Forum Discussion
Hi Mike_MYOB
I'd like to address this part of your reply - from my perspective as an Information Security Management Systems auditor -
- Big companies need to have a running backup taken off premises.
- Are you able to share any more supporting information around this? To my knowledge most/all of our competitors don't offer an offline backup, so I would like to take a further look at this mandatory rule and how it applies.
I would assume that MYOB hosting the online backup will be considered a back up that is not held on premise for that business.
- Are you able to share any more supporting information around this? To my knowledge most/all of our competitors don't offer an offline backup, so I would like to take a further look at this mandatory rule and how it applies.
There's an important distinction between offsite and offline backup, and MYOB hosting our backup in the cloud only satisfies the former.
- Offsite just means the data is stored somewhere geographically separate — it protects against a local disaster (fire, flood, hardware failure at our premises).
- Offline (or air-gapped/immutable) means the backup has no live network connection to production systems, so it can't be reached, encrypted, or deleted if ransomware compromises our environment or the platform it's connected to.
MYOB's hosted backup is always-on and logically connected via our authenticated account. If our MYOB access or the platform itself were compromised, that backup is potentially in the blast radius too — it doesn't give us a genuinely isolated recovery point.
This isn't just a nice-to-have. It's a specific, named requirement under the frameworks Australian businesses are increasingly being assessed against:
ISO 27001:2022 — Information Backup — audit guidance under this control treats "backups logically connected to production with no immutable protection" as a fail condition, separate from whether the copy is geographically offsite. Standard guidance explicitly recommends a full backup kept offline (external drive or NAS, disconnected after each run) specifically because "if the drive stays online and accessible, malware can still infect those files."
SMB1001:2026 — backup and recovery is one of five assessed domains, and air-gapped/immutable backup strategies are a named requirement at the higher certification tiers (Gold and above). Relying solely on a vendor's built-in retention isn't treated as an equivalent control.
By removing the ability to take a local/offline backup, MYOB isn't just removing a convenience feature — it's removing our ability to meet a documented control that our clients, insurers, and auditors are actively checking for. "We back it up too" doesn't close that gap, because it's the same connected environment being relied on twice, not an independent recovery point.
Could you clarify whether there's any roadmap to reinstate an offline/exportable backup option, even as a manual or scheduled export rather than a live sync? For businesses pursuing ISO 27001 or SMB1001 certification, this isn't optional.
To this end, we also back up our Microsoft environment, and all other business critical information, with daily immutable backups. And so, I will repeat my earlier point - Relying solely on a vendor's built-in retention isn't treated as an equivalent control.
Hi KatieLee
This is good stuff and just the logical summary needed for the argument to pushed back onto MYOB.
However, there is a slight spoiler to your argument that MYOB will exploit - a big online only accounting software provider does not any ability to back up your data, recover your data, restore your data or do anything that suggests that some sort of back up has been done for businesses using it and their clients (assuming an accounting business has both MYOB and competitor software user clients) - this becomes a huge problem.
We are fully ISO accredited 27001, DOC2, and numerous other ISO accreditation and we use this competing software, (though we are not an accounting firm) but a cloud hosting business specialising in medical practices, but not exclusively.
There seems to be a grey area where, if a back up is not available ( either you don't use this software) or it is risk factor to be managed in the assessment.
The Doc
- KatieLee10 days agoMember
Hey Doc The_Doc
Fair point here, and definitely worth exploring a little further.
ISO 27001 is, as you mentioned, risk-based — it doesn't mandate a specific architecture, so "no offline backup" can sit in a risk register as an accepted risk, if formally assessed with documented rationale and compensating controls.
But I think that strengthens the case against MYOB's actions here.
This isn't a pre-existing gap — it's a control that was withdrawn. Many chose MYOB because local backup existed and was built into the risk treatment plan. Removing it doesn't put MYOB on equal footing with a cloud-only competitor.
That platform also has third-party options — restorable backups via an independent provider — so the risk is mitigated outside the platform itself. MYOB removing local backup with no equivalent third-party path (that I have been able to find, at least) leaves us worse off than the example being used to defend it.
I'd really like you to hear what I'm saying here. And I'd also like you to understand what's actually happening - your customers felt that the offline backup was a huge positive to using MYOB over the competition, and are extremely upset that it has been taken away. And the timing of this change, right before EOFY, was just a terrible, terrible choice on MYOB's behalf, warning or not.
Looking for something else?
Search the Community Forum for answers or find your topic and get the conversation started!
Learn, solve, grow
Level up your skills and find answers across all MYOB products