ISO 27001 Backup Policy: How to Write (& Template)


ISO 27001 Backup Policy

In this guide you will learn what an ISO 27001 backup policy is and how to write one yourself, and I give you a template you can download and use right away.

What is an ISO 27001 Backup Policy?

An ISO 27001 Backup Policy is designed to protect you from the loss of data, or its corruption by malware and ransomware.

It sets out the organisation's approach to backups and ensures that adequate processes and procedures are in place, together with regular testing of the backups, so that we can be sure that when the time comes and we need to recover, we can.

It is one of the ISO 27001 policies required by the ISO 27001 standard for ISO 27001 certification and is explicitly referenced in ISO 27001 Annex A 8.13 Information Backup.

How to write an ISO 27001 Backup Policy

Time needed: 4 hours


  1. Create your version control and document mark-up

    ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document mark-up such as the document classification.

  2. Write the ISO 27001 Back Up Policy Contents Page

    Document Version Control
    Document Contents Page
    Backup Policy
    Purpose
    Scope
    Principle
    Backup Restoration Procedures
    Backup Security
    Backup Schedule
    Backup Testing and Verification
    Policy Compliance
    Compliance Measurement
    Exceptions
    Non-Compliance
    Continual Improvement

  3. Write the ISO 27001 Back Up Policy Purpose

    The purpose of this policy is to protect against loss of data and enable recovery from loss of data or systems.

  4. Write ISO 27001 Back Up Policy Principle

    Information is backed up securely in line with the:
    data retention requirements
    business requirements
    business continuity requirements and plans
    business impact assessment
    legal and regulatory requirements, including but not limited to the GDPR and the Data Protection Act 2018.

  5. Write the ISO 27001 Back Up Policy Scope

    Company-owned, managed and controlled information and systems that form part of the systems and applications deemed in scope by the ISO 27001 scope statement, including:
    • Servers
    • Databases
    • Code Repositories
    • Test Environments
    • Development Environments
    Out of scope for back up:
    • Desktop
    • Laptop
    • Mobile Device
    Excluding end-user devices only holds if the data on them is also held on an in-scope system (for example a file server or cloud storage) rather than solely on the device.

  6. Write the content for the required sections

    Backup Restoration Procedures
    Backup Security
    Backup Schedule
    Backup Testing and Verification
    Policy Compliance
    Compliance Measurement
    Exceptions
    Non-Compliance
    Continual Improvement

  7. Set out the approach to backup restoration procedures

    Backup and restoration procedures are documented, in place and maintained.

  8. Explain the backup security controls

    Backups are encrypted using the vendor's built-in encryption, with the encryption keys managed and stored separately from the backup data.
    Backups are stored in cloud-based solutions that are, as a minimum, ISO 27001 certified.
    Where backup is to physical media:
    • The media is encrypted.
    • The media is labelled and stored securely on site, behind perimeter access control that is restricted and requires authorisation.
    • The media is transferred by an approved third-party secure courier and stored in a remote secure location.

  9. Set out the backup schedule

    A backup schedule, retention schedule and testing schedule are available and summarised as:
    Daily back-ups are maintained for 7 days.
    Weekly back-ups are maintained for 28 days.
    Monthly back-ups are maintained for 12 months.
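As an added illustration, not part of the policy text or the toolkit, the following Python sketch applies that rolling schedule to a list of snapshot dates and works out which copies to keep and which may be expired. It assumes one snapshot per day, that the Sunday copy serves as the weekly copy and that the first copy of each month serves as the monthly copy; those conventions are mine, the policy above does not fix them, and the 400-day history it runs against is constructed.

```python
from datetime import date, timedelta

# Retention windows from the schedule above.
DAILY_DAYS = 7          # every daily snapshot from the last 7 days
WEEKLY_DAYS = 28        # one snapshot per week for the last 28 days
MONTHLY_MONTHS = 12     # one snapshot per month for the last 12 months


def _months_between(earlier, later):
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def select_backups_to_keep(snapshots, today):
    """Return the set of snapshot dates retained under the rolling schedule.

    Assumptions (mine, not stated in the policy): one snapshot per calendar
    day, the Sunday snapshot doubles as that week's weekly copy, and the
    earliest snapshot in a calendar month doubles as its monthly copy.
    Future-dated entries (clock skew on the backup host) are ignored.
    """
    snaps = sorted(d for d in set(snapshots) if d <= today)
    keep = set()

    # Daily tier: ages 0..6 days
    keep.update(d for d in snaps if (today - d).days < DAILY_DAYS)

    # Weekly tier: Sunday snapshots inside the 28-day window
    keep.update(d for d in snaps
                if d.weekday() == 6 and (today - d).days < WEEKLY_DAYS)

    # Monthly tier: earliest snapshot of each month inside the 12-month window
    first_in_month = {}
    for d in snaps:                       # ascending, so the first seen wins
        first_in_month.setdefault((d.year, d.month), d)
    keep.update(d for d in first_in_month.values()
                if _months_between(d, today) < MONTHLY_MONTHS)
    return keep


def backups_to_expire(snapshots, today):
    """Snapshots outside every tier; these may be deleted."""
    keep = select_backups_to_keep(snapshots, today)
    return sorted(d for d in set(snapshots) if d <= today and d not in keep)


def retention_report(today_iso, history_days=400):
    """Run the rules against a constructed history of one snapshot per day."""
    today = date.fromisoformat(today_iso)
    history = [today - timedelta(days=i) for i in range(history_days)]
    return {
        "kept": sorted(d.isoformat() for d in select_backups_to_keep(history, today)),
        "expired": len(backups_to_expire(history, today)),
    }


if __name__ == "__main__":
    report = retention_report("2024-03-15")
    print("\n".join(report["kept"]))
    print(f'{len(report["kept"])} kept, {report["expired"]} to expire')
```

Run against a full year and a bit of daily snapshots it keeps 22 copies: seven dailies, four Sunday weeklies (one of which is also a daily) and twelve first-of-month monthlies. The expiry list is what you would feed to the deletion step, and it is worth keeping the rule in code rather than in a vendor GUI so that the retention actually applied can be reviewed.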

  10. Explain the approach to backup testing and verification

    Backups of systems are tested at least annually to ensure they can be relied upon in an emergency and meet the needs of the business continuity plans and business requirements.
    Backup logs are produced and checked for errors and performance at least weekly. Where errors are found corrective action is taken.
    Backup tests and log reviews are recorded as evidence.
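The weekly log check is straightforward to automate. As an added example (my code, not part of the policy or the toolkit), the script below reviews a constructed backup log in a made-up "one line per job run" format and flags failed runs, "successful" runs that wrote nothing, jobs whose last good run is older than the daily schedule plus a grace period, and expected jobs that never appear at all. The log format, job names and timestamps are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a generic "one line per job run" backup log (not real data).
SAMPLE_LOG = """\
2024-03-13T01:05:12Z job=db-prod status=SUCCESS bytes=53214221 duration=612s
2024-03-13T01:40:03Z job=fileshare status=SUCCESS bytes=8813221987 duration=1744s
2024-03-13T02:10:00Z job=git-repos status=SUCCESS bytes=0 duration=3s
2024-03-14T01:05:09Z job=db-prod status=SUCCESS bytes=53300102 duration=598s
2024-03-14T01:40:30Z job=fileshare status=FAILED error="destination unreachable"
2024-03-14T02:10:04Z job=git-repos status=SUCCESS bytes=0 duration=2s
this line is corrupt and will not parse
2024-03-15T01:05:15Z job=db-prod status=SUCCESS bytes=53400555 duration=601s
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+job=(?P<job>\S+)\s+status=(?P<status>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    size = re.search(r"bytes=(\d+)", m["rest"])
    return {"ts": ts, "job": m["job"], "status": m["status"],
            "bytes": int(size.group(1)) if size else None, "rest": m["rest"]}


def review_backup_logs(lines, now_iso, expected_jobs, rpo_hours=24, grace_hours=6):
    """Return a list of (finding, job, timestamp, detail) tuples.

    Flags FAILED runs, SUCCESS runs that wrote 0 bytes (EMPTY), jobs whose
    last good run is older than rpo_hours + grace_hours (STALE), expected
    jobs with no good run in the window (NO_SUCCESS), and unparsable lines.
    """
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    findings, last_good, unparsed = [], {}, 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        stamp = rec["ts"].isoformat()
        if rec["status"] != "SUCCESS":
            findings.append(("FAILED", rec["job"], stamp, rec["rest"]))
        elif rec["bytes"] == 0:
            # A "successful" run that copied nothing is not a usable backup.
            findings.append(("EMPTY", rec["job"], stamp, "0 bytes written"))
        elif rec["job"] not in last_good or rec["ts"] > last_good[rec["job"]]:
            last_good[rec["job"]] = rec["ts"]

    limit = timedelta(hours=rpo_hours + grace_hours)
    for job in expected_jobs:
        if job not in last_good:
            findings.append(("NO_SUCCESS", job, None, "no usable run in the log window"))
        elif now - last_good[job] > limit:
            findings.append(("STALE", job, last_good[job].isoformat(),
                             f"last good run {now - last_good[job]} ago"))
    if unparsed:
        findings.append(("UNPARSED", None, None, f"{unparsed} line(s) not recognised"))
    return findings


def run_sample():
    expected = ["db-prod", "fileshare", "git-repos", "test-env"]
    return review_backup_logs(SAMPLE_LOG.splitlines(), "2024-03-15T08:00:00Z", expected)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

Two points in the design matter more than the parsing. A run that reports success but wrote nothing is treated as no backup at all, so the job then also shows as having no usable run; and the check is driven by the list of jobs you expect, not by what happens to be in the log, otherwise a job that was silently disabled would never be noticed.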


ISO 27001 Backup Policy Template

The ISO 27001 Back Up Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.


What is a data backup

Data backup is the process of taking an exact copy of data at a point in time so that, if needed, it can be restored and the data returned to its state at that point.

Defining backup

The backup should be defined: we want to know what we are backing up and how often. Backup is not just of data files; consider the backup of system configuration files, virtual machines, databases, websites, photographs, in fact anything that you rely on or whose loss would harm you. When deciding how often to back up, the question is how many updates and changes you can accept losing. If you only back up once a week then you potentially have a week of data that will be missing and may need recreating. Can you accept losing a week's worth of data? It depends on circumstance, but the more often you can back up, the better.

Backup and restoration

It is important to have documented processes and procedures for backing up and restoring data. Having documented processes lets us confirm the control is in place and effective. We want and need the knowledge written down so that, when the time comes, if the person who normally performs the backup and restoration is not available we can still recover.

Encrypted backup

Should backup be encrypted? Yes. Most definitely. Backup is one of the weakest areas of security control. It may be held on removable media, off site, in a remote location. There are many variables that can present a risk to a backup. To mitigate that risk we encrypt the backup so that if it is compromised it is, to all intents and purposes, worthless to whoever took it. That only holds if the encryption keys are kept apart from the backup itself, and the keys must themselves be backed up, or you will have protected the data from yourself as well.

Backup policy

The purpose of the backup policy is to protect against loss of data. Information is backed up securely in line with the data retention requirements, business requirements and legal and regulatory requirements, including but not limited to the GDPR and the Data Protection Act 2018. Backup and restoration procedures are documented, in place and maintained. Backups are encrypted using the vendor's built-in encryption.

The process documents, and the processes themselves, ensure that backups are tested regularly so that we know they are effective.
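An annual restore test is only meaningful if you can show that the restored data matches what was backed up. As an added example (again my own code, not from the policy or the toolkit), the script below records a SHA-256 manifest at backup time, restores the archive into a clean directory, compares the result with the manifest, and then repeats the comparison after deliberately corrupting one restored file to show that the check catches it. The directory contents are constructed, and the tar extraction uses Python's "data" filter where the interpreter provides it so that a crafted archive cannot write outside the restore directory.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source_dir, archive_path):
    """Archive source_dir and write a manifest beside it; returns the manifest."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname="data")
    Path(f"{archive_path}.manifest.json").write_text(
        json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive. The 'data' filter (Python 3.12, backported to
    3.8.17/3.9.17/3.10.12/3.11.4) refuses absolute paths and '..' escapes."""
    dest = str(restore_dir)
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(manifest, restored_root):
    """Compare the restored tree with the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "extra": extra, "corrupt": corrupt}


def run_restore_test():
    """End-to-end drill on a constructed directory: backup, restore, verify,
    then verify again after simulating silent corruption of one file."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "src"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.yaml").write_text("db_host: prod-db\n")
        (src / "db.dump").write_bytes(os.urandom(4096))
        archive = Path(work) / "backup.tar.gz"
        manifest = take_backup(src, archive)

        restore_dir = Path(work) / "restore"
        restore(archive, restore_dir)
        clean = verify_restore(manifest, restore_dir / "data")

        # Simulate bit rot or tampering in the restored database dump.
        (restore_dir / "data" / "db.dump").write_bytes(b"\x00" * 4096)
        tampered = verify_restore(manifest, restore_dir / "data")
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_restore_test()
    print("clean restore:", clean)
    print("corrupted restore:", tampered)
```

The manifest is the evidence the policy asks you to record: keep it with the test report, and keep the keys to the real backups somewhere the restore team can reach without the production systems that just failed. A restore that "completes" but returns a different hash for the database dump is exactly the failure an annual drill exists to find before an incident does.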

Whatever you do, back up your data

I think it’s fair to say that data is our most important asset.

Let’s be honest, we have so much of it. In our personal lives we’re creating data daily in photographs, posts and emails, and in business we have all that valuable customer data and intellectual property, even the emails and communications that we send.

Every piece of data that we have has a value.

The question that we always ask ourselves is – what if I lost this data?

It doesn’t really become a problem until the fateful day comes when you do lose the data and suddenly your entire world collapses.

I’ve been in information security now for over 20 years and with all the changes that have come there are still only a handful of things that we recommend people do, no matter what. Pretty near the top of that list is ensuring that we back up our data.

Information security is about the confidentiality, integrity, and availability of data. That third tenet, availability, is so often overlooked.

Nearly all the information security standards from ISO 27001 to SOC 2 will have a requirement for backing up data and ensuring the security of that backup.

So, my top tips when it comes to backing up data are

  • Have a back up policy
  • Identify the information that is the most important to you
  • Ensure that that data is adequately backed up

There are things that you can do that will help you to identify what kind of backup you should be doing for that data. A great tip is to conduct a business impact analysis. This will identify the key systems and key data for your organisation, and it will include working out the longest time you can be without a system (the recovery time objective) and how much recent data, measured back from the point of failure, you can afford to lose (the recovery point objective).

If you’re only backing up once a week then you have to accept that, in the worst case, you will lose almost a full week’s worth of new information. If you’re backing up every day then you can lose almost a full day’s worth of new data.

ISO 27001 Backup Policy FAQ

How often should I perform a backup?

As often as is required. The requirement is based on the risk associated with losing the data. To work this out systematically you would perform a business impact assessment and record the maximum amount of data you are prepared to lose. Factors such as cost, losses and the effort to recreate data come into play. For most people a daily backup would suffice.

How long should I keep backups?

For as long as is necessary. You define this based on the usefulness of the data and on legal and regulatory factors. Having a set of backups that covers the last 12 months would suffice for most people.

What is the best strategy for a backup?

Usually a rolling strategy: daily backups kept for the last 7 days, one weekly backup for each of the last four weeks and one monthly backup for each of the last 12 months, as in the schedule above.

Should I encrypt backups?

Yes.
