Why Backing Up SaaS Cloud Data Is Now Essential for ISO 27001:2022 Compliance

June 6, 2025

If your company is aiming for ISO 27001 certification—or looking to maintain it—you need to take a fresh look at how you back up your cloud-based data.

The latest update to the international information security standard, ISO/IEC 27001:2022, brings significant changes. One of the most important updates is the explicit requirement to back up data held in cloud-based platforms not directly managed by the organisation—in other words, your SaaS apps.

What’s New in ISO 27001:2022?

ISO 27001 has long required organisations to have effective backup strategies in place. But in the 2013 version, the language focused mainly on on-premises infrastructure or systems directly under the organisation’s control.

That changed with ISO 27001:2022, and more specifically in Annex A control 8.13 – Information Backup. The updated clause now explicitly includes data stored in cloud-based platforms, such as:

  • Google Workspace

  • Microsoft 365

  • Salesforce

  • GitHub

  • Notion

  • Slack

  • Trello

  • And many others

According to the new guidance:

“Data from cloud-based platforms that are not directly managed by the organisation should be included.”
ISMS.online – Annex A 8.13

This means your organisation is responsible for backing up SaaS data, even if it lives outside your internal infrastructure.

Why This Matters

Many companies assume that SaaS providers handle backups—but that’s only partially true. While vendors like Google or Microsoft do have some redundancy and retention, they are not responsible for your data protection, compliance, or accidental deletions.

SaaS app providers operate under the Shared Responsibility Model. This means that they look after their servers, network and application. However, responsibility for the data, your data, remains with you. Data loss risks take many forms:

  • Accidental deletion by users is common.

  • Insider threats or misconfigurations can lead to data loss.

  • Limited retention policies can mean permanently lost data after 30–90 days.

  • Regulatory requirements (like GDPR, ISO 27001, SOC2, DORA and others) expect you to maintain availability and integrity of business-critical information.

With ISO 27001:2022, this is no longer a grey area — SaaS backups are a compliance requirement.

What Does This Mean for Organisations Seeking ISO 27001?

If you’re in the process of implementing ISO 27001:2022—or planning for recertification—here’s what you need to consider:

  • Identify all business-critical SaaS platforms your team uses.

  • Assess the backup and recovery capabilities provided by the vendors.

  • Implement third-party SaaS backup solutions where the vendor’s offering is insufficient or nonexistent.

  • Document your backup policies and testing procedures as part of your ISMS.

  • Include SaaS data in your business continuity and disaster recovery planning.

How BackupLABS Helps

At BackupLABS, we’re built for exactly this challenge. We provide automated, secure, and compliant backups for cloud apps like:

  • GitHub

  • Notion

  • Jira

  • Trello

  • GitLab

If your compliance strategy doesn’t already include a plan for SaaS data protection, now’s the time to act.

Final Thoughts

The ISO 27001:2022 update is a wake-up call for IT managers, compliance officers, and business leaders: cloud-based data is still your responsibility.

🔍 Importantly, ISO 27001 auditors will look for evidence that you’re backing up data stored in SaaS and cloud-based platforms. This includes proof that your backups are running regularly, securely stored, tested, and recoverable.

If SaaS data is out of scope in your backup and recovery strategy, your ISO 27001:2022 certification may be at risk.

Whether you’re working toward certification or tightening your risk posture, backing up your SaaS data is no longer optional—it’s essential.