Annex A · Technological Control

A.8.13 — Information Backup

4 min read · Reviewed by: Cenedril Editorial
Tags: A.8.13 · ISO 27001 · ISO 27002 · BSI CON.3

Backups ran every night for two years without a single issue. Then ransomware hit. The IT team discovered that backup tapes had never been tested — and the restore failed because the backup software version on the recovery server was incompatible with the tape format. A.8.13 requires tested, documented and protected backup procedures that actually work when you need them.

A backup that has never been tested is a hope, not a control. This control demands that organizations define backup policies, implement them consistently and verify recoverability through regular testing.

What does the standard require?

  • Define a backup policy. Specify backup frequency, scope, retention period, storage location and protection measures for each system category.
  • Align with business requirements. Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) drive backup frequency and method.
  • Encrypt backups. Protect backup data against unauthorized access using encryption.
  • Store backups offsite. Maintain at least one backup copy at a separate location to survive site-level disasters.
  • Test restores regularly. Verify that backups can be restored successfully — test the full restore process, measure time and validate data integrity.
  • Include all critical data. For critical systems, backups must contain everything needed for a complete system recovery.

In practice

Define RPO and RTO per system. Work with business owners to establish acceptable data loss (RPO) and recovery time (RTO). A financial system might need RPO of 1 hour and RTO of 4 hours; a development server might tolerate RPO of 24 hours and RTO of 48 hours.

Implement immutable backups. Modern ransomware targets backup systems. Use immutable storage (WORM — Write Once Read Many) or air-gapped offline backups that cannot be modified or deleted by an attacker who has compromised the production environment.

Automate backup monitoring. Every backup job should be monitored for success or failure. Failed backups must generate immediate alerts. A backup that silently fails for weeks leaves you unprotected.

Schedule restore tests. Put restore tests on the calendar — quarterly for critical systems, annually for everything else. Document the test: what was restored, how long it took, whether data integrity was verified, any issues encountered.

Typical audit evidence

Auditors typically expect the following evidence for A.8.13:

  • Backup policy — documented strategy including RPO, RTO and retention (see IT Operations Policy in the Starter Kit)
  • Backup job logs — evidence of successful backup execution
  • Restore test records — documented test results including timing and data verification
  • Offsite storage documentation — evidence of offsite or cloud backup storage
  • Encryption configuration — evidence that backups are encrypted

KPI

Percentage of critical systems with documented backups and tested restore procedures

Measured as a percentage: how many critical systems have both an active backup schedule and a restore test completed within the last 12 months? Target: 100%.

Supplementary KPIs:

  • Backup success rate over the last 30 days (target: above 99%)
  • Mean time to restore from backup (compared against RTO targets)
  • Percentage of backups stored offsite or in immutable storage
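The monitoring rule from the "In practice" section (a job that silently fails leaves you unprotected) and the headline KPI above can both be computed from the same two inputs: the backup job log and the per-system inventory of RPO and last restore test. The following is an added illustration, not code from this page or from any backup product; the log format, the inventory fields and all sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed backup job log (one line per job run; not from any real product)
JOB_LOG = """\
2024-05-01T01:05:00 finance-db backup OK
2024-05-02T01:06:00 finance-db backup OK
2024-05-02T02:00:00 dev-server backup OK
2024-05-03T01:04:00 finance-db backup FAILED tape-write-error
2024-05-03T02:00:00 dev-server backup OK
""".splitlines()

# Constructed inventory: RPO per system (hours) and date of the last documented restore test
SYSTEMS = {
    "finance-db": {"rpo_h": 1, "last_restore_test": "2024-03-15"},
    "dev-server": {"rpo_h": 24, "last_restore_test": "2023-04-01"},
    "hr-app": {"rpo_h": 4, "last_restore_test": None},  # never tested, never backed up
}
NOW = datetime(2024, 5, 3, 12, 0)  # evaluation time for the constructed sample


def latest_success(lines):
    """Map each system to the timestamp of its most recent successful backup job."""
    latest = {}
    for line in lines:
        ts, system, _, status, *_ = line.split()
        if status == "OK":
            t = datetime.fromisoformat(ts)
            latest[system] = max(t, latest.get(system, t))
    return latest


def rpo_breaches(systems, lines, now=NOW):
    """Systems whose newest good backup is older than their RPO: the silent-failure alert."""
    latest = latest_success(lines)
    return sorted(name for name, s in systems.items()
                  if name not in latest or now - latest[name] > timedelta(hours=s["rpo_h"]))


def restore_kpi(systems, lines, now=NOW):
    """Percentage of systems with a successful backup AND a restore test in the last 12 months."""
    latest = latest_success(lines)
    compliant = sum(
        1 for name, s in systems.items()
        if name in latest and s["last_restore_test"] is not None
        and now - datetime.fromisoformat(s["last_restore_test"]) <= timedelta(days=365))
    return round(100 * compliant / len(systems), 1)
```

In the sample, finance-db is flagged even though it has two good backups, because its last success is older than its one-hour RPO; hr-app is flagged because it has no successful job at all, which is exactly the case a success-only dashboard never shows.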

BSI IT-Grundschutz

A.8.13 maps to BSI modules for backup and data protection:

  • CON.3 (Data Backup Concept) — the core module. Requires a documented backup concept defining what is backed up, how often, where and how long backups are retained. Mandates regular restore tests.
  • CON.1 (Crypto Concept) — encryption requirements for backup data.

Frequently asked questions

How often should we test restore procedures?

At least annually for all critical systems. Quarterly tests are recommended for the most critical data. The test should include a full restore to a separate environment, verifying data integrity and measuring recovery time.

Is cloud data automatically backed up?

Not necessarily. SaaS platforms (Microsoft 365, Google Workspace) have limited built-in retention. A deleted mailbox or SharePoint site may be irrecoverable after 30-90 days. Evaluate your cloud provider's backup capabilities and supplement with third-party backup solutions where needed.

Should backups be encrypted?

Yes. Backup media — whether tapes, disks or cloud storage — often leave the controlled environment. Encryption protects against unauthorized access if backup media are lost, stolen or improperly disposed of.