immutability metadata indicating lock status and expiration date
  6. Attempt to delete or modify a sample backup object using administrative credentials to verify that the operation is blocked by the immutability control and generates an access-denied error
  7. Review access logs or audit trails from backup storage systems for the past 90 days to identify any unauthorized deletion attempts or configuration changes to immutability settings
  8. Validate that monitoring or alerting is configured to detect and notify security teams when immutability configurations are changed or disabled on backup repositories
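Steps 7 and 8 above, expressed as detection logic over audit events. This is an added example rather than anything from the control text: the events are constructed in a CloudTrail-like JSON-lines shape (eventName, userIdentity.arn, requestParameters.bucketName, errorCode), the bucket names and principal ARNs are placeholders, and the S3 operation names follow the API/CloudTrail naming as I know it, so confirm them against the provider's documentation before relying on them. It separates four things an auditor wants to see distinguished: deletion attempts the lock blocked (the expected evidence from step 6), changes to lock settings that must map to change records (step 8), a plain delete that only adds a delete marker while the locked version survives, and a successful versioned delete inside the retention window, which means the control did not hold.

```python
"""Scan backup-storage audit events for immutability tampering and blocked deletions.

Added example, not the control's own tooling. Event layout, bucket names and
principal ARNs are constructed; operation names follow S3/CloudTrail naming as
I recall it (assumption) and should be verified against provider documentation.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Repositories the backup policy designates as immutable (constructed scope).
IMMUTABLE_BUCKETS = {"backups-prod"}

# Operations that alter or weaken immutability settings.
LOCK_CONFIG_EVENTS = {
    "PutBucketObjectLockConfiguration",  # bucket default retention mode / period
    "PutObjectRetention",                # per-object retention date or mode
    "PutObjectLegalHold",                # legal hold on or off
    "PutBucketVersioning",               # Object Lock depends on versioning staying enabled
}
DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}


@dataclass
class AuditFinding:
    category: str   # config-change | blocked-delete | version-deleted | delete-marker
    severity: str   # fail | review | warn | info
    actor: str
    bucket: str
    detail: str


def classify(event: dict) -> Optional[AuditFinding]:
    """Map one audit event to a finding, or None when it is out of scope."""
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    if bucket not in IMMUTABLE_BUCKETS:
        return None
    name = event.get("eventName", "")
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    error = event.get("errorCode")

    if name in LOCK_CONFIG_EVENTS:
        # A successful change must be traceable to a change record ("review");
        # a denied attempt is still worth knowing who tried ("warn").
        outcome = f"denied ({error})" if error else "succeeded"
        return AuditFinding("config-change", "warn" if error else "review", actor, bucket, f"{name} {outcome}")

    if name in DELETE_EVENTS:
        if error:
            # The lock did its job; this is the evidence step 6 asks for.
            return AuditFinding("blocked-delete", "info", actor, bucket, f"{name} denied ({error})")
        if params.get("versionId"):
            # A locked version was actually removed: the control did not hold.
            return AuditFinding("version-deleted", "fail", actor, bucket,
                                f"{name} removed version {params['versionId']} of {params.get('key')}")
        # Without a versionId, a delete only adds a delete marker; the locked version survives.
        return AuditFinding("delete-marker", "info", actor, bucket,
                            f"{name} added a delete marker on {params.get('key')}")
    return None


def review(jsonl: str) -> List[AuditFinding]:
    """Parse JSON-lines audit events and keep the in-scope findings in order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def summarize(findings: List[AuditFinding]) -> Counter:
    return Counter(f.category for f in findings)


def control_failed(findings: List[AuditFinding]) -> bool:
    return any(f.severity == "fail" for f in findings)


# Constructed sample events (account id and ARNs are placeholders).
SAMPLE_EVENTS = """
{"eventTime":"2024-05-01T02:10:11Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-admin"},"requestParameters":{"bucketName":"backups-prod","key":"db/2024-04-30.bak","versionId":"v1"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T02:12:40Z","eventName":"PutBucketObjectLockConfiguration","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-admin"},"requestParameters":{"bucketName":"backups-prod"}}
{"eventTime":"2024-05-01T02:13:05Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-admin"},"requestParameters":{"bucketName":"backups-prod","key":"db/2024-04-30.bak"}}
{"eventTime":"2024-05-01T02:15:00Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci"},"requestParameters":{"bucketName":"scratch","key":"tmp/x"}}
{"eventTime":"2024-05-01T02:20:33Z","eventName":"PutObjectRetention","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ops"},"requestParameters":{"bucketName":"backups-prod","key":"db/2024-04-30.bak"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T02:25:19Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-admin"},"requestParameters":{"bucketName":"backups-prod","key":"db/2024-04-29.bak","versionId":"v9"}}
"""

if __name__ == "__main__":
    found = review(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.category}: {f.actor} on {f.bucket}: {f.detail}")
    print(dict(summarize(found)), "| control failed:", control_failed(found))
```

The out-of-scope delete on the scratch bucket is ignored, the two lock-configuration events surface for reconciliation against change management records, and the single successful versioned delete is what turns the 90-day review into a fail regardless of how many attempts the lock blocked. Wired to the storage provider's log delivery, the same classification is the alert condition step 8 asks for.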

Evidence required

  • Configuration exports from backup storage showing object lock enabled with defined retention periods (e.g., S3 bucket policy JSON, Azure immutability policy screenshots, backup appliance configuration files)
  • Audit logs or console screenshots demonstrating unsuccessful attempts to delete or modify immutable backup objects
  • Change management records documenting initial configuration and any subsequent modifications to immutability settings

Pass criteria

All in-scope backup repositories have immutability controls enabled with retention periods aligned to policy requirements, attempted deletion or modification of sample backups during the immutability window is blocked, and monitoring is in place to detect configuration changes.
