Retention Policies vs Backups: The Distinction Auditors Always Ask About
In every compliance audit involving Microsoft 365, the question arises: "How do you back up your data?" The answer invariably leads to confusion, because the organisation has configured Purview retention policies and believes this constitutes backup. It does not. Retention and backup serve fundamentally different purposes, protect against different risks, and are governed by different compliance requirements. Understanding and articulating this distinction is essential for passing audits and, more importantly, for actual data resilience.
The Fundamental Distinction
Retention answers the question: "Can we prove this data existed and was not tampered with?"
Backup answers the question: "Can we restore this data if it is destroyed?"
These are not the same question, and they require different technical controls.
Microsoft Purview retention preserves data in-place or in a hidden preservation hold library. The data remains within the Microsoft 365 service boundary. If a user deletes an email, retention ensures a copy is preserved for the configured period. If a user modifies a SharePoint document, retention preserves the original version. This is essential for legal holds, regulatory evidence, and eDiscovery.
However, retention does not protect against:
- Corruption of the Microsoft 365 service itself
- A ransomware attack that encrypts data faster than versioning can track
- Malicious administrator action (a compromised Global Admin can modify retention policies)
- Accidental bulk deletion that exceeds recycle bin capacity
- Microsoft service outage or data loss event (however rare)
Backup creates a restorable snapshot of data. Microsoft 365 Backup provides point-in-time recovery within the Microsoft 365 trust boundary, using backup storage that is immutable and append-only, so a snapshot cannot be altered after it is taken.
Microsoft Purview Retention: How It Works
Purview retention operates through two mechanisms:
Retention labels: Applied to individual items (emails, documents, Teams messages). Labels can be applied manually by users, automatically by auto-labelling policies (based on content patterns or sensitivity information types), or by default (applied to all content in a location).
Navigate to Microsoft Purview > Data lifecycle management > Retention labels to create labels. Key configurations:
- Retain items for a specific period: 1 year, 3 years, 7 years, or custom. Items cannot be permanently deleted during this period.
- Delete items after the retention period: Automatically remove items when the retention period expires.
- Retain and then delete: Preserve for the retention period, then auto-delete. This is the most common pattern for regulatory compliance.
- Mark items as a record: Prevents modification of the item during the retention period (immutable). Required for legal holds and regulatory record-keeping.
Retention policies: Applied to entire locations (all Exchange mailboxes, all SharePoint sites, all Teams channels). Policies are broader than labels and ensure baseline retention across the tenant.
Navigate to Microsoft Purview > Data lifecycle management > Retention policies to create policies. Target specific workloads:
- Exchange email: Retain all mailbox content for a minimum period
- SharePoint sites: Retain all document versions
- OneDrive accounts: Retain content even after the user's account is deleted
- Teams channel messages and chats: Retain conversation history
- Viva Engage: Retain community messages
The critical architecture point: retained data resides within Microsoft 365. It is in the same tenant, the same region, and under the same administrative control as production data. This is by design - it enables eDiscovery and legal hold without moving data to external systems. But it means retained data shares the same threat surface as production data.
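The two retention mechanisms above can also be configured from Security & Compliance PowerShell rather than the Purview portal. The following is an added example, not configuration from the article: it assumes the ExchangeOnlineManagement module, a Compliance Administrator sign-in, and a 7-year "retain and then delete" period; the policy and label names are placeholders.

```powershell
# Added example: tenant-wide retention policies plus a record label via Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, Compliance Administrator role, 7-year period.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$days = 7 * 365       # retention period in days, which is how the cmdlets express it

# Baseline policy for Exchange, SharePoint, OneDrive and Microsoft 365 Group content.
# Teams messages cannot share a policy with these locations, so they get their own below.
$basePolicy = New-RetentionCompliancePolicy -Name "Baseline-Retain7y" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All

# Rule: keep each item for $days from its last modification, then delete ("retain and then delete").
New-RetentionComplianceRule -Name "Baseline-Retain7y-Rule" -Policy $basePolicy.Name `
    -RetentionDuration $days -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Separate policy for Teams channel messages and chats (conversation history).
$teamsPolicy = New-RetentionCompliancePolicy -Name "Teams-Retain7y" `
    -TeamsChannelLocation All -TeamsChatLocation All
New-RetentionComplianceRule -Name "Teams-Retain7y-Rule" -Policy $teamsPolicy.Name `
    -RetentionDuration $days -RetentionComplianceAction KeepAndDelete

# Record label for regulatory records: items marked as records cannot be modified during the period.
New-ComplianceTag -Name "Financial Record 7y" -RetentionAction KeepAndDelete `
    -RetentionDuration $days -RetentionType ModificationAgeInDays -IsRecordLabel $true

# Verify distribution: every policy should be Enabled with DistributionStatus of Success.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

Distribution to all locations can take some time, so re-run the final query until no policy reports a pending or error status.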
Microsoft 365 Backup: The New Native Option
Microsoft 365 Backup (generally available since 2024) provides a first-party backup solution integrated into the M365 admin centre. It creates point-in-time snapshots of Exchange mailboxes, OneDrive accounts, and SharePoint sites that can be restored independently of the production data.
Navigate to Microsoft 365 admin centre > Settings > Microsoft 365 Backup to configure.
Key capabilities:
- Point-in-time restore: Restore a mailbox, OneDrive, or SharePoint site to any point within the backup retention window
- Granular restore: Restore individual items (specific emails, files, or folders) without full-site restoration
- Backup isolation: Backup data is stored separately from production data, with independent access controls
- Rapid restore: Microsoft claims restoration speeds of up to 1TB per hour for SharePoint
Configuration:
- Enable Microsoft 365 Backup in the admin centre
- Select backup scope: all users or specific groups
- Configure backup frequency: Express (every 10 minutes), Standard (every hour)
- Set backup retention: Up to 1 year (configurable)
- Assign backup admin roles: Separate from Global Admin to prevent a compromised admin from deleting backups
Limitations to understand:
- Teams chat backup is not yet supported (as of early 2026) - only Teams files (which are stored in SharePoint) are covered
- Backup admin and restore operations generate audit log entries
- Backup does not cover Power Platform, Dynamics 365, or Azure resources - only Exchange, SharePoint, and OneDrive
When You Need Both
For regulated organisations, the answer is almost always "both." Here is why:
Retention satisfies:
- Legal hold requirements (litigation, regulatory investigation)
- eDiscovery obligations (producing relevant data in response to legal requests)
- Record-keeping regulations (financial records retention, healthcare records)
- Audit trail requirements (proving data was not tampered with during a specific period)
Backup satisfies:
- Business continuity requirements (restoring operations after a destructive event)
- Disaster recovery objectives (RPO and RTO commitments)
- Ransomware recovery (restoring clean data from a point before encryption)
- Accidental destruction recovery (bulk deletion, misconfigured automation)
Regulatory Requirements
DORA (Digital Operational Resilience Act): Article 11 requires financial entities to maintain ICT backup policies. The backup must support the entity's recovery time objectives and must be regularly tested. Purview retention does not satisfy DORA Article 11: it is not a backup, it cannot be tested for restoration, and it does not support defined RPO/RTO metrics. Microsoft 365 Backup, combined with documented RPO/RTO and tested restoration procedures, addresses DORA requirements.
ISO 27001 A.8.13 (Information Backup): The control requires that backup copies of information, software, and system images are taken and tested regularly in accordance with the backup policy. Key word: "copies." Retention does not create copies - it preserves originals. A backup that creates independent, restorable copies is required for A.8.13 conformity.
GDPR Article 32(1)(c): Requires "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident." Retention preserves data but does not provide restoration capability for bulk incidents. Backup provides the restoration mechanism.
NIS2 Article 21(2)(c): Requires "business continuity and crisis management," including backup management. Again, backup - not retention - is the control that satisfies this requirement.
The Auditor Conversation
When an auditor asks "How do you back up Microsoft 365?", the correct answer structure is:
- Retention: "We have Purview retention policies that preserve all Exchange, SharePoint, OneDrive, and Teams data for [X] years. This ensures data availability for legal holds and eDiscovery. Here is the policy configuration and the compliance report showing retention coverage across all workloads."
- Backup: "We additionally use Microsoft 365 Backup, which creates independent, restorable snapshots on [frequency] schedule with [retention period] retention. We test restoration quarterly - here is the latest test report showing RPO achieved [X minutes] and RTO achieved [X hours]."
- Distinction: "We recognise that retention and backup serve different purposes. Retention ensures data immutability for regulatory compliance. Backup ensures recoverability for business continuity. Both are required, and we maintain both."
This answer demonstrates maturity and will satisfy auditors across ISO 27001, SOC 2, DORA, and NIS2 frameworks. The organisations that conflate retention with backup are the organisations that receive audit findings - and, in a worst-case scenario, discover the gap during an actual incident when restoration is needed and retention alone cannot provide it.
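The "compliance report showing retention coverage across all workloads" in the retention part of that answer can be generated rather than assembled by hand. The following is an added example, not a script from the article: it assumes an existing Connect-IPPSSession session and reports, per workload, which enabled and distributed retention policies cover it and whether any of them carry a Preservation Lock (the RestrictiveRetention setting, which stops a policy being deleted or narrowed, even by a Global Admin). The backup half of the evidence (restore test reports, RPO/RTO achieved) comes from Microsoft 365 Backup restore runs and is not produced here.

```powershell
# Added example: retention coverage report per workload from Security & Compliance PowerShell.
# Assumption: Connect-IPPSSession has already been run with a role that can read retention policies.
Import-Module ExchangeOnlineManagement

function Get-RetentionCoverageReport {
    $policies = Get-RetentionCompliancePolicy -DistributionDetail

    # Workload name -> policy property that holds that workload's target locations
    $workloads = [ordered]@{
        'Exchange mailboxes'     = 'ExchangeLocation'
        'SharePoint sites'       = 'SharePointLocation'
        'OneDrive accounts'      = 'OneDriveLocation'
        'Microsoft 365 Groups'   = 'ModernGroupLocation'
        'Teams channel messages' = 'TeamsChannelLocation'
        'Teams chats'            = 'TeamsChatLocation'
    }

    foreach ($workload in $workloads.Keys) {
        $prop = $workloads[$workload]
        # A policy counts only when enabled, fully distributed, and actually targeting this workload
        $covering = @($policies | Where-Object {
            $_.Enabled -and
            $_.DistributionStatus -eq 'Success' -and
            (@($_.$prop)).Count -gt 0
        })
        [pscustomobject]@{
            Workload = $workload
            Covered  = ($covering.Count -gt 0)
            Policies = ($covering.Name -join ', ')
            # Policies with Preservation Lock: cannot be removed or reduced by any admin
            Locked   = (@($covering | Where-Object { $_.RestrictiveRetention }).Name -join ', ')
        }
    }
}

$report = Get-RetentionCoverageReport
$report | Format-Table -AutoSize

# Surface gaps explicitly so they cannot be missed in the audit pack
$gaps = $report | Where-Object { -not $_.Covered }
if ($gaps) { Write-Warning ("No retention coverage for: " + ($gaps.Workload -join ', ')) }
```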