Article | 13 February 2026
ISO 27001 and Data Backup: What Control 8.13 Concretely Demands
1. What Is ISO/IEC 27001 and What Changed in 2022? #
ISO/IEC 27001 is an internationally recognised standard for Information Security Management Systems (ISMS). It specifies how organisations systematically identify, assess, and treat information security risks. Certification is carried out by accredited certification bodies; accreditation is handled by the national accreditation body of each country (in Germany, for example, DAkkS).
The current version ISO/IEC 27001:2022 replaces the previous 2013 version. The most significant content change concerns Annex A: the controls were consolidated from 114 to 93 and structured into four thematic areas:
- 5. Organisational controls: policies, roles, supplier relationships
- 6. People controls: employee awareness, training, background checks
- 7. Physical controls: physical access security, device disposal
- 8. Technological controls: access control, encryption, backup, monitoring
Backup and archiving are anchored in area 8 (technological controls). Organisations with an existing 2013 certification had to transition to the 2022 version by October 2025; the 2013 version is no longer valid for certification.
Certification Cycle #
- Initial certification by an accredited certification body
- Annual surveillance audits
- Full recertification every 3 years
2. The Backup-Relevant Controls in Detail #
ISO/IEC 27001:2022 contains several controls that directly or indirectly relate to backup and archiving. The most important ones:
Control 8.13 “Information backup” #
Control 8.13 is the core of the backup requirements. It requires that backup copies of information, software, and systems are created, regularly tested, and retained in accordance with a backup policy.
Specifically, Control 8.13 requires:
- A documented backup policy specifying scope, frequency, retention periods, and storage locations
- Regular tests of restorability (restore tests) that are documented
- Protection of backup data against unauthorised access and manipulation
- Retention of offline copies or offsite copies for critical data
- Consideration of retention periods arising from legal or regulatory requirements
A common error in practice: backup processes have been running for years, but restore tests are missing or not documented. Control 8.13 is unambiguous on this point. Restorability must be demonstrated, not just the execution of the backup.
Control 8.10 “Information deletion” #
Control 8.10 governs the deletion of information after its retention period has expired. This expressly applies to backup copies as well. Retaining personal data in backups longer than necessary simultaneously violates the GDPR.
For backup architecture, this means: retention periods must be defined per data category and technically enforceable. Systems that do not support granular expiry management make compliance considerably more difficult.
Control 8.12 “Data leakage prevention” #
Backup data is a preferred target for data leaks because it is often less strictly secured than production systems. Control 8.12 requires measures that prevent unauthorised disclosure of information. This expressly includes backup environments.
Encryption of backup data (at rest and in transit) and access logging are typical measures that auditors check here.
Control 5.29 “Information security during disruption” #
Control 5.29 establishes the connection to business continuity. Information security must be maintained even in disruption situations. For this, backup and recovery plans must not only exist but must also be tested and integrated into existing business continuity management.
3. What Auditors Actually Check During ISO 27001 Audits #
Auditors follow a predictable audit logic for backup controls. Knowing what is checked enables targeted preparation.
The Five Central Audit Points #
1. Backup policy present and current? The policy must be documented, approved, and known to the relevant employees. A policy from 2018 that has never been updated is an immediate finding.
2. Restore tests documented? Auditors typically require evidence of the most recent restore tests: date, tested systems, result, responsible person. If this documentation is missing, it is a Major Nonconformity.
3. Backup data encrypted? Both local and external backup copies. With unencrypted backup media leaving the building, a finding is almost certain.
4. Offline copies for critical data? Control 8.13 explicitly requires offline or offsite copies for critical systems. Purely network-based backup environments without a physically separated copy are considered insufficient for critical data.
5. Access controls on backup systems? Who is authorised to create, change, or delete backups? Auditors check whether the four-eyes principle applies and whether activities are logged.
Typical Finding Categories #
- Major Nonconformity (certification at risk): for example, no documented restore tests for over 12 months
- Minor Nonconformity (corrective action required): for example, backup policy not formally approved
- Observation (improvement recommendation): for example, restore tests not conducted for all critical systems
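To make the requirements of Controls 8.13, 8.10 and 8.12 and the five audit points above concrete, here is a small self-assessment script that runs over a backup inventory and classifies what it finds into the three finding categories. This is example code added to this article; it is not FAST LTA software and not part of the standard. The data model, the one-year thresholds, the retention periods per data category, the severities not given in the text (missing offline copy, over-retention, undefined retention) and the sample inventory are all constructed assumptions.

```python
"""Self-assessment of a backup inventory against the backup-relevant
ISO/IEC 27001:2022 controls discussed in the article:
  8.13 restore tests documented and recent, offline copy for critical data
  8.12 backup copies encrypted
  8.10 copies deleted once their retention period has expired
Added example; thresholds, categories and severities beyond those the
article names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Finding categories as the article describes them.
MAJOR = "Major Nonconformity"
MINOR = "Minor Nonconformity"
OBSERVATION = "Observation"

# Assumed policy parameters: retention per data category (days), and the
# maximum age of a restore test / policy approval before it counts as stale.
RETENTION_DAYS = {"financial": 10 * 365, "hr": 3 * 365, "logs": 365}
MAX_RESTORE_TEST_AGE = timedelta(days=365)
MAX_POLICY_AGE = timedelta(days=365)


@dataclass
class BackupCopy:
    system: str
    category: str
    created: date
    encrypted: bool
    offline: bool                       # air-gapped or physically separated copy
    last_restore_test: Optional[date]   # None = never tested or not documented
    critical: bool = False


@dataclass
class Finding:
    severity: str
    control: str
    system: str
    message: str


def assess(copies: list[BackupCopy], policy_approved: date, today: date) -> list[Finding]:
    """Return the findings an auditor would raise for this inventory."""
    findings: list[Finding] = []
    # Audit point 1: backup policy approved and current (assumed: one year).
    if today - policy_approved > MAX_POLICY_AGE:
        findings.append(Finding(MINOR, "8.13", "policy", "backup policy older than one year"))
    for c in copies:
        # Audit point 2 / Control 8.13: restore test documented and < 12 months old.
        if c.last_restore_test is None:
            findings.append(Finding(MAJOR, "8.13", c.system, "no documented restore test"))
        elif today - c.last_restore_test > MAX_RESTORE_TEST_AGE:
            findings.append(Finding(MAJOR, "8.13", c.system, "restore test older than 12 months"))
        # Audit point 3 / Control 8.12: copy encrypted at rest.
        if not c.encrypted:
            findings.append(Finding(MAJOR, "8.12", c.system, "backup copy not encrypted"))
        # Audit point 4 / Control 8.13: offline copy for critical data (assumed: Minor).
        if c.critical and not c.offline:
            findings.append(Finding(MINOR, "8.13", c.system, "no offline/offsite copy for critical system"))
        # Control 8.10: retention per category must be defined and enforced.
        retention = RETENTION_DAYS.get(c.category)
        if retention is None:
            findings.append(Finding(OBSERVATION, "8.10", c.system,
                                    f"no retention period defined for category {c.category!r}"))
        elif today - c.created > timedelta(days=retention):
            findings.append(Finding(MINOR, "8.10", c.system, "retained beyond retention period; deletion due"))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per category; any Major puts certification at risk."""
    counts: dict = {MAJOR: 0, MINOR: 0, OBSERVATION: 0}
    for f in findings:
        counts[f.severity] += 1
    counts["certification_at_risk"] = counts[MAJOR] > 0
    return counts


# Constructed sample inventory (not real systems); assessment date = article date.
TODAY = date(2026, 2, 13)
POLICY_APPROVED = date(2025, 6, 1)
OLD_POLICY_APPROVED = date(2024, 1, 1)
SAMPLE_INVENTORY = [
    BackupCopy("erp-db", "financial", date(2025, 12, 1), True, True, date(2026, 1, 20), critical=True),
    BackupCopy("hr-fileshare", "hr", date(2022, 1, 15), True, False, date(2024, 11, 3), critical=True),
    BackupCopy("web-logs", "logs", date(2024, 10, 1), False, False, None),
    BackupCopy("dev-vm", "test", date(2026, 1, 5), True, False, date(2026, 2, 1)),
]


def run_sample() -> list[Finding]:
    return assess(SAMPLE_INVENTORY, POLICY_APPROVED, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:22} control {f.control:5} {f.system:14} {f.message}")
    print(summarize(run_sample()))
```

Run as a script, the sample inventory yields three Major findings (a stale restore test, a missing restore test, an unencrypted copy), three Minor findings (missing offline copy for a critical system, two copies past their retention period) and one Observation (a category with no retention defined); only the ERP copy passes cleanly. The point of the exercise is the one the article makes: the inventory has to carry the restore-test date, the encryption state and the retention category for every copy, otherwise the evidence the auditor asks for cannot be produced.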
4. ISO 27001: On-Premises vs. Cloud in the Backup Environment #
ISO/IEC 27001 does not prescribe any technology. The standard is technology-neutral. Nevertheless, the choice between on-premises backup and cloud backup has significant implications for audit documentation.
Controllability and Audit Documentation #
On-premises environments provide full control over configuration, access logging, and encryption. All documentation required for the audit can be exported directly from your own systems. No dependency on an external provider’s support process, no questions about data storage in third countries.
With cloud-based backup solutions, a division of responsibility arises. The cloud provider is responsible for the infrastructure, the customer for the configuration. In this case, auditors also check the supplier relationship (Control 5.19 ff.) and require corresponding contractual evidence.
Shared Responsibility in the Audit Context #
- Encryption documentation: on-premises directly from your own system; cloud from provider statements or configuration exports
- Access logging: on-premises fully self-controlled; cloud dependent on provider APIs and logs
- Geo-redundancy and offsite copies: on-premises requires your own planning; cloud often integrated, but still subject to documentation
- Data deletion (Control 8.10): on-premises fully controllable; cloud dependent on provider guarantees
- Third-country legal access (for example the US CLOUD Act): on-premises not relevant; cloud must be assessed and documented
Cloud backup is possible under ISO 27001 but requires more documentation effort around the supplier relationship and risk treatment. For many organisations, particularly in the public sector and regulated industries, on-premises is the more straightforward choice for audit documentation, and the sounder primary strategy for critical data.
5. FAST LTA and ISO 27001: How Silent Bricks and Silent Cubes Support the Controls #
FAST LTA offers two product systems that make concrete technical contributions to fulfilling the backup-relevant ISO 27001 controls.
Silent Brick System and Control 8.13 #
The Silent Brick System is a modular on-premises secondary storage system for backup. It supports all common backup protocols (NFS, SMB, S3, iSCSI, VTL) and is compatible with Veeam, Commvault, Veritas, and other leading backup solutions.
Two specific properties are relevant for Control 8.13:
Air gap in two variants:
- Silent Brick Pro: the storage module is physically removable from the slot of the Controller X. When removed, there is complete network separation. Reactivation always requires manual intervention. This corresponds to what Control 8.13 means by an offline copy for critical data.
- Silent Brick Max Air: galvanic separation of the built-in storage media while the device remains installed. The separation is lifted either manually via a button on the device or automatically after a defined time (air gap mode, for example for media rotation). Two units in rotation enable fully automated air gap strategies without manual media changes.
Both variants can be combined and operated in parallel with immutability.
Silent Cubes and Controls 8.13 / 8.10 #
Silent Cubes are a
Relevant for ISO 27001:
- Control 8.13: Silent Cubes structurally fulfil the requirement for protection against unauthorised access and manipulation. The immutability is not a configurable feature that can be reversed.
- Control 8.10: retention periods are defined and enforced at system level. Deletion is possible after the period expires, not before.
- Integrity verification: Silent Cubes perform automatic integrity checks on stored data, which technically supports the requirement for restore verification.
Both systems are on-premises appliances without cloud dependency, developed, manufactured, and supported in Germany.
6. ISO 27001 in Conjunction with NIS2, DORA, and National Frameworks #
ISO 27001 does not stand alone. Organisations that must fulfil
ISO 27001 and NIS2 #
The
An existing ISO 27001 certification structurally covers the majority of the
ISO 27001 and DORA #
The
ISO 27001 provides the formal framework for risk management. Organisations already certified have the structural foundation for
National Frameworks: BSI IT-Grundschutz as a German Example #
Several member states maintain national security frameworks alongside ISO 27001. In Germany, for example,
Are you working toward ISO 27001 certification or preparing for a surveillance audit?
The requirements for data backup are technically solvable. What matters is that the chosen infrastructure supports the necessary documentation: immutability, air gap, restore tests, access logging.
Summary #
ISO/IEC 27001:2022 sets concrete, verifiable requirements for backup and archiving. Control 8.13 requires not just the existence of backups, but documented restore tests, a current backup policy, encryption, and offline copies for critical data.
Auditors check these points consistently. Organisations that have built their backup infrastructure with compliance in mind pass audits without surprises. Those that treat backup as a purely technical task regularly encounter Major Nonconformities around missing restore documentation and insufficient offline copies.
On-premises systems with hardware-level immutability and physical air gap capability structurally cover the core requirements of Control 8.13. They also simplify audit documentation because all relevant configuration evidence comes from your own environment.
Further Resources #
GDPR
The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).
Business Continuity Management
Business Continuity Management (BCM) is the organizational framework that ensures critical business processes can be maintained or restored within defined timeframes even during severe IT failures, cyber attacks or other crises.
Immutable Storage
Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
DORA
DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.
NIS2
The NIS2 Directive (EU 2022/2555) is an EU regulation that obliges essential and important entities to implement specific cybersecurity measures — including demonstrable backup management, crisis management and reporting obligations — with personal liability for management bodies in case of non-compliance.
BSI IT-Grundschutz
The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.
IT Resilience
IT resilience is the ability of an IT infrastructure to remain functional under adverse conditions — from cyber attacks through hardware failures to natural disasters — or to restore functionality within a defined timeframe so that critical business processes are maintained.
Air Gap
An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.
US CLOUD Act
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU.