Essential Eight · Control 8
8. Regular Backups
Back up important data, test restore processes, and protect backups from ransomware.
Why this matters
Untested backups are not backups. The most common backup failure in Australian incidents is discovering, mid-incident, that nothing has ever been restored from the chosen system.
Maturity-level breakdown
Maturity Level 1
Backups of important data, software, and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. Backups are synchronised to enable restoration to a common point in time. Backups are retained in a secure and resilient manner.
Maturity Level 2
Restoration of important data, software, and configuration settings from backups to a common point in time is tested at least annually. Unprivileged users cannot access backups belonging to other accounts. Unprivileged users cannot modify or delete backups.
Maturity Level 3
Restoration of important data, software, and configuration settings from backups to a common point in time is tested as part of disaster-recovery exercises. Privileged users (except backup administrators) cannot access, modify, or delete backups.
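The ML2 requirement above, restoring a backup set to a common point in time and proving the restore worked, can be scripted. The following is an added illustration (not ACSC guidance and not a tool this page describes): it snapshots data, software and configuration files under one snapshot id, writes a hash manifest, then performs a test restore that fails if any file is missing or no longer matches its recorded hash. File names, contents and the snapshot id are constructed for the example.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Content hash recorded at backup time and re-checked at restore time."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def create_backup(source: Path, backup_root: Path, snapshot_id: str) -> Path:
    """Copy every file under source into one snapshot and write a manifest
    binding all of them to a single snapshot id (the common point in time)."""
    snap, files = backup_root / snapshot_id, {}
    for p in sorted(q for q in source.rglob("*") if q.is_file()):
        rel = p.relative_to(source).as_posix()
        (snap / "data" / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, snap / "data" / rel)
        files[rel] = sha256_of(p)
    (snap / "manifest.json").write_text(json.dumps({"snapshot_id": snapshot_id, "files": files}))
    return snap

def restore_and_verify(snap: Path, restore_to: Path) -> dict:
    """Restore a snapshot to scratch space and check each restored file against
    the manifest. ok is True only when nothing is missing or altered."""
    manifest = json.loads((snap / "manifest.json").read_text())
    missing, mismatched = [], []
    for rel, expected in manifest["files"].items():
        src, dst = snap / "data" / rel, restore_to / rel
        if not src.exists():
            missing.append(rel)
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_of(dst) != expected:
            mismatched.append(rel)
    return {"snapshot_id": manifest["snapshot_id"], "missing": missing,
            "mismatched": mismatched, "ok": not missing and not mismatched}

def demo() -> tuple:
    """Constructed sample: back up, run a restore test, then damage one file in
    the backup copy (simulated corruption) and show the re-test failing."""
    root = Path(tempfile.mkdtemp())
    sample = {"data/orders.csv": b"id,amount\n1,10\n", "software/app.bin": b"\x7fELF",
              "config/app.ini": b"[db]\nhost=db01\n"}
    for rel, body in sample.items():
        (root / "live" / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / "live" / rel).write_bytes(body)
    snap = create_backup(root / "live", root / "backups", "2024-05-01_0200Z")
    clean = restore_and_verify(snap, root / "restore-test-1")
    (snap / "data" / "config" / "app.ini").write_bytes(b"corrupted")
    damaged = restore_and_verify(snap, root / "restore-test-2")
    shutil.rmtree(root, ignore_errors=True)
    return clean, damaged
```

A real restore test should also record the result (snapshot id, date, who ran it, outcome) so the annual or DR-exercise evidence required at ML2/ML3 exists when an assessor asks for it.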
Common gaps we see at ML2 assessments
- Backups never tested for restorability
- No defined RTO/RPO for business-critical systems
- SharePoint/OneDrive recycle bin used as the sole backup strategy