A.8.13 Information Backup
What is this control?
ISO 27001 control A.8.13 Information Backup requires organisations to maintain backup copies of information, software, and systems, testing them regularly in accordance with a topic-specific backup policy. This control protects against data loss from accidental deletion, corruption, or ransomware while ensuring recovery capability with defined RTO/RPO targets. For Microsoft 365 environments, backup is implemented through AvePoint Cloud Backup for Exchange, SharePoint, OneDrive, and Teams data with cloud storage and granular restore capability.
On-premises and Azure infrastructure is protected through Acronis Cyber Protect Cloud with encryption and immutability options.
How to implement in Microsoft 365
Implement A.8.13 by deploying AvePoint Cloud Backup connected to the Microsoft 365 tenant via service principal registration in Entra ID. Configure backup schedules per data classification: every 4 hours for critical business data (4-hour RPO), daily for standard data (24-hour RPO), weekly for archive data. Enable AES-256 encryption at rest and TLS 1.2+ in transit for all backup data.
Configure retention periods aligned with regulatory requirements (default 7 years for AvePoint). For on-premises and Azure infrastructure, deploy Acronis Cyber Protect Cloud with protection plans covering critical servers and Arc-managed VMs. Enable immutable backup copies where supported for ransomware protection.
Establish quarterly restore testing procedures with documented results including system tested, date, success/failure, and RTO achieved. Monitor backup job status daily with email alerts for failures.
What an auditor looks for
Auditors will verify that the AvePoint Cloud Backup service principal is registered in Entra ID and shows sign-in activity within the last 30 days, indicating backups are actively running. They will check Azure Backup status for VM protection or alternative backup solution coverage. Auditors will review backup encryption configuration in portal settings.
They will examine quarterly restore test records to verify testing is performed with documented results. Auditors will check backup job monitoring dashboards and alert configurations. They will verify retention policies are aligned with regulatory requirements and that immutability or retention locks are configured where supported.
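The quarterly restore test records can be checked mechanically before an audit. The following is an added example, not part of the original guidance or of any AvePoint or Acronis tooling: it scans a restore-test log holding the four documented fields (system tested, date, success/failure, RTO achieved) and reports missed quarters, failed tests, and RTO overruns. The system names, the per-system RTO targets, and the log entries are constructed assumptions.

```python
from datetime import date

# Assumed per-system RTO targets in hours (the guidance sets no RTO figures).
RTO_TARGET_HOURS = {"Exchange Online": 4.0, "SharePoint": 8.0, "FILESRV01": 12.0}

# Constructed sample restore-test log: system tested, date, success/failure, RTO achieved.
RESTORE_TESTS = [
    {"system": "Exchange Online", "date": date(2024, 2, 14), "success": True, "rto_hours": 2.5},
    {"system": "Exchange Online", "date": date(2024, 5, 20), "success": True, "rto_hours": 5.0},
    {"system": "SharePoint", "date": date(2024, 3, 1), "success": False, "rto_hours": None},
    {"system": "SharePoint", "date": date(2024, 6, 10), "success": True, "rto_hours": 6.0},
    {"system": "FILESRV01", "date": date(2024, 1, 22), "success": True, "rto_hours": 9.0},
]

def quarter(d):
    """Return (year, quarter number) for a date."""
    return (d.year, (d.month - 1) // 3 + 1)

def quarters_between(start, end):
    """List every calendar quarter touched by the audit period."""
    y, q = quarter(start)
    out = []
    while (y, q) <= quarter(end):
        out.append((y, q))
        y, q = (y, q + 1) if q < 4 else (y + 1, 1)
    return out

def audit_restore_tests(tests, targets, period_start, period_end):
    """Return (system, quarter, finding) tuples for gaps in the restore-test evidence."""
    findings = []
    for system, target in sorted(targets.items()):
        rows = [t for t in tests
                if t["system"] == system and period_start <= t["date"] <= period_end]
        # A failed test still counts as performed; the failure is reported separately.
        tested = {quarter(t["date"]) for t in rows}
        for y, q in quarters_between(period_start, period_end):
            if (y, q) not in tested:
                findings.append((system, f"{y}-Q{q}", "no restore test recorded"))
        for t in rows:
            label = "{}-Q{}".format(*quarter(t["date"]))
            if not t["success"]:
                findings.append((system, label, "restore test failed"))
            elif t["rto_hours"] > target:
                findings.append((system, label,
                                 f"RTO {t['rto_hours']}h exceeds target {target}h"))
    return findings

if __name__ == "__main__":
    for f in audit_restore_tests(RESTORE_TESTS, RTO_TARGET_HOURS, date(2024, 1, 1), date(2024, 6, 30)):
        print(" | ".join(f))
```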
Related controls
- [A.8.14 (Redundancy of information processing facilities)](/controls/a-8-14 (redundancy of information processing facilities)/)
- [A.8.10 (Information deletion)](/controls/a-8-10 (information deletion)/)
- [A.5.33 (Protection of records)](/controls/a-5-33 (protection of records)/)
- [A.7.5 (Protecting against physical and environmental threats)](/controls/a-7-5 (protecting against physical and environmental threats)/)
M365 capabilities that implement this control
AvePoint Cloud Backup for M365 workloads