Relevance of Offsite backups process compliance and ISO 27001 certification.



My company is ISO 27001:2013 certified. It has multiple facilities across cities within the same country. Backups and business continuity related controls are applicable and all centers are within scope. Yet one of the centers did not have offsite backups. Separate offsite backup media were maintained but there was no real offsite location identified (Due to certain administrative issues). Media were all just kept at onsite itself (In a fire proof vault), waiting to be transferred to offsite location once it would be identified, which never happened for a long time and even when ISO 27001 certification audit happened there.

The center got certified for ISO 27001 and this gap did not reflect in the audit report as Non Conformity (Neither Major nor Minor).

Can an organization get ISO 27001 certified (Assuming it displays compliance with all other requirements) if it fails to maintain offsite backups for one of its center under the scope, when business continuity & backup related controls are applicable?

I am just trying to understand the Lead Auditor perspective behind not identifying this gap as a major NC.
Elsmar Forum Sponsor


As such I was not the risk owner, however the risks involved that I am aware of are non availability of backup due to Fire, Natural Calamity etc, when one needs to make alternate arrangements for business continuity.
Business continuity has been identified as a required control in the SOA.


You have a backup process in place but saving it in offsite location or in cloud alone is not there. I understand your concern during Fire or natural calamity.

If the business owner want to accept this risk with some future action plan in place, then I don't think this will be a problem.
Thread starter Similar threads Forum Replies Date
Sidney Vianna ISO 9001 - Its Relevance and Impact in Asian Developing Economies ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 0
V Relevance of Process Based Auditing (PEAR) to regulated industry. US Food and Drug Administration (FDA) 3
V Relevance of Self Managed Teams (SMTs) in Regulated Industries Human Factors and Ergonomics in Engineering 5
D Real Life Testing related to Relevance or Quantification of Test Duration Inspection, Prints (Drawings), Testing, Sampling and Related Topics 2
R ISO Audit Relevance Questions - Equipment Operators ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
V Relevance of FMEA in Process Development [Pharma] FMEA and Control Plans 1
R Standard Relevance & Updating - ASME B&PVC Various Other Specifications, Standards, and related Requirements 4
L Practical Ideas for TS - Personel are aware of the relevance and importance.. Training - Internal, External, Online and Distance Learning 5
D Offsite storage of QMS documents ISO 13485:2016 - Medical Device Quality Management Systems 9
P Company Conducted Internal Audit Offsite using a Document Review Process Internal Auditing 65
S Offsite PPAP Training - Comprehensive course in the Michigan/Ohio area Training - Internal, External, Online and Distance Learning 2
Q Offsite ISO TS 16949 Internal Audit Training - Pacific Northwest including California Training - Internal, External, Online and Distance Learning 4
S TS 16949 certification and recently purchased offsite laboratory IATF 16949 - Automotive Quality Systems Standard 7
P Testing cloud-based backups IT (Information Technology) Service Management 7
M FDA or CE requirements for periodic checks of data backups and retrievals EU Medical Device Regulations 4
A Are CNC Program Backups Required by TS 16949? IATF 16949 - Automotive Quality Systems Standard 3

Similar threads

Top Bottom