Episode 60 — A.8.13–8.14 — Information backup; Redundancy of processing facilities

A.8.13 requires organizations to back up information, software, and system images at intervals aligned to business needs, with protection, testing, and documentation sufficient to restore operations reliably. For the exam, emphasize policy-driven schedules by data class, immutable or versioned storage to resist ransomware, off-site or cross-region replication, and encryption with independent key management. Backups must be inventoried, monitored for success, and periodically restored to verify integrity and RTO/RPO claims. Evidence includes job logs, test reports, and chain-of-custody for media where applicable. Pitfalls include untested backups, missing application-consistent snapshots, and credential sharing that lets an attacker erase primary and backup simultaneously. Strong programs isolate backup control planes, use least privilege for backup agents, and practice restores as a routine reliability exercise rather than a rare emergency drill.
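
One way to turn the job logs and restore test reports named above into a repeatable check of RPO/RTO claims by data class, as an added example that is not part of the original episode notes. The policy values, asset names, record fields, and finding labels are constructed assumptions, and the inventory is taken from the job log itself.

```python
from datetime import datetime, timedelta

# Hypothetical policy by data class: RPO, RTO, and how often a restore must be proven.
POLICY = {
    "critical": {"rpo": timedelta(hours=4), "rto": timedelta(hours=2), "test_every": timedelta(days=30)},
    "standard": {"rpo": timedelta(hours=24), "rto": timedelta(hours=8), "test_every": timedelta(days=90)},
}

# Constructed sample evidence: backup job log entries and restore test reports.
JOBS = [
    {"asset": "erp-db", "cls": "critical", "end": "2024-05-10T06:00", "ok": True},
    {"asset": "erp-db", "cls": "critical", "end": "2024-05-10T10:00", "ok": False},
    {"asset": "wiki", "cls": "standard", "end": "2024-05-10T01:00", "ok": True},
    {"asset": "hr-share", "cls": "standard", "end": "2024-05-09T23:00", "ok": True},
]
RESTORES = [
    {"asset": "erp-db", "date": "2024-04-25T09:00", "minutes": 95, "hash_ok": True},
    {"asset": "wiki", "date": "2024-01-15T09:00", "minutes": 600, "hash_ok": True},
]

def audit(jobs, restores, policy, now):
    """Return {asset: [findings]} for every asset seen in the job log; [] means compliant."""
    findings = {}
    for asset, cls in {(j["asset"], j["cls"]) for j in jobs}:
        p, out = policy[cls], []
        good = [datetime.fromisoformat(j["end"]) for j in jobs if j["asset"] == asset and j["ok"]]
        # RPO: age of the newest *successful* backup; failed jobs do not count.
        if not good or now - max(good) > p["rpo"]:
            out.append("RPO_EXCEEDED")
        tests = [r for r in restores if r["asset"] == asset]
        if not tests:
            out.append("NEVER_RESTORED")  # an untested backup is an unproven one
        else:
            last = max(tests, key=lambda r: r["date"])  # ISO strings sort chronologically
            if now - datetime.fromisoformat(last["date"]) > p["test_every"]:
                out.append("RESTORE_TEST_STALE")
            if timedelta(minutes=last["minutes"]) > p["rto"]:
                out.append("RTO_NOT_MET")  # measured restore time vs. claimed RTO
            if not last["hash_ok"]:
                out.append("INTEGRITY_FAILED")
        findings[asset] = out
    return findings

if __name__ == "__main__":
    for asset, f in sorted(audit(JOBS, RESTORES, POLICY, datetime(2024, 5, 10, 12, 0)).items()):
        print(asset, f or "OK")
```
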
A.8.14 complements backups with redundancy of processing facilities so that critical services can continue or be rapidly recovered when primary sites fail. Candidates should relate redundancy patterns—active/active, active/passive, warm/cold standby—to business impact analyses, noting dependencies such as identity, DNS, message queues, and license servers that often block failover. Designs must avoid single points of failure, validate data replication consistency, and include health checks and automated failover where safe. Regular exercises, chaos tests, and capacity proofs ensure that redundant paths actually work under stress and that security is preserved during failover (access controls, keys, monitoring). Common pitfalls are asymmetric configurations between regions, neglected runbooks, and cost optimizations that quietly erode resilience. Together, robust backups and engineered redundancy create layered continuity: one preserves recoverable state, the other preserves service availability. Candidates should be able to present an evidence-driven narrative that these controls meet stated objectives and integrate with incident response, change management, and management review.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.