Offline / immutable backups + quarterly restore test
Demonstrate that the organization maintains ransomware-resistant backup copies isolated from production systems and validates their recoverability through documented quarterly restoration exercises.
Description
What this control does
This control requires organizations to maintain backup copies that are either physically disconnected from production networks once each write completes (offline) or stored in write-once-read-many (WORM) form so that they cannot be modified or deleted before their retention period expires (immutable). Because production credentials and production network access cannot reach or alter these copies, they survive ransomware, insiders with privileged access, and automated deletion cascades that would destroy online backups. A formal quarterly restore test validates recoverability by restoring data from these protected copies into a test environment and measuring success rate, recovery time, and data integrity, so that the business continuity capability is proven rather than assumed.
Control objective
What auditing this proves
Demonstrate that the organization maintains ransomware-resistant backup copies isolated from production systems and validates their recoverability through documented quarterly restoration exercises.
Associated risks
Risks this control addresses
- Ransomware encrypts production systems and simultaneously destroys or encrypts online backups through lateral movement, rendering recovery impossible
- Insider threat actors with privileged access delete or corrupt backup repositories to cover tracks or cause operational damage
- Automated deletion scripts or misconfigurations propagate to connected backup storage, eliminating recovery points
- Backups fail to restore due to undetected corruption, incompatible versioning, or incomplete data capture discovered only during actual disaster scenarios
- Restoration procedures become outdated as infrastructure evolves, resulting in extended downtime when recovery is attempted under crisis conditions
- Backup media degrades over time without verification, causing silent data loss that renders archives unusable when needed
- Cloud-based backup systems remain API-connected to production accounts, allowing attackers with compromised credentials to delete backup versions
Testing procedure
How an auditor verifies this control
- Obtain and review the backup policy document defining offline/immutable requirements, isolation methods, retention schedules, and quarterly testing procedures
- Request an inventory of all backup systems, repositories, and media designated as offline or immutable, including technology type (tape, air-gapped storage, S3 Object Lock, etc.)
- Verify configuration exports or technical documentation confirming immutability settings for each designated backup repository (WORM enabled, Object Lock retention mode and period, write-blocking hardware); for S3 Object Lock, confirm COMPLIANCE mode rather than GOVERNANCE mode, since governance retention can be bypassed by any principal granted s3:BypassGovernanceRetention, and confirm that the default retention period is at least as long as the retention schedule in the backup policy
- Select a random sample of three quarterly restore test reports from the past 12 months and review for completeness: date performed, systems tested, data scope, success metrics, recovery time, issues identified, and resolution
- Interview backup administrators to confirm the physical or logical isolation mechanism: validate that offline backups are disconnected after writes complete or that immutable backups cannot be modified via production network access
- Observe a live restoration exercise or review video/screenshot evidence of the most recent quarterly test showing backup media retrieval, restore initiation, data validation, and success confirmation
- Cross-reference the backup inventory against disaster recovery plans and critical system asset lists to confirm that all mission-critical systems are included in offline/immutable backup scope
- Review access control logs or change management records for backup systems over the past quarter to confirm no unauthorized modifications to immutability settings or retention policies occurred
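The configuration-export check above can be scripted rather than eyeballed. The following is an added example, not code from the original page or from any backup product: it evaluates the JSON that `aws s3api get-object-lock-configuration` and `aws s3api get-bucket-versioning` return against a backup policy. The minimum retention of 90 days and the sample exports are constructed for the example and are not figures from the control text. Two facts it relies on: GOVERNANCE-mode retention can be removed or shortened by a principal holding s3:BypassGovernanceRetention, whereas COMPLIANCE-mode retention cannot be shortened by anyone, and a bucket's default retention rule only applies to object versions written after it is set, so existing versions need their own retention checked.

```python
"""Evaluate exported S3 Object Lock and versioning settings against a backup policy.

Input documents have the shape returned by
  aws s3api get-object-lock-configuration --bucket <name>
  aws s3api get-bucket-versioning --bucket <name>
Run stand-alone to print findings for two constructed sample exports.
"""
import json

# Policy threshold: an assumption for this example, not a value from the control text.
MIN_RETENTION_DAYS = 90


def retention_days(default_retention):
    """Convert a DefaultRetention block ({"Days": n} or {"Years": n}) to days."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def evaluate_bucket(lock_config_json, versioning_json, min_days=MIN_RETENTION_DAYS):
    """Return a list of finding strings; an empty list means the bucket meets policy."""
    findings = []
    lock = json.loads(lock_config_json).get("ObjectLockConfiguration", {})
    versioning = json.loads(versioning_json)

    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled")
        return findings  # no retention setting is meaningful without Object Lock

    rule = lock.get("Rule", {}).get("DefaultRetention")
    if rule is None:
        findings.append("no default retention rule: new versions are only locked "
                        "if the writer sets retention per object")
    else:
        mode = rule.get("Mode")
        if mode != "COMPLIANCE":
            findings.append(f"retention mode is {mode}: GOVERNANCE retention can be "
                            "bypassed by principals holding s3:BypassGovernanceRetention")
        days = retention_days(rule)
        if days < min_days:
            findings.append(f"default retention {days}d is shorter than required {min_days}d")

    # Object Lock requires versioning; this is a consistency check on the export.
    if versioning.get("Status") != "Enabled":
        findings.append("bucket versioning not enabled")
    # MFADelete is absent from the export when it has never been configured.
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled: version deletion needs no second factor")
    return findings


# Constructed sample exports (no real buckets or accounts).
COMPLIANT_LOCK = json.dumps({"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}})
COMPLIANT_VERSIONING = json.dumps({"Status": "Enabled", "MFADelete": "Enabled"})

WEAK_LOCK = json.dumps({"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}})
WEAK_VERSIONING = json.dumps({"Status": "Enabled"})


if __name__ == "__main__":
    for name, lock, ver in (("compliant-bucket", COMPLIANT_LOCK, COMPLIANT_VERSIONING),
                            ("weak-bucket", WEAK_LOCK, WEAK_VERSIONING)):
        result = evaluate_bucket(lock, ver)
        print(name, "OK" if not result else "")
        for finding in result:
            print("  -", finding)
```

Feed the script the real exports collected during the audit; a non-empty finding list for any repository in the offline/immutable inventory is a deviation to record against the change-management review in the last step. The script does not inspect individual object versions, so pair it with a spot check of `aws s3api get-object-retention` on the oldest backup versions to confirm that copies written before the default rule was applied are also locked.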
Where this control is tested