ISO 27001 Backup Evidence: Proving Backup & Integrity Controls
Introduction: auditors want evidence, not assurances
When an auditor reviews your backup and integrity controls for ISO 27001, the question is rarely "do you take backups?" — almost everyone says yes. The real question is sharper: can you prove it? Saying that backups run nightly, or that data is protected from tampering, is an assurance. An assurance is not evidence. What stands up in an audit is an objective artefact: a log that a backup actually completed, a record of a restore that was tested, and proof that a restored or stored file is bit-for-bit identical to the original. This article looks at what ISO 27001 backup evidence really means, which control areas it touches, and how signed integrity certificates from e-Dex (formerly Hash Calculator) help you turn assurances into verifiable facts — entirely offline.
Which Annex A control areas relate to backup and information integrity
ISO 27001 sets out an information security management system, and its Annex A control areas (drawn from ISO 27002) cover several themes that bear directly on backup and integrity. In general terms, there are control areas dealing with information backup — expecting backups to be taken, protected and, importantly, tested — and control areas dealing with logging and monitoring, so that activity can be recorded and reviewed. Alongside these sit controls concerned with protecting the integrity of information as it is processed, stored and transferred, so that unauthorised or accidental changes can be detected. We describe these as broad control areas attributed to ISO 27001 rather than making clause-by-clause legal claims: the exact controls that apply to your organisation are defined by your Statement of Applicability and your certification body. The point is that "we have backups" is only the start; the standard's spirit is that controls should be demonstrable.
What evidence actually demonstrates the controls
Strong audit evidence has a consistent shape: it is recorded, dated, and independently checkable. For backup and integrity controls, three kinds of evidence carry weight. First, tested restores — not just that a backup exists, but that data was actually recovered from it and verified. Second, integrity proof — cryptographic confirmation that a file has not changed since it was recorded, so you can show that what came out of a backup is exactly what went in. Third, signed certificates that capture both of the above in a tamper-evident document, so the artefact itself cannot be quietly edited after the fact. Together these move you from "trust us" to "here is the proof," which is precisely the posture auditors reward.
How to produce that evidence with hashing and certificates
A cryptographic hash is a fixed-length fingerprint of a file's contents; change a single byte and the fingerprint changes completely. The workflow is simple. When data is first backed up, hash the source files with e-Dex and keep the values. Later — on a schedule, or during a restore test — restore the data and hash it again. e-Dex recomputes the hashes, compares them against the recorded values, and prints a plain MATCH or MISMATCH verdict, with an overall result across the whole set. It computes several algorithms per file (MD5, SHA-1, SHA-256, SHA-512 and BLAKE3) so the proof is robust and matches whatever value you originally stored. The output is a readable certificate you can file as evidence. For the anatomy of that document, see our guide to the audit evidence certificate.
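To make the baseline-and-compare workflow concrete, here is an added Python example that is not e-Dex code and not part of the original article: it records a per-file hash manifest at backup time, re-hashes a restored tree, and returns per-file MATCH/MISMATCH verdicts plus an overall result, treating a file that never came back as a failure rather than silently skipping it. The file names and contents are constructed sample data; BLAKE3 is omitted only because Python's hashlib does not ship it.

```python
import hashlib
import tempfile
from pathlib import Path

# BLAKE3 is not in hashlib, so it is omitted. MD5 and SHA-1 are not collision-resistant:
# record them only to match legacy values and compare on SHA-256 (the default below).
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

def hash_file(path):
    """Return {algorithm: hexdigest} for one file, reading it in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(root):
    """Baseline taken at backup time: hashes of every file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored, algorithm="sha256"):
    """Re-hash the restored tree against the baseline: per-file verdicts plus an overall verdict."""
    verdicts = {}
    for rel, recorded in manifest.items():
        target = restored / rel
        if not target.is_file():
            verdicts[rel] = "MISSING"      # a file that did not come back cannot be a match
        elif hash_file(target)[algorithm] == recorded[algorithm]:
            verdicts[rel] = "MATCH"
        else:
            verdicts[rel] = "MISMATCH"
    overall = "MATCH" if all(v == "MATCH" for v in verdicts.values()) else "MISMATCH"
    return verdicts, overall

def demo():
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample data, not real backups
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        src.mkdir(); dst.mkdir()
        for name, body in (("a.txt", b"alpha"), ("b.txt", b"bravo"), ("c.txt", b"charlie")):
            (src / name).write_bytes(body)
        manifest = build_manifest(src)           # recorded when the data was first backed up
        (dst / "a.txt").write_bytes(b"alpha")    # restored intact
        (dst / "b.txt").write_bytes(b"bravO")    # one byte differs after restore
        return verify_restore(manifest, dst)     # c.txt was never restored

if __name__ == "__main__":
    per_file, overall = demo()
    print(per_file, "OVERALL", overall)
```

In a real restore test the manifest would be written to disk (or into the signed certificate) at backup time and read back later; here it is kept in memory so the example runs on its own.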
Map integrity certificates to your audit needs
The value of a certificate is in how cleanly it answers an auditor's question. A restore-test certificate with a MATCH verdict demonstrates that recovered data is identical to source, supporting backup-testing expectations. A periodic integrity certificate over stored archives shows that retained information has not drifted, supporting integrity-of-information expectations. A compliance verification certificate bundles these checks into a dated, signed record you can hand straight to a reviewer. Each artefact maps to a specific control concern, so instead of narrating your process you can point to a document that proves it — and keep the set in your audit file for the next surveillance visit.
Offline, signed and time-stamped
e-Dex generates every certificate fully offline on your own Windows machine, so backup data and evidence files never leave your environment — a useful property when the data itself is sensitive. Where you need extra assurance, you can apply a PAdES digital signature with a Digital Signature Certificate on a USB token, binding the signer's identity to the document so any later edit is detectable, and attach an RFC-3161 trusted timestamp that seals the exact time the certificate was produced. Only the timestamp step needs the internet; everything else runs locally on a single machine.
A note on scope: e-Dex supports the evidence, it does not certify ISO 27001
It is worth being precise. e-Dex supports your evidence; it does not certify ISO 27001 compliance, and it is not a certification body or an auditor. Certification against ISO 27001 is granted only by an accredited certification body after a formal audit of your management system. What e-Dex provides is one concrete category of supporting evidence — signed, verifiable file-integrity certificates — that you can present within your own ISMS. Treat it as a tool that strengthens your evidence base, not as a compliance verdict, and let your auditor and Statement of Applicability decide how each artefact fits.
Frequently Asked Questions
What counts as ISO 27001 backup evidence in an audit?
Auditors look for objective records, not verbal assurances. For backup and integrity controls that typically means evidence of tested restores, logs or schedules showing backups actually ran, and integrity proof that a restored or stored file is identical to the original. A signed integrity certificate that records cryptographic hashes and a MATCH or MISMATCH verdict is one concrete artefact that supports this, because it captures a verifiable fact at a point in time rather than a claim.
Which Annex A control areas relate to backup and information integrity?
ISO 27001 (and its Annex A controls drawn from ISO 27002) includes control areas covering information backup, logging and monitoring, and protecting the integrity of information during processing, storage and transfer. Backup-related controls expect backups to be taken, protected and tested, while integrity-related controls expect organisations to detect unauthorised or accidental changes to information. We describe these as general control areas and do not make clause-by-clause legal claims; your certification body and Statement of Applicability define exactly which controls apply to you.
Does e-Dex certify ISO 27001 compliance?
No. e-Dex does not certify, audit or attest ISO 27001 compliance, and it is not a certification body. It is an offline Windows tool that produces signed file-integrity certificates which you can use as supporting evidence within your own ISMS. Certification against ISO 27001 is granted by an accredited certification body after a formal audit; e-Dex simply helps you generate one type of evidence that an auditor may wish to review.
How do integrity certificates support tested restore evidence?
When you restore data from a backup as part of a restore test, you can hash the restored files with e-Dex and compare them against hashes recorded when the data was first backed up. A MATCH verdict on a signed certificate demonstrates the restored copy is bit-for-bit identical to the source, turning a restore test into documented, verifiable proof rather than a checkbox. You can keep the certificate as a dated artefact for the audit file.
Does e-Dex need internet access to produce backup integrity evidence?
No. e-Dex runs fully offline on your own Windows machine. Hashing files, comparing them against recorded values and generating the signed integrity certificate all happen locally, so backup data and evidence files never leave your environment. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.
Conclusion
ISO 27001 backup evidence is not a story you tell an auditor — it is a set of records that prove your controls work. Tested restores, integrity proof and signed certificates turn "we have backups" into a fact a reviewer can check independently. e-Dex helps you produce that evidence offline, on a single Windows machine, and it does so as a supporting tool — not as a substitute for certification. Learn how signed integrity certificates fit your control evidence on our file-integrity compliance page, or download e-Dex free and start building an audit file that proves itself.