What is the difference between controls 18.1.3 Protection of archives and 12.3.1 Saving information in ISO 27002?
I think this:
- 18.1.3 includes only the records corresponding to legal and contractual requirements, and 12.3.1 is the backup and recovery of data / systems / services in general.
- So for 12.3.1, I would check if data / applications / systems backup is established, restore procedures are established and tested regularly, etc.
- For 18.1.3, I would check if the company can access / post / display records related to laws, contracts, etc.
Correct me if I'm wrong, please.