CP-09 Information System Backup

Contingency Planning

Baselines: Low, Moderate, High

Description

The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and protects backup information at the storage location.

Supplemental Guidance

The frequency of information system backups and the transfer rate of backup information to alternate storage sites (if so designated) are consistent with the organization’s recovery time objectives and recovery point objectives. While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the FIPS 199 impact level. An organizational assessment of risk guides the use of encryption for backup information. The protection of system backup information while in transit is beyond the scope of this control. Related security controls: MP-04, MP-05.

Changes from Rev 4

Title changed from 'Information System Backup' to 'System Backup'
Parameter added for conducting backups of user-level information contained in specific system components
Removes restrictive control text 'at storage locations'
Discussion expanded

Compliance Mappings

ISO 27001:2022

A.5.29, A.5.30, A.8.13

ISO 27002:2022

5.29, 5.30, 8.13

COBIT 2019

DSS04

CIS Controls v8

CIS 11, CIS 11.1, CIS 11.2, CIS 11.3, CIS 11.4, CIS 11.5

NIST CSF 2.0

PR.DS-11, PR.IR-03, RC.RP-03

SOC 2 TSC

A1.2, CC7.5

CSA CCM v4

BCR-08, CCC-09, CEK-18, CEK-20

CSA AICM v1

BCR-08, CCC-09, CEK-18, CEK-20

FINOS CCC

CCC-C13

ISO 42001:2023

A.4.3

IEC 62443

3-3 SR 7.3

NIS2 Directive

Art. 21(2)(c)

MAS TRM

8

ASD Essential Eight

E8-8, E8-8 ML1, E8-8 ML2, E8-8 ML3

BSI IT-Grundschutz

CON.3, DER.4

ANSSI

Hygiene.30, SecNumCloud.13.5

FINMA Circular 2023/1

IV.D(82), IV.E(89), IV.E(90), IV.E(91)

OSFI B-13

B-13.2.6

EU GDPR

Art.32(1)(c)

EU DORA

Art.12(1), Art.12(2), Art.12(3), Art.12(5)

BIO2

5.29, 5.30, 8.13

RBI CSF

ITGRCA.29

FISC Security Guidelines

FISC.O5

LGPD + BCB 4893

BCB.Art.3

HKMA TM-E-1

TME1.6.5

MLPS 2.0

8.1.10.9, 8.1.4.9, 8.2

DNB Good Practice

DNB.11.3, DNB.11.4

EU CRA

CRA.I.2h

SWIFT CSCF

SWIFT.6.3

NCA ECC

2-93-13-2

UAE IA

T12, T7

CBB TM

TM-14

Qatar NIA

BCOS

CBUAE

CR-13

CBE CSF

OVM-2

SA JS2

JS2-7.5

CBN CSF

Part3.6, Part3.7

BoG CISD

CISD-BCM

POPIA

s19

BoM CTRM

5.2

IOSCO Cyber Resilience

PFMI-17, RR-2, RR-3, TEST-5

CPMI-IOSCO PFMI

CG.RR, PFMI.P17

NYDFS 500

500.16

HIPAA Security Rule

§164.308(a)(7)(i), §164.308(a)(7)(ii)(A), §164.310(d)(2)(iv)

ECB CROE

CROE.2.5.2

EBA ICT Guidelines

3.7.2

SEBI CSCRF

BCP-DR, RC.RP

BOT Cyber Resilience

Ch4.2

CMMC 2.0

MP

NERC CIP

CIP-009-6

10 CFR 73.54

RG5.71-B-CP

DOE C2M2 v2.1

RESPONSE

API 1164

Sec 11

IAEA NSS 17-T

Sec 8

ISAE 3402

Clause 4

Solvency II

DR.266-BCP, EIOPA-ICT-4.10

Lloyd's Minimum Standards

MS8.6

NAIC Insurance Data Security

4F-b

PRA SS1/23

P-IT.3

FCA SYSC 13

SYSC 13.8.1, SYSC 13.8.2

HITRUST CSF v11

09.d, 12.b

FDA 21 CFR Part 11

§11.10(b), §11.10(c)

FDA Cybersecurity Guidance

SA-6

ISO 27799

12.3, 17.2

NHS DSPT

NDG-7.2, NDG-7.3

CCSS v9.0

1.03.2, 1.03.3, 1.03.4, 1.03.7

MiCA

Art.68(5), Art.62(5), Art.62(6), Art.47(1)

Basel SCO60

SCO60.21, SCO60.23, SCO60.53, SCO60.63, SCO60.65

BSSC Standards

NOS-07, KMS-10, GSP-06

SEC Custody (Digital Assets)

SEC-CD-06, SEC-CD-12

ISO 17799 (legacy)

10.5.1, 11.7.1

COBIT 4.1 (legacy)

DS4.2, DS4.9, DS11.5