Why Backing Up SaaS Cloud Data Is Now Essential for ISO 27001:2022 Compliance

If your company is aiming for ISO 27001 certification, or looking to maintain it, you need to take a fresh look at how you back up your cloud-based data.

The latest update to the international information security standard, ISO/IEC 27001:2022, brings significant changes. One of the most important is the explicit requirement to back up data held in cloud-based platforms not directly managed by the organisation. In other words, your SaaS apps.

What’s New in ISO 27001:2022?

ISO 27001 has long required organisations to have effective backup strategies in place. But in the 2013 version, the language focused mainly on on-premises infrastructure or systems directly under the organisation’s control.

That changed with ISO 27001:2022, and more specifically in Annex A control 8.13 – Information Backup. The updated clause now explicitly includes data stored in cloud-based platforms, such as:

  • Google Workspace

  • Microsoft 365

  • Salesforce

  • GitHub

  • Notion

  • Slack

  • Trello

  • And many others

According to the new guidance:

“Data from cloud-based platforms that are not directly managed by the organisation should be included.”
— ISMS.online – Annex A 8.13

This means your organisation is responsible for backing up SaaS data, even if it lives outside your internal infrastructure.

What Does This Mean for Organisations Seeking ISO 27001?

If you’re in the process of implementing ISO 27001:2022, or planning for recertification, here’s what you need to consider:

  • Identify all business-critical SaaS platforms your team uses.

  • Assess the backup and recovery capabilities provided by the vendors.

  • Implement third-party SaaS backup solutions where the vendor’s offering is insufficient or nonexistent.

  • Document your backup policies and testing procedures as part of your ISMS.

  • Include SaaS data in your business continuity and disaster recovery planning.

How BackupLABS Helps

At BackupLABS, we’re built for exactly this challenge. We provide automated, secure, and compliant backups for cloud apps like:

  • GitHub

  • Notion

  • Jira

  • Trello

  • GitLab

If your compliance strategy doesn’t already include a plan for SaaS data protection, now’s the time to act.

Final Thoughts

The ISO 27001:2022 update is a wake-up call for IT managers, compliance officers, and business leaders: cloud-based data is still your responsibility.

Importantly, ISO 27001 auditors will look for evidence that you’re backing up data stored in SaaS and cloud-based platforms. This includes proof that your backups are running regularly, securely stored, tested, and recoverable.
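The four kinds of evidence listed above can be checked mechanically. As an added example (not code from this page or from BackupLABS), the script below runs a constructed backup manifest for GitHub, Notion and Jira against those expectations; the 24-hour schedule and the 90-day restore-test window are assumed ISMS policy values, not figures from the page.

```python
"""Check SaaS backup evidence for the A.8.13 expectations named on this page:
run regularly, stored securely, tested, recoverable. All data is constructed."""
from datetime import datetime, timedelta
import hashlib

NOW = datetime(2024, 6, 1)                  # fixed "now" so results are reproducible
MAX_RESTORE_TEST_AGE = timedelta(days=90)   # assumed ISMS policy value, not from the page

MANIFEST = [  # constructed records, one per SaaS backup job, as a backup tool might log them
    {"platform": "GitHub", "schedule_hours": 24,
     "last_success": datetime(2024, 5, 31, 23, 0), "encrypted_at_rest": True,
     "last_restore_test": datetime(2024, 4, 15),
     "artifact": b"repo-archive-bytes",
     "recorded_sha256": hashlib.sha256(b"repo-archive-bytes").hexdigest()},
    {"platform": "Notion", "schedule_hours": 24,
     "last_success": datetime(2024, 5, 28), "encrypted_at_rest": True,
     "last_restore_test": datetime(2024, 1, 10),
     "artifact": b"notion-export-bytes",
     "recorded_sha256": hashlib.sha256(b"notion-export-bytes").hexdigest()},
    {"platform": "Jira", "schedule_hours": 24,
     "last_success": datetime(2024, 5, 31, 22, 0), "encrypted_at_rest": False,
     "last_restore_test": datetime(2024, 5, 20),
     "artifact": b"jira-export-bytes",
     "recorded_sha256": "0" * 64},  # digest no longer matches the stored artifact
]

def check_backup(job: dict, now: datetime = NOW) -> list[str]:
    """Return the A.8.13 evidence gaps for one backup job (empty list = no gaps)."""
    gaps = []
    # Regular: the last successful run must fall within one scheduled interval.
    if now - job["last_success"] > timedelta(hours=job["schedule_hours"]):
        gaps.append("stale: last successful run outside schedule")
    # Securely stored: the off-platform copy must be encrypted at rest.
    if not job["encrypted_at_rest"]:
        gaps.append("unencrypted: backup copy not encrypted at rest")
    # Recoverable: the stored artifact must still match the digest recorded at backup time.
    if hashlib.sha256(job["artifact"]).hexdigest() != job["recorded_sha256"]:
        gaps.append("integrity: artifact digest does not match manifest")
    # Tested: a restore test must have been performed within the policy window.
    if now - job["last_restore_test"] > MAX_RESTORE_TEST_AGE:
        gaps.append("untested: no restore test within policy window")
    return gaps

def audit(manifest: list[dict], now: datetime = NOW) -> dict[str, list[str]]:
    """Map each platform to its evidence gaps; a platform with no gaps passes this check."""
    return {job["platform"]: check_backup(job, now) for job in manifest}

if __name__ == "__main__":
    for platform, gaps in audit(MANIFEST).items():
        print(platform, "OK" if not gaps else "; ".join(gaps))
```

Each non-empty list is a finding to record in the ISMS and to remediate before an auditor asks for the same evidence.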

If SaaS data is out of scope in your backup and recovery strategy, your ISO 27001:2022 certification may be at risk.

Whether you’re working toward certification or tightening your risk posture, backing up your SaaS data is no longer optional; it’s essential.

Join the Early Access List

Be the first to secure your data. Join our waitlist today for exclusive launch updates and early-bird pricing.
