Backup Policy

What a backup policy contains, how to write it and a downloadable template.

Estimated reading time: 4 minutes

What is it?

The purpose of this policy is to protect against loss of data. Information is backed up securely in line with data retention requirements, business requirements, and legal and regulatory requirements, including but not limited to the GDPR and the Data Protection Act 2018. Backup and restoration procedures are documented, in place and maintained. Backups are encrypted using the vendor's built-in encryption.

The process documents and the processes themselves ensure that backups are tested regularly to confirm they are effective.

How to write a backup policy

Time needed: 4 hours.


  1. Create your version control and document mark-up

    ISO 27001 documents require version control of the author, the change, the date and the version, as well as document mark-up such as document classification.

  2. Write the document purpose

    Write the purpose of the document. The purpose of this policy is to protect against loss of data.

  3. Write the scope of the policy

    Company-owned, managed and controlled information and systems that form part of the systems and applications deemed in scope by the ISO 27001 scope statement, including:
    • Servers
    • Databases
    • Code Repositories
    • Test Environments
    • Development Environments
    Out of scope for backup:
    • Desktop
    • Laptop
    • Mobile Device

  4. Write the principle on which the policy is based

    Information is backed up securely in line with data retention requirements, business requirements, and legal and regulatory requirements, including but not limited to the GDPR and the Data Protection Act 2018.

  5. Write the content for the required sections

    Backup Restoration Procedures
    Backup Security
    Backup Schedule
    Backup Testing and Verification
    Policy Compliance
    Compliance Measurement
    Exceptions
    Non-Compliance
    Continual Improvement

Backup FAQ

How often should I perform a backup?

As often as is required. The requirement is based on the risk associated with the loss of the data. To determine this systematically you would perform a business impact assessment and record the maximum amount of data you are prepared to lose. Factors such as costs, losses and the effort needed to recreate the data come into play. For most people a daily backup would suffice.

How long should I keep backups?

For as long as is necessary. You define this based on the usefulness of the data and on legal and regulatory factors. Having a set of backups that covers the last 12 months would suffice for most people.

What is the best strategy for a backup?

Usually a rolling strategy: a daily backup, with the last 7 days, the last month and the last year retained.
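The rolling strategy above is easiest to get right when the retention decision is automated rather than done by hand. The Python below is an added example, not code from the original article or its template. It implements the daily / last-7-days / last-month / last-year rotation as three tiers, and the tier sizes (7 daily, 4 weekly, 12 monthly) are this example's own assumptions about what "last month" and "last year" mean in practice. Given the dates of existing backups and today's date, it returns which backups to keep and which can be pruned, keeping the newest backup in each weekly and monthly bucket so that a missed day never deletes the only copy for that period.

```python
from datetime import date, timedelta

# Tier sizes are this example's assumption of the page's rolling scheme:
# every backup from the last 7 days, one per week for the last 4 weeks,
# one per month for the last 12 months (grandfather-father-son rotation).
DEFAULT_TIERS = {"daily": 7, "weekly": 4, "monthly": 12}


def _newest_per_bucket(dates_newest_first, key, limit):
    """Keep the newest backup in each of the `limit` most recent buckets.

    `dates_newest_first` must be sorted descending; the first date seen for
    a bucket key is therefore the newest backup in that bucket.
    """
    kept = {}
    for d in dates_newest_first:
        k = key(d)
        if k in kept:
            continue  # an older backup in a bucket we already cover
        if len(kept) >= limit:
            break  # every remaining date is older than all covered buckets
        kept[k] = d
    return set(kept.values())


def retention_plan(backup_dates, today, tiers=None):
    """Decide which backups to keep under the rolling daily/weekly/monthly scheme.

    Returns a dict with the overall `keep` and `delete` sets plus the per-tier
    sets, so an operator can see *why* a given backup survived.
    """
    tiers = {**DEFAULT_TIERS, **(tiers or {})}
    dates = sorted(set(backup_dates), reverse=True)

    # Daily tier: every backup taken in the last N days, today included.
    daily_cutoff = today - timedelta(days=tiers["daily"] - 1)
    keep_daily = {d for d in dates if d >= daily_cutoff}

    # Weekly tier: newest backup per ISO week, for the N most recent weeks
    # that actually have a backup (a week with no backup does not consume a slot).
    keep_weekly = _newest_per_bucket(
        dates, lambda d: (d.isocalendar()[0], d.isocalendar()[1]), tiers["weekly"]
    )

    # Monthly tier: newest backup per calendar month, for the N most recent months.
    keep_monthly = _newest_per_bucket(
        dates, lambda d: (d.year, d.month), tiers["monthly"]
    )

    keep = keep_daily | keep_weekly | keep_monthly
    return {
        "keep": keep,
        "delete": set(dates) - keep,
        "daily": keep_daily,
        "weekly": keep_weekly,
        "monthly": keep_monthly,
    }


def demo_plan():
    """Constructed sample: one backup per day for all of 2024, evaluated on 31 Dec."""
    backups = [date(2024, 1, 1) + timedelta(days=i) for i in range(366)]
    return retention_plan(backups, today=date(2024, 12, 31))


if __name__ == "__main__":
    plan = demo_plan()
    print(f"keep {len(plan['keep'])} of {len(plan['keep']) + len(plan['delete'])} backups")
    for tier in ("daily", "weekly", "monthly"):
        print(tier, sorted(plan[tier]))
```

Run against a year of daily backups this keeps 20 of 366: the last seven days, two further weekly points (the Sundays of the two earlier ISO weeks), and the last backup of each of the previous eleven months. Because buckets are counted over backups that exist rather than over the calendar, a gap in the schedule shifts the window back instead of silently emptying a tier; the monthly tier also guarantees that the oldest retained copy is roughly a year old, matching the 12-month answer above.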

Should I encrypt backups?

Yes.
