
Essential Eight · Control 08 of 08

Regular backups

Keeping copies of your important data somewhere safe, and regularly testing that you can actually restore them.

Why this control matters

Ransomware exists. Hardware fails. People make mistakes. A tested backup is the last line of defence, and the one most businesses discover isn't working the day they need it. The 'tested' part is the whole game.

The three maturity levels

Regular backups at Essential Eight ML1, ML2 and ML3.

These are the published ACSC requirements for this specific control at each maturity level. Your overall Essential Eight maturity is scored against your weakest control, not averaged, so a gap here pulls down the whole score.

ML1 · The 2026 baseline

Backups of important data, software and configuration settings are performed and retained in accordance with business criticality and continuity requirements. Backups are performed and retained in a coordinated and resilient manner. Restoration from backups is tested.

ML2 · Regulated or under audit

Unprivileged accounts can't access backups belonging to other accounts. Unprivileged accounts are prevented from modifying or deleting backups.

ML3 · Defence or sensitive

Privileged accounts (other than backup administrators) cannot modify or delete backups. Backup administrator accounts are prevented from accessing backups they administer without the involvement of another privileged account.

Not sure which level you should aim for?

The three-question picker on the Essential Eight hub will point you at the right target based on your regulatory position and the kind of data you hold.

Take the maturity picker

How we run it

The way CCP implements regular backups for clients.

Backups cover Microsoft 365 data (mailboxes, SharePoint, OneDrive, Teams), file servers or NAS, and line-of-business applications. Retention is tiered (daily, weekly, monthly) per criticality. Restores are tested on a quarterly schedule, not once a year: we pick a real file, restore it to a dedicated target, verify the restore works, and document it. Backups are isolated from the account that administers them, so a compromised admin can't destroy the backup while they're encrypting the primary.
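The restore test described above (pick a file, restore it to a dedicated target, verify, document) as an added worked example. This is not CCP's tooling: a local tar.gz archive stands in for the real backup system, and the directory layout, sample files and JSON evidence format are assumptions made for illustration. The verification compares the restored file against a hash recorded at backup time, so a backup that has silently drifted from what was written is reported as a FAIL rather than a "file came back" PASS.

```python
"""Quarterly restore test: back up a small file set, restore one file to a
dedicated target, verify it byte-for-byte against the hash recorded at backup
time, and append a dated evidence record.

Added example, not CCP's tooling. A local tar.gz archive stands in for the
real backup system; the directory layout, sample files and JSON evidence
format are assumptions made for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large restores are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under source_dir and return a manifest of
    relative path -> SHA-256 captured at backup time. The manifest is what a
    later restore is verified against, so it belongs with the backup catalogue."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_file(archive: Path, rel_path: str, target_dir: Path) -> Path:
    """Restore one file into a dedicated target directory, never over the
    primary copy. Bytes are copied out explicitly rather than with
    extractall(), so only the requested member is written and the archive's
    own member paths never decide where data lands."""
    dest = target_dir / rel_path
    dest.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        src = tar.extractfile(rel_path)   # raises KeyError if the member is missing
        if src is None:
            raise FileNotFoundError(f"{rel_path} is not a regular file in {archive}")
        with dest.open("wb") as out:
            out.write(src.read())
    return dest


def run_restore_test(archive: Path, manifest: Dict[str, str], rel_path: str,
                     target_dir: Path, evidence_path: Path) -> dict:
    """Restore, verify and document: the three steps a restore test must
    leave evidence of. Returns the evidence record that was appended."""
    restored = restore_file(archive, rel_path, target_dir)
    expected = manifest[rel_path]
    actual = sha256_of(restored)
    record = {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "archive": str(archive),
        "file": rel_path,
        "restored_to": str(restored),
        "expected_sha256": expected,
        "restored_sha256": actual,
        "result": "PASS" if expected == actual else "FAIL",
    }
    evidence_path.parent.mkdir(parents=True, exist_ok=True)
    with evidence_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")   # one JSON line per test, append-only
    return record


def demo(corrupt_archive: bool = False) -> dict:
    """Build a constructed sample data set in a temp dir and run one restore
    test. With corrupt_archive=True the archive is rewritten from changed
    data while the original manifest is kept, showing that the hash check
    catches a backup that no longer holds what was recorded."""
    root = Path(tempfile.mkdtemp(prefix="restore-test-"))
    source = root / "primary"
    (source / "finance").mkdir(parents=True)
    # Constructed sample files, not real data
    (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (source / "policy.txt").write_text("Backup policy v1\n")
    archive = root / "backup.tar.gz"
    manifest = create_backup(source, archive)
    if corrupt_archive:
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,999\n")
        create_backup(source, archive)   # archive overwritten, manifest unchanged
    return run_restore_test(archive, manifest, "finance/ledger.csv",
                            root / "restore-target", root / "evidence.jsonl")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The evidence file is append-only JSON lines, one record per test, which is the artefact an auditor asks for: when the test ran, which backup, which file, and whether the restored bytes matched. Running `demo(corrupt_archive=True)` shows the FAIL path a once-a-year test would leave undetected for months.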

Free self-assessment

No email required.

Score yourself on all eight controls, get a branded PDF.

Eight questions, your estimated Essential Eight maturity level, and a branded PDF report you can share with your board, insurer, broker or auditor. Runs entirely in your browser. Nothing is sent to us unless you choose to book a call.

Take the self-assessment

Common questions

What people actually ask about regular backups.

Doesn't Microsoft 365 already back up everything?
No. Microsoft provides retention, not backup. If a user deletes a file, retention holds it for a configured number of days before it's gone forever. If ransomware encrypts a OneDrive, Microsoft's version history may or may not save you. Real backup means a separate copy held by a separate system, with a separate restore flow, and no reliance on the tenant being healthy.
How often should we test restores?
Quarterly, minimum. Annually isn't enough because by the time you discover the backup is broken, eleven months of changes have gone undetected. Our Technology Success Program includes a documented restore test every quarter. You get the evidence; your auditor gets the evidence.
What's the ransomware angle on backups?
Ransomware now specifically targets backups. If the attacker compromises an account that can delete or encrypt the backups, the whole backup strategy fails at the worst possible moment. ML2 and ML3 require backups to be isolated from privileged accounts; that's a structural architecture choice, not a configuration setting. We build backups that way by default.
How long would it actually take to restore our environment?
For a single user mailbox or OneDrive: minutes to hours. For a full server: hours to a working day, depending on dataset size. For a full tenant rebuild after a catastrophic compromise: days, sometimes a week. We document RTO and RPO targets for each class of data so you have real numbers, not vibes.
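The ML2 and ML3 requirements quoted above, and the ransomware point about backups being isolated from privileged accounts, come down to who can read, modify or delete which backup sets. The following is an added example, not CCP's or the ACSC's tooling, that encodes those requirements as a check over a backup platform's access model. The BackupPrincipal model, the constructed sample accounts and the assess_backup_acl() function are assumptions made for illustration; a real assessment would populate the principals from the backup product's role and permission configuration.

```python
"""Assess a backup platform's access model against the Essential Eight ML1,
ML2 and ML3 requirements for regular backups.

Added example, not CCP's or the ACSC's tooling. The BackupPrincipal model,
the constructed sample accounts and the assess_backup_acl() function are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class BackupPrincipal:
    name: str
    role: str                              # "unprivileged", "privileged" or "backup_admin"
    own_set: Optional[str] = None          # backup set holding this account's own data
    can_read: Set[str] = field(default_factory=set)    # readable backup sets; "*" = all
    can_modify: Set[str] = field(default_factory=set)
    can_delete: Set[str] = field(default_factory=set)
    dual_control: bool = False             # backup admins only: a second privileged account must be involved


def _reaches_other_sets(granted: Set[str], own: Optional[str]) -> bool:
    """True if a grant covers any backup set other than the account's own."""
    return "*" in granted or bool(granted - ({own} if own else set()))


def assess_backup_acl(principals: List[BackupPrincipal],
                      restore_tested: bool) -> Tuple[int, List[str]]:
    """Return (maturity level reached for this control, findings).
    Each finding is tagged with the level whose requirement it breaks; the
    control scores at the level below the lowest failing one (0 if ML1 fails)."""
    findings: List[str] = []
    if not restore_tested:
        findings.append("ML1: restoration from backups has not been tested")
    for p in principals:
        if p.role == "unprivileged":
            if _reaches_other_sets(p.can_read, p.own_set):
                findings.append(f"ML2: unprivileged {p.name} can access other accounts' backups")
            if p.can_modify or p.can_delete:
                findings.append(f"ML2: unprivileged {p.name} can modify or delete backups")
        elif p.role == "privileged":
            if p.can_modify or p.can_delete:
                findings.append(f"ML3: privileged {p.name} (not a backup admin) can modify or delete backups")
        elif p.role == "backup_admin":
            if not p.dual_control:
                findings.append(f"ML3: backup admin {p.name} can reach backups without a second privileged account")
        else:
            raise ValueError(f"unknown role {p.role!r} for {p.name}")
    failing = {int(f[2]) for f in findings}      # the digit after "ML"
    return (min(failing) - 1 if failing else 3), findings


def weak_model() -> Tuple[int, List[str]]:
    """Constructed sample: a common small-business setup before hardening.
    One user can see everyone's backups and delete their own, the general IT
    admin can delete everything, and the backup service account answers to nobody."""
    principals = [
        BackupPrincipal("alice", "unprivileged", own_set="m365-alice", can_read={"m365-alice"}),
        BackupPrincipal("bob", "unprivileged", own_set="m365-bob", can_read={"*"}, can_delete={"m365-bob"}),
        BackupPrincipal("it-admin", "privileged", can_read={"*"}, can_modify={"*"}, can_delete={"*"}),
        BackupPrincipal("backup-svc", "backup_admin", can_read={"*"}, can_modify={"*"}, can_delete={"*"}),
    ]
    return assess_backup_acl(principals, restore_tested=True)


def hardened_model() -> Tuple[int, List[str]]:
    """Constructed sample after applying the ML2/ML3 structure: unprivileged
    accounts only see their own set, the general admin is read-only, and the
    backup admin needs a second privileged account to touch the backups."""
    principals = [
        BackupPrincipal("alice", "unprivileged", own_set="m365-alice", can_read={"m365-alice"}),
        BackupPrincipal("bob", "unprivileged", own_set="m365-bob", can_read={"m365-bob"}),
        BackupPrincipal("it-admin", "privileged", can_read={"*"}),
        BackupPrincipal("backup-svc", "backup_admin", can_read={"*"}, can_modify={"*"},
                        can_delete={"*"}, dual_control=True),
    ]
    return assess_backup_acl(principals, restore_tested=True)


if __name__ == "__main__":
    for label, fn in (("weak", weak_model), ("hardened", hardened_model)):
        level, findings = fn()
        print(f"{label}: ML{level}")
        for finding in findings:
            print("  -", finding)
```

The weak model lands at ML1 with four findings: the ML2 ones are fixable in the backup product's permissions, but the ML3 ones (a general admin that can delete backups, a backup admin with unilateral access) are the structural point made in the ransomware answer above. A compromised admin account in the weak model can wipe the backups; in the hardened model the same compromise leaves the backups intact, because no single account holds delete rights on its own.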

These ML1 / ML2 / ML3 summaries distil the ACSC's published Essential Eight Maturity Model. For the full, authoritative text, see the ACSC Essential Eight Maturity Model.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
