When the unimaginable happens and you are hit with a ransomware attack, a system outage or someone deletes that crucial file, having a backup is going to be crucial. I often think about all my cherished photos and family memories and what I would do if I lost them. As they are so important to me I make sure they are backed up, and the same should go for business data.
I have seen the situation where a business does not have a backup and was unable to recover when disaster struck. What is worse than that is the business that thought it had a backup and when the time came to use it, because it was never tested, it did not work.
The ISO 27001 Backup policy sets out the clear guidelines for how you manage backups and ensures that everyone knows what must be done so that when the worst does happen, it is not the end of the world.
I will show you what a backup policy is and then using real world experience show you how you can write a practical policy yourself or use the ISO 27001 backup policy template I created.
Table of contents
- ISO 27001 Backup Policy
- What is a data backup?
- Defining backup
- Backup and restoration procedures
- Backup Encryption
- Backup Frequency
- Roles and Responsibilities
- Access Controls
- Backup Testing
- Common Backup Policy Mistakes and How To Avoid Them
- How to write an ISO 27001 Backup Policy
- ISO 27001 Backup Policy Example
- ISO 27001 Backup Policy Template
- What ever you do, back up your data
- ISO 27001 Backup Policy FAQ
ISO 27001 Backup Policy
Let’s dig a little deeper on what the policy actually is before I show you how to write a practical backup policy you can use for your ISO 27001 certification.
In basic terms, an ISO 27001 Backup Policy is designed to protect you from the loss of data or the corruption of data due to malware and ransomware.
It sets out the approach to backups and ensures that adequate processes and procedures are in place. It also ensures that there is regular testing of the backup so that you can be sure that when the time comes and if you need it, you can recover it.
It is one of the ISO 27001 policies required by the ISO 27001 standard for ISO 27001 certification and is explicitly referenced in ISO 27001 Annex A 8.13 Information Backup.
What is a data backup?
Data backup is the process of taking an exact copy of the data at a point in time so that if you need to restore it you can restore it and return to it as it was at that point in time.
Defining backup
The backup should be defined. You want to know what you are backing up and how often. Backup is not just of data files: consider the backup of system configuration files, virtual machines, databases, websites, photographs – in fact anything that you rely on or that would harm you if you no longer had it. When deciding how often to back up, the question is how many updates and changes you can accept to lose. If you only back up once a week then you potentially have a week of data that will be missing and may need recreating. Can you accept losing a week's worth of data? It depends on circumstance, but the more often you can back up, the better.
Backup and restoration procedures
It is important to have documented processes and procedures for backing up and restoring data. Having documented processes enables us to ensure the control is in place and effective. The knowledge needs to be written down so that if, and when, the time comes and the person who normally performs the backup and restoration is not available, you can still recover.
Backup Encryption
Should backup be encrypted? Yes. Most definitely. Backup is one of the weakest areas for security control. It may be held on removable media, offsite, or in a remote location. There are many variables that can present a risk to backup. To mitigate that risk you want to encrypt your backup so that if the backup is compromised it is, to all intents and purposes, worthless. The easiest way to do this is using the vendor's built-in encryption, which they will provide by default. For more details on encryption see the guide to ISO 27001 Use of Cryptography: Annex A 8.24.
Backup Frequency
There are things that you can do that will help you to identify what kind of a backup you should be doing around that data. A great tip is to conduct a business impact analysis. This will identify the key systems and key data for your organisation, and it will include working out what is the longest time that you can go without data and what is the last recovery point in terms of time that you can afford to lose.
If you’re only backing up once a week then you have to consider that potentially you will lose up to six days’ worth of information. If you’re backing up every day then you’re going to potentially lose up to 23 hours of new data.
A common example of backup frequency:
- Take daily backups and keep them for 7 days.
- Take weekly backups and keep them for 28 days.
- Take monthly backups and keep them for 12 months.
- Take annual backups and keep them for 7 years.
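The schedule above is a grandfather-father-son rotation, and the practical question it leaves open is which of the backups already taken must still be kept on any given day. This added example (my own illustration, not code from the original article) implements that selection for the four tiers listed; the choice of Sunday as the weekly backup and the 1st of the month as the monthly one is an assumption.

```python
from datetime import date, timedelta

# Retention tiers from the article's example schedule. Each tier is
# (predicate deciding whether a backup belongs to the tier, predicate deciding
# whether that backup is still within the tier's retention window).
# Assumption: weekly = the Sunday backup, monthly = the 1st-of-month backup,
# annual = the 1 January backup.
def _months_between(older: date, newer: date) -> int:
    return (newer.year - older.year) * 12 + (newer.month - older.month)

RETENTION_TIERS = [
    ("daily",   lambda d, today: True,                          lambda d, today: (today - d).days < 7),
    ("weekly",  lambda d, today: d.weekday() == 6,               lambda d, today: (today - d).days < 28),
    ("monthly", lambda d, today: d.day == 1,                     lambda d, today: _months_between(d, today) < 12),
    ("annual",  lambda d, today: d.month == 1 and d.day == 1,    lambda d, today: today.year - d.year < 7),
]


def retained_backups(backup_dates, today: date) -> dict:
    """Return {backup_date: [tiers keeping it]} for every backup that must
    still be retained on `today`; dates not in the result may be pruned."""
    keep = {}
    for d in backup_dates:
        if d > today:
            continue  # clock skew or bad metadata; never treat as retained
        tiers = [name for name, member, alive in RETENTION_TIERS
                 if member(d, today) and alive(d, today)]
        if tiers:
            keep[d] = tiers
    return keep


def demo(today: date = date(2024, 3, 15)) -> dict:
    """Constructed history: one backup every day from 2017-01-01 to `today`."""
    start = date(2017, 1, 1)
    history = [start + timedelta(days=i) for i in range((today - start).days + 1)]
    return retained_backups(history, today)


if __name__ == "__main__":
    for d, tiers in sorted(demo().items()):
        print(d, ",".join(tiers))
```

On the constructed history this keeps 28 of roughly 2,600 daily backups: seven dailies, three further Sundays, twelve first-of-month backups and six further 1 January backups.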
Roles and Responsibilities
It is best practice to assign roles and responsibilities for backups. This way we can ensure that everything gets done and we know who is doing it. Typical roles and responsibilities for backups include:
- Backup Management – responsible for ensuring that backup is working as intended
- Alert and Monitoring – responsible for the monitoring of the backup and alerting if something goes wrong
- Incident Management – responsible for responding to incidents that require the use of backups or problems with the backups themselves
- Backup Testing and Verification – responsible for testing the backup and verifying that it works as intended
Access Controls
You need to consider access controls to backups. These are direct copies of your information and therefore you want to ensure that adequate access controls are in place. There will be access to the backup files, potentially to the backup media and to the location where the backups are stored. If you have backup encryption in place then this will mitigate the risk, but you should then consider the access to the encryption keys and how they are managed. ISO 27001 Information Access Restriction: Annex A 8.3 gives guidance on access restrictions that can apply to backups.
For key management you will rely on ISO 27001 Use of Cryptography: Annex A 8.24 which provides more details on cryptography.
Backup Testing
Backups need to be tested. This will form part of the ISO 27001 certification audit and is a key part of what the auditor will check. The testing can be a partial restore or a full restore, based on business need and risk, and is usually conducted in a test environment. This way, the production environment is not put at risk.
As part of the testing you will include user verification that the test has worked and that the recovery is as was intended.
You will keep documentary evidence of the test and the test results and any continual improvements that arose.
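Verification that "the recovery is as was intended" is easiest to evidence when it is mechanical: record a hash of every file when the backup is taken and compare the restored copy against that record. This added example (my own, not from the article) does that with SHA-256 and returns a result record that can be filed with the test evidence; the two-file scenario it builds in a temporary directory is constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root.
    Taken at backup time, this is the reference the restore test is judged against."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest. The record lists files that
    did not come back, came back altered, or appeared without being in the backup."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"passed": not (missing or corrupted), "missing": missing,
            "corrupted": corrupted, "unexpected": unexpected}


def demo() -> tuple:
    """Constructed scenario: a clean restore (the source itself) and a restore into
    a test environment where one file is truncated and one is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "prod"), Path(tmp, "restore-test")
        (src / "db").mkdir(parents=True)
        (dst / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("CREATE TABLE customers (id INT);\n")
        (src / "config.yaml").write_text("retention_days: 7\n")
        (src / "notes.txt").write_text("runbook pointers\n")
        manifest = build_manifest(src)
        (dst / "config.yaml").write_text("retention_days: 7\n")          # intact
        (dst / "db" / "customers.sql").write_text("CREATE TABLE customers")  # truncated
        return verify_restore(manifest, src), verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```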
Common Backup Policy Mistakes and How To Avoid Them
The single biggest mistake people make for the backup policy is not addressing data protection requirements. Specifically here we reference the requirements of the GDPR but it applies equally to other data protection laws and regulations. The problem comes as backups of data are still data and therefore covered. This applies to requirements on data retention and most overlooked are data subject’s rights to be forgotten. You will need to think carefully about how you address removing data from backups when legally required to do so.
How to write an ISO 27001 Backup Policy
Time needed: 4 hours
How to write a backup policy
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
- Document the purpose of the ISO 27001 Backup Policy
The purpose of the backup policy is to protect against loss of data and enable recovery from loss of data or systems.
- Set out the principle on which the ISO 27001 Backup Policy is based
The principle of the backup policy is that information is backed up securely in line with the:
• data retention requirements,
• business requirements,
• business continuity requirements and plans,
• business impact assessments, and
• legal, regulatory and legislative requirements.
- Define the ISO 27001 Backup Policy Scope
The scope of the backup policy is a description of what is covered by the policy. A common scope example of the backup policy is organisation owned, managed and controlled information and systems that form part of systems and applications deemed in scope by the ISO 27001 scope statement including:
• Servers
• Databases
• Code Repositories
• Test Environments
• Development Environments
- Set out the approach to backup restoration procedures
An example is that backup and restoration procedures are documented, in place and maintained.
- Explain the backup security controls
Set out the security controls that you have in place to protect the backups. Common examples of security controls include:
• Backups are encrypted using vendor built in encryption.
• Backups are stored in cloud-based solutions that as a minimum are ISO 27001 certified.
Where backup is to physical media
• The media is encrypted
• The media is labelled and stored securely on site with restricted, authorisation required perimeter access control.
• The media is transferred by an approved third party secure courier and stored in a remote secure location.
- Set out the backup schedule
You will define the frequency of your backups. An example of a backup schedule, retention schedule and testing schedule:
• Daily backups are maintained for 7 days.
• Weekly backups are maintained for 28 days.
• Monthly backups are maintained for 12 months.
- Explain the approach to backup testing and verification
To ensure that backups can be used when they are needed and that they will work as intended you will explain how you do testing and verify that it worked. An example of this would be:
• Backups of systems are tested at least annually to ensure they can be relied upon in an emergency and meet the needs of the business continuity plans and business requirements.
• Backup logs are produced and checked for errors and performance at least weekly. Where errors are found corrective action is taken.
• Backup testing log reviews are recorded.
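The weekly log check in the step above is worth automating so that the review is the same every week and its output can be kept as the record. This added example (my own, not from the article or any backup product) reviews one week of constructed job log lines and raises a finding for a failed run, a run that exceeded the expected duration, and a day on which no run was recorded at all; the log format and the one-hour duration threshold are assumptions.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample of one week's backup job log (format is assumed).
LOG = """\
2024-03-04T02:00:11Z job=nightly-db status=SUCCESS duration=1810s size=41.2GB
2024-03-05T02:00:09Z job=nightly-db status=SUCCESS duration=1835s size=41.4GB
2024-03-06T02:00:12Z job=nightly-db status=FAILED duration=42s error="destination unreachable"
2024-03-07T02:00:10Z job=nightly-db status=SUCCESS duration=5420s size=41.5GB
2024-03-09T02:00:08Z job=nightly-db status=SUCCESS duration=1790s size=41.9GB
2024-03-10T02:00:13Z job=nightly-db status=SUCCESS duration=1802s size=42.0GB
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\S+) duration=(?P<dur>\d+)s")


def parse_log(text: str) -> list:
    """Turn log lines into records; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"day": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date(),
                            "job": m["job"], "status": m["status"],
                            "duration": int(m["dur"]), "raw": line})
    return entries


def review_week(entries: list, week_start: date, expected_jobs: list, max_duration: int = 3600) -> list:
    """Every expected job must succeed on every day of the week. Returns
    (day, job, kind, detail) findings: FAILED, SLOW, or MISSING for a silent day."""
    findings = []
    for job in expected_jobs:
        for day in (week_start + timedelta(days=i) for i in range(7)):
            runs = [e for e in entries if e["job"] == job and e["day"] == day]
            if not runs:
                findings.append((day, job, "MISSING", "no run recorded"))
            for e in runs:
                if e["status"] != "SUCCESS":
                    findings.append((day, job, "FAILED", e["raw"]))
                elif e["duration"] > max_duration:
                    findings.append((day, job, "SLOW", f"{e['duration']}s exceeds {max_duration}s"))
    return findings


if __name__ == "__main__":
    for f in review_week(parse_log(LOG), date(2024, 3, 4), ["nightly-db"]):
        print(*f)
```

A silent day is the case a grep for "FAILED" never catches, which is why the review is driven by the expected schedule rather than by the log alone.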
ISO 27001 Backup Policy Example
An example of a real world ISO 27001 Backup policy:
ISO 27001 Backup Policy Template
Drawing on years of experience, I created the ISO 27001 Backup Policy Template as a real world practical template that takes in the requirements of the standard and industry best practice. It is included in the ISO 27001 toolkit but you can download it standalone here.
What ever you do, back up your data
I think it’s fair to say that data is our most important asset.
Let’s be honest, we have so much of it. In our personal lives we’re creating data daily in photographs and posts and emails, and then in business we have all that valuable customer data, intellectual property, even the emails and communications that we send.
Every piece of data that we have has a value.
The question that we always ask ourselves is – what if I lost this data?
It doesn’t really become a problem until the fateful day comes when you do lose the data and suddenly your entire world collapses.
I’ve been in information security now for over 30 years and with all the changes that have come there are still only a handful of things that we recommend that people do, no matter what. Pretty near the top of that list is ensuring that you back up your data.
Information security is about the confidentiality, integrity, and availability of data. That third tenet, availability, is so often overlooked.
Nearly all the information security standards from ISO 27001 to SOC 2 will have a requirement for backing up data and ensuring the security of that backup.
So, my top tips when it comes to backing up data are
- Have a back up policy
- Identify the information that is the most important to you
- Ensure that that data is adequately backed up
ISO 27001 Backup Policy FAQ
As often as is required. The requirement is based on the risk associated with the loss of the data. To understand this structurally you would perform a business impact assessment and record the maximum amount of data you are prepared to lose. Factors such as costs, losses and the effort to recreate data come into play. For most people a daily backup would suffice.
For as long as is necessary. You define this based on the usefulness of the data and legal and regulatory factors. Having a set of backups that cover the last 12 months would suffice for most people.
Usually a rolling backup strategy: a daily backup, with the last 7 days, the last month and the last year retained.
Yes.