
12) Does your organisation's Business Continuity Plan address the backup and restoration of your business data and the data you process for your clients?

January 30, 2023
Business Resilience
DR Site
Disaster Recovery Site

Answer yes if your organisation's Business Continuity Plan includes the required steps to back up and restore the data used by your organisation for day-to-day operations and the data your clients may have transferred to you for processing, including the outcomes of that processing. This may include defining and agreeing the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for certain services.

Data should be regularly backed up to a safe location and retained for a period of time commensurate with your business needs. If your Business Continuity Plan is invoked, it may be necessary to access and restore that data onto your alternative or restored system infrastructure to maintain business operations.

How to implement the control

Your technology team should conduct a full review of your IT estate to ensure that all systems critical to the operation of your business and the service to your clients have full redundancy. Your Business Continuity Plan should clearly define the steps required to access and restore data, including the instructions, responsibilities, resources and tools required. The plan should ensure that any contractually committed service levels with your clients are complied with. For example:

  • Recovery Time Objective (RTO): The target time for restoration of services to your client. This will be influenced by, for example, the time needed for infrastructure restoration and the data volume and transfer rates from your chosen backup systems to the restored infrastructure.
  • Recovery Point Objective (RPO): The point in time the backup data represents. This is also considered in terms of the maximum tolerable loss of data between the backup being taken and the incident occurring.

A full data recovery drill should be conducted periodically to ensure that you can effectively restore all of your organisation's critical data within your maximum tolerable business interruption target.
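As an added illustration (not part of the original article), the sketch below checks a backup catalogue and restore estimate against the RPO and RTO described above, including the case where a failed backup job widens the data-loss window. The catalogue entries, targets, data volume, transfer rate and function names are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed backup catalogue: (completion time, job status).
# The nightly job on 25 Jan failed, so no restorable copy exists for that night.
CATALOGUE = [
    (datetime(2023, 1, 23, 1, 0), "ok"),
    (datetime(2023, 1, 24, 1, 0), "ok"),
    (datetime(2023, 1, 25, 1, 0), "failed"),
    (datetime(2023, 1, 26, 1, 0), "ok"),
    (datetime(2023, 1, 27, 1, 0), "ok"),
]

def worst_case_data_loss(catalogue, window_end):
    """Longest stretch with no restorable backup: an incident at the end of
    that stretch loses everything written since the previous good backup."""
    good = sorted(t for t, status in catalogue if status == "ok")
    if not good:
        raise ValueError("no successful backups in catalogue")
    points = good + [window_end]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def estimated_restore_time(data_gb, transfer_mb_per_s, infra_rebuild):
    """Infrastructure rebuild time plus time to copy the backup set back."""
    if transfer_mb_per_s <= 0:
        raise ValueError("transfer rate must be positive")
    return infra_rebuild + timedelta(seconds=data_gb * 1024 / transfer_mb_per_s)

def assess(catalogue, window_end, rpo, rto, data_gb, transfer_mb_per_s, infra_rebuild):
    """Compare observed exposure and estimated restore time with the targets."""
    loss = worst_case_data_loss(catalogue, window_end)
    restore = estimated_restore_time(data_gb, transfer_mb_per_s, infra_rebuild)
    return {"worst_case_loss": loss, "rpo_met": loss <= rpo,
            "estimated_restore": restore, "rto_met": restore <= rto}

if __name__ == "__main__":
    # Assumed targets: 24 h RPO, 8 h RTO; 2 TiB to restore at 100 MB/s after a 2 h rebuild.
    report = assess(CATALOGUE, datetime(2023, 1, 27, 12, 0),
                    rpo=timedelta(hours=24), rto=timedelta(hours=8),
                    data_gb=2048, transfer_mb_per_s=100,
                    infra_rebuild=timedelta(hours=2))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The estimate is only a planning figure; the timings measured during a recovery drill should replace the assumed transfer rate and rebuild time.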

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
