Tier-1 systems backed up daily
Demonstrate that all systems classified as Tier-1 undergo daily automated backup operations that complete successfully and produce restorable backup sets.
Description
What this control does
This control ensures that systems designated as Tier-1 (typically mission-critical production systems, customer-facing services, or systems containing sensitive data) undergo automated backup operations at least once every 24 hours. Backups must complete successfully, be stored in accordance with data classification requirements, and be verifiable for restoration purposes. This control is fundamental to business continuity and disaster recovery capabilities, as daily backups minimize potential data loss to a maximum of one business day's transactions in the event of system failure, ransomware attack, or data corruption.
Control objective
What auditing this proves
Demonstrate that all systems classified as Tier-1 undergo daily automated backup operations that complete successfully and produce restorable backup sets.
Associated risks
Risks this control addresses
- Ransomware encryption of production systems without recent clean backup copies, forcing payment or permanent data loss
- Hardware failure or storage corruption resulting in loss of multiple days or weeks of critical business data and transactions
- Insider threat or malicious deletion of production data without point-in-time recovery capability
- Extended recovery time objectives (RTO) exceeding business requirements due to outdated or incomplete backup sets
- Regulatory non-compliance and potential fines due to inability to restore customer data or audit trails within mandated timeframes
- Cascading business disruption when downstream systems cannot synchronize with restored data due to excessive temporal gaps
- Legal liability from loss of electronic records required for litigation hold or regulatory investigation
Testing procedure
How an auditor verifies this control
- Obtain the organization's current Tier-1 system inventory or classification register identifying all systems subject to daily backup requirements.
- Review the backup policy documentation to confirm daily backup frequency requirements and success criteria for Tier-1 systems.
- Access the backup management console or centralized monitoring platform and export the backup schedule configuration for all Tier-1 systems.
- Select a representative sample of Tier-1 systems spanning different platforms, data types, and business functions (minimum 10 systems or 20% of population, whichever is greater).
- For each sampled system, extract backup job logs covering the most recent 30-day period, noting job execution times, completion status, data volumes, and any reported errors.
- Verify that each sampled system shows backup jobs executed within every consecutive 24-hour period without gaps exceeding one calendar day.
- Review automated alerting configurations to confirm that backup failures for Tier-1 systems trigger immediate notifications to operations or infrastructure teams.
- Request evidence of at least one restore test performed within the past 90 days for a sampled Tier-1 system to validate backup integrity and recoverability.
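One way to automate the 30-day log review and the gap check in the steps above (extract job logs, keep only successful runs, confirm no two consecutive successes are more than a day apart, and flag inventory systems with no evidence at all). This is an added example written for this page, not a tool or export format from any backup product; the comma-separated log layout, the sample job lines, the Tier-1 inventory names and the one-hour scheduling tolerance on top of the 24-hour requirement are all constructed assumptions.

```python
"""Gap check over backup job logs for Tier-1 systems (added example).

Reads exported job lines, keeps only successful jobs, and reports every
consecutive pair of successes more than MAX_GAP apart for each system in
the Tier-1 inventory. The period edges count too, so a system whose last
success is days before the end of the review window, or that never
appears in the export, is reported as non-compliant.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export (assumed layout): finish time in UTC, system,
# job status, bytes written. Not a real product's format.
SAMPLE_LOG = """\
2024-05-01T02:10:00Z,db-prod-01,SUCCESS,549755813888
2024-05-02T02:12:00Z,db-prod-01,SUCCESS,551903297536
2024-05-03T02:09:00Z,db-prod-01,SUCCESS,553050873856
2024-05-01T03:00:00Z,app-prod-02,SUCCESS,107374182400
2024-05-02T03:01:00Z,app-prod-02,FAILED,0
2024-05-03T03:00:00Z,app-prod-02,SUCCESS,108447924224
2024-05-01T01:00:00Z,legacy-07,SUCCESS,32212254720
"""

# Constructed Tier-1 register; erp-prod-03 deliberately has no log lines.
TIER1_INVENTORY = ["db-prod-01", "app-prod-02", "legacy-07", "erp-prod-03"]

# Review window for the sample (a real review would cover 30 days).
PERIOD_START = datetime(2024, 5, 1, 0, 0, tzinfo=timezone.utc)
PERIOD_END = datetime(2024, 5, 3, 23, 59, 59, tzinfo=timezone.utc)

# Daily requirement plus an assumed one hour of scheduling drift, so a job
# that usually finishes at 02:10 and slips to 02:12 is not a gap.
MAX_GAP = timedelta(hours=24) + timedelta(hours=1)


@dataclass(frozen=True)
class BackupJob:
    finished: datetime
    system: str
    status: str
    size_bytes: int


def parse_log(text: str) -> list[BackupJob]:
    """Parse the constructed CSV-like export into BackupJob records."""
    jobs: list[BackupJob] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        ts, system, status, size = fields
        finished = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        jobs.append(BackupJob(finished, system.strip(), status.strip().upper(), int(size)))
    return jobs


def find_gaps(jobs, system, period_start, period_end, max_gap=MAX_GAP):
    """Return (from, to) pairs where successful backups are more than max_gap apart.

    Only SUCCESS jobs count as coverage; a FAILED run is a missing day.
    The window edges are included so trailing or total absence is caught.
    """
    successes = sorted(
        j.finished for j in jobs
        if j.system == system and j.status == "SUCCESS"
        and period_start <= j.finished <= period_end
    )
    points = [period_start] + successes + [period_end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]


def assess_tier1(inventory, jobs, period_start, period_end, max_gap=MAX_GAP):
    """Per-system verdict: compliant only when no gap exceeds max_gap."""
    report = {}
    for system in inventory:
        own = [j for j in jobs if j.system == system and period_start <= j.finished <= period_end]
        gaps = find_gaps(jobs, system, period_start, period_end, max_gap)
        report[system] = {
            "compliant": not gaps,
            "gaps": gaps,
            "successes": sum(1 for j in own if j.status == "SUCCESS"),
            "failed_jobs": sum(1 for j in own if j.status != "SUCCESS"),
        }
    return report


def format_report(report) -> str:
    """Render the verdicts as one line per system for the working papers."""
    lines = []
    for system, r in report.items():
        verdict = "PASS" if r["compliant"] else "FAIL"
        gap_text = "; ".join(f"{a.isoformat()} -> {b.isoformat()}" for a, b in r["gaps"]) or "-"
        lines.append(f"{system:12} {verdict} successes={r['successes']} failed={r['failed_jobs']} gaps={gap_text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess_tier1(TIER1_INVENTORY, parse_log(SAMPLE_LOG), PERIOD_START, PERIOD_END)))
```

Run against the sample, db-prod-01 passes, app-prod-02 fails because its failed run on 2 May leaves 48 hours between successes, legacy-07 fails because nothing follows its 1 May job, and erp-prod-03 fails because the export contains no evidence for it at all; the last case is the one a manual review of only the exported rows tends to miss.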
Where this control is tested