CIS Control 11.2: Perform Automated Backups
Automated backups are your safety net against data loss, ransomware, and system failures. CIS Control 11.2 requires weekly or more frequent backups based on data sensitivity—a foundational practice that separates prepared organizations from vulnerable ones. Without it, you're gambling with business continuity.
What this means
CIS Control 11.2 mandates that organizations automatically back up all in-scope enterprise assets on a scheduled basis. The minimum frequency is weekly, but assets containing sensitive data should be backed up more often—daily or even hourly depending on criticality. This control ensures you can recover from data loss, corruption, or malicious deletion without relying on manual intervention or hoping backups exist.
How to comply
- 1.Identify all in-scope assets storing business-critical or sensitive data
- 2.Classify assets by data sensitivity to determine backup frequency (weekly minimum, daily/hourly for high-sensitivity)
- 3.Deploy automated backup solutions across infrastructure, applications, and endpoints
- 4.Configure backups to run on schedule without manual trigger or intervention
- 5.Test backup restoration regularly (at least quarterly) to verify integrity
- 6.Ensure backups are stored separately from primary systems (offsite or isolated storage)
- 7.Document backup procedures, retention policies, and recovery time objectives (RTO)
- 8.Monitor backup job completion and alert on failures
Evidence auditors look for
- Automated backup job logs showing weekly or more frequent execution timestamps
- Backup software configuration screenshots displaying scheduled, recurring backup tasks
- Backup storage inventory documenting retention policies and offsite storage location
- Successful restoration test reports with dates and recovery confirmation
- Monitoring dashboards or alerts showing backup job status and failure notifications
- Asset classification document linking data sensitivity to backup frequency
- Backup policy documentation including RTO/RPO targets and frequency justification
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates backup scheduling validation and restoration testing evidence collection, eliminating manual backup log audits and turning compliance checks into scheduled workflow tasks.
See how GRCWatch handles this control automatically
Start free trial