
11) Does your organisation have a documented Backup Policy?

August 30, 2022
Security Governance
Policies
Backup
Small Framework

Answer yes if your organisation has a documented Backup Policy that has been reviewed in the last year. Please provide the Backup Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

What is it?

A backup policy defines what systems and data should be backed up, and how those backups should be stored, tested, and managed. Backups are essential for recovering from system outages. Such outages can be caused by user error, by the need to roll back changes for unexpected reasons, or by data being compromised or lost as a result of malicious activity.

Why should I have it?

Good backup policies and processes help ensure your business can recover after the loss of systems or data. They also cover how backups should be protected so that the backups themselves don’t become a liability or security risk.

As a supplier, having an effective backup policy reassures clients about your ability to be resilient in the case of unexpected outages, including those caused by cyber attacks. It also provides assurance that any copies of their data stored in those backups are considered and protected.

How to implement the control

Implementing a backup policy requires consideration of what data is stored on which systems, what data and systems are most critical, what approach is to be used, what testing should be performed, and what recovery objectives should be set. Backups can be any combination of complete or incremental copies, individual file shares (or even individual files), databases, or backups of the entire system. Backups can be stored online, offline in isolation, on premises, or housed by a trusted third party.

It is essential to carefully evaluate your business needs and the pros and cons of the various options before choosing which criteria to place in your backup policy.

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
