
Backup & Recovery

Protect (PR)

Maintain and test backups of critical data and systems.

9 of 9 frameworks cover this control

Framework Mappings

How Backup & Recovery maps to each of the 6 cybersecurity frameworks tracked by ControlMap.

Framework | Status | Control IDs
NIST CSF 2.0 | Covered | PR.DS-11
ISO 27001 | Covered | A.8.13
CIS v8 | Covered | CIS 11.1, CIS 11.2, CIS 11.4
SOC 2 | Covered | A1.2, CC7.5
PCI DSS | Covered | 9.4.5.1
CMMC | Covered | RE.L2-3.8.9
800-53 | Covered | CP-9, CP-10
HIPAA | Covered | §164.308(a)(7)(ii)(A), §164.310(d)(2)(iv)
GDPR | Covered | Art.32(1)(c)

About Backup & Recovery

Backup & Recovery is a cybersecurity control in the Protect domain that requires maintaining and testing backups of critical data and systems. Backup and recovery controls ensure that critical data and system configurations can be restored following ransomware attacks, hardware failures, natural disasters, or accidental deletion. Best practices include following the 3-2-1 backup rule (three copies, two different media types, one offsite), encrypting backup data, testing restoration procedures regularly, and maintaining immutable or air-gapped backups that cannot be modified by attackers. Recovery time objectives (RTO) and recovery point objectives (RPO) should be defined for each critical system and validated through periodic disaster recovery exercises.

This control is recognized by 9 of the 6 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR. It has full coverage across all of these frameworks.
