What the auditor wants to verify
Audit objective
Verify that backups of information, software, and systems are maintained, protected, and regularly tested according to backup policy and recovery needs.
Evidence to request
| Evidence | Purpose |
|---|---|
| Backup policy and schedule | Shows rules and frequency are defined |
| Backup scope/register | Shows critical assets are included |
| Backup job logs | Shows backups run and failures are visible |
| Restore test records | Shows recovery works |
| Backup encryption/access records | Shows backup data is protected |
| Off-site/immutable storage evidence | Shows backups can survive local incidents |
| Archive recovery evidence | Shows long-term records remain readable |
| Corrective action records | Shows backup failures are addressed |
Strong evidence
- Backup scope maps to critical information, systems, and software.
- Frequency aligns with risk and continuity requirements.
- Restore tests are documented and successful.
- Backup failures are investigated.
- Backup data is encrypted or access-controlled.
- Long-term archives remain recoverable.
Weak evidence
- Backup job success is shown but no restore testing exists.
- Critical systems are missing from backup scope.
- Backups are stored beside original systems.
- Backups are not protected like original data.
- Archive media/software/key dependencies are unknown.
Sample interview questions
- What is included in backup scope?
- How often are backups made?
- How do you know restores work?
- What happens if a backup job fails?
- Where are backups stored and how are they protected?
- How do you recover long-term archives?
Common nonconformities
- No restore test evidence.
- Backup scope incomplete.
- Backup failures not acted on.
- Backups not encrypted or access-controlled.
- Long-term archives unreadable.
- Backup arrangements do not match continuity requirements.
Related notes
- Audit
- Evidence
- A8 13
- Iso27001
Note Metadata
Aliases: A.8.13 Evidence
Source: 04 Audit Evidence Packs/A.8.13 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.13 - Information Backup
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.13 Information Backup
- A.8.13 Audit Checklist
- Backup and Restore Test Record
- Backup Policy and Schedule
- Backup Scope and Coverage Register
- Long-Term Archive Recoverability Checklist
- Audit Evidence Index