ISO 27001:2022 Annex A 8.13 is a corrective control that ensures that risks are maintained by implementing policies that enable timely recovery from loss of data and/or interruptions in systems.
It is imperative that an organisation’s backup operation includes a wide range of efforts that improve resilience and protect against business loss by setting up a robust and tightly managed set of backup jobs, with adequate retention levels and agreed-upon recovery times, using dedicated software and utilities.
Annex A 8.13 advocates for topic-specific backup approaches that include bespoke processes for each topic and take into account the types of data (and risk levels) that organisations process and access.
ISO 27001:2022 Annex A 8.13 outlines how technical support staff involved in maintaining an organisation’s network should handle daily backup operations.
Therefore, Annex A 8.13 should be owned by the person in charge of the organisation’s day-to-day ICT operations or the person who oversees an outsourced ICT contract.
It is essential for organisations to draft topic-specific policies that specifically address how they protect their network’s relevant areas.
All business-critical data, software, and systems should have backup facilities in place to ensure they can be recovered following the below events:
Backup plans created in accordance with Annex A 8.13 should aim to:
ISO 27001:2022 Annex A 8.13 replaces ISO 27001:2013 Annex A 12.3.1 (Information backup).
Annex A 8.13 maintains the same operational standards as its 2013 counterpart, with additional guidance in the following areas:
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Organisational Controls | Annex A 5.1 | Annex A 5.1.1 Annex A 5.1.2 | Policies for Information Security |
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
Organisational Controls | Annex A 5.8 | Annex A 6.1.5 Annex A 14.1.1 | Information Security in Project Management |
Organisational Controls | Annex A 5.9 | Annex A 8.1.1 Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
Organisational Controls | Annex A 5.10 | Annex A 8.1.3 Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
Organisational Controls | Annex A 5.14 | Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 | Information Transfer |
Organisational Controls | Annex A 5.15 | Annex A 9.1.1 Annex A 9.1.2 | Access Control |
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
Organisational Controls | Annex A 5.17 | Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 | Authentication Information |
Organisational Controls | Annex A 5.18 | Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 | Access Rights |
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
Organisational Controls | Annex A 5.22 | Annex A 15.2.1 Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
Organisational Controls | Annex A 5.29 | Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 | Information Security During Disruption |
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
Organisational Controls | Annex A 5.31 | Annex A 18.1.1 Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
Organisational Controls | Annex A 5.36 | Annex A 18.2.2 Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
People Controls | Annex A 6.8 | Annex A 16.1.2 Annex A 16.1.3 | Information Security Event Reporting |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
Physical Controls | Annex A 7.2 | Annex A 11.1.2 Annex A 11.1.6 | Physical Entry |
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
Physical Controls | Annex A 7.10 | Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 | Storage Media |
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Technological Controls | Annex A 8.1 | Annex A 6.2.1 Annex A 11.2.8 | User Endpoint Devices |
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
Technological Controls | Annex A 8.8 | Annex A 12.6.1 Annex A 18.2.3 | Management of Technical Vulnerabilities |
Technological Controls | Annex A 8.9 | NEW | Configuration Management |
Technological Controls | Annex A 8.10 | NEW | Information Deletion |
Technological Controls | Annex A 8.11 | NEW | Data Masking |
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
Technological Controls | Annex A 8.15 | Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 | Logging |
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
Technological Controls | Annex A 8.19 | Annex A 12.5.1 Annex A 12.6.2 | Installation of Software on Operational Systems |
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
Technological Controls | Annex A 8.23 | NEW | Web filtering |
Technological Controls | Annex A 8.24 | Annex A 10.1.1 Annex A 10.1.2 | Use of Cryptography |
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
Technological Controls | Annex A 8.26 | Annex A 14.1.2 Annex A 14.1.3 | Application Security Requirements |
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
Technological Controls | Annex A 8.28 | NEW | Secure Coding |
Technological Controls | Annex A 8.29 | Annex A 14.2.8 Annex A 14.2.9 | Security Testing in Development and Acceptance |
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
Technological Controls | Annex A 8.31 | Annex A 12.1.4 Annex A 14.2.6 | Separation of Development, Test and Production Environments |
Technological Controls | Annex A 8.32 | Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 | Change Management |
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
ISMS.online provides a management dashboard, reports, and audit logs to help you demonstrate compliance with ISO 27001 standards.
Our cloud-based platform features include the following:
ISMS.online has all of these features and more. Get in touch today to book a short demo.
We felt like we had
the best of both worlds. We were
able to use our
existing processes,
& the Adopt, Adapt
content gave us new
depth to our ISMS.