ISO 27001 Annex: A.12.3 Backup

Its objective is to safeguard against data loss.


A.12.3.1 Information backup

Backup copies of records and program images should be taken and tested regularly in accordance with the backup policy.

Implementation Guidance

An organization's backup requirements for information, software, and systems should be defined in a backup policy. Adequate backup facilities are essential so that, in the event of a disaster or media failure, all important information and software can be recovered.

When designing a backup plan, consider the following:

1. Keep accurate and complete records of the backup copies, together with documented restoration procedures;
2. The extent (for example full or differential backups) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information concerned, and the criticality of the information to the organization's continued operation;
3. Keep the backups at a remote location, far enough from the main site to escape any damage from a disaster there;
4. Give backup information the same level of physical and environmental protection (see clause 11) as the standards applied at the main site;
5. Test backup media regularly to ensure they can be relied upon for emergency use; as part of the restoration procedures, test and control the time required for a restore. Do not test the ability to restore by overwriting the original media, in case the backup or restoration process fails and causes irreparable data loss or damage;
6. Where confidentiality is of importance, protect backups by means of encryption.

Backup operations should be monitored and failures of scheduled backups addressed, so that every backup is completed as the backup policy requires.

Backup arrangements for individual systems and services should be reviewed regularly to ensure they meet the requirements of the business continuity plans. For critical systems and services, the backups should cover all the system information, applications, and data needed to recover the complete system in the event of a disaster.

The retention period for essential business information should be determined, taking into account any requirement for archive copies to be retained permanently.
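A restore test of the kind point 5 above calls for, written as an added example for this page (not text from the standard or any product): it restores an archive into a scratch directory rather than over the original media, verifies every file against SHA-256 digests recorded when the backup was taken, and times the restore against an assumed recovery time objective. The tar format, the digest manifest and the `rto_seconds` value are assumptions, and the sample data is constructed.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """SHA-256 of every regular file under root, keyed by relative path."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def pack(src: Path, archive: Path) -> None:  # stand-in for the real backup job
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")

def restore_test(archive: Path, manifest: dict, rto_seconds: float) -> dict:
    """Restore into a scratch directory (never over the original), verify, time it."""
    started = time.monotonic()
    report = {"ok": False, "error": None, "missing": [], "mismatched": []}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar.getmembers():
                    # extract regular files only; refuse absolute or traversal names
                    if m.isfile() and not m.name.startswith("/") and ".." not in Path(m.name).parts:
                        tar.extract(m, scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["error"] = repr(exc)  # unreadable media counts as a failed test
        restored = hash_tree(Path(scratch))
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["mismatched"].append(rel)
    report["restore_seconds"] = round(time.monotonic() - started, 3)
    report["within_rto"] = report["restore_seconds"] <= rto_seconds
    report["ok"] = (report["error"] is None and not report["missing"]
                    and not report["mismatched"] and report["within_rto"])
    return report

def run_demo(corrupt_backup: bool = False, rto_seconds: float = 30.0) -> dict:
    """Constructed end-to-end run: sample data, a backup of it, then the restore test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.csv").write_text("id,total\n1,9.99\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = hash_tree(src)  # recorded when the backup is taken, stored alongside it
        if corrupt_backup:  # simulate a job that silently captured damaged data
            (src / "db" / "orders.csv").write_text("id,total\n1,\x00\x00\n")
        archive = Path(work) / "backup.tar.gz"
        pack(src, archive)
        return restore_test(archive, manifest, rto_seconds)
```

A report with `ok` false, or a `restore_seconds` value drifting toward the objective, is the signal that the backup policy's monitoring should pick up and act on.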

Related Questions

1. What should a backup policy include?
2. What are your backup auditing procedures?
3. What is the retention period in backups?
4. What are the controls described in ISO 27001 Annex: A.12.3 Backup?
5. How do data backups and recovery work?
6. How do security policies and awareness relate to data backup?
7. What is ISO 27001 Annex: A.12.3 Backup?
