
ISO 27001 Annex: A.12.3 Backup

The objective of this control is to safeguard against data loss.


A.12.3.1 Information backup


Backup copies of information, software and system images should be taken and tested regularly in accordance with the agreed backup policy.

Implementation Guidance

An organization's backup requirements for information, software, and systems should be defined in a backup policy. Adequate backup facilities must be in place so that all essential information and software can be recovered after a disaster or media failure.

When designing a backup plan, consider the following:

1. Prepare accurate and complete records of the backup copies, together with detailed, documented restoration procedures;
2. The extent (for example full or differential backups) and the frequency of backups must reflect the business needs of the organization, the security requirements of the information concerned and its criticality to the organization's continued operation;
3. Keep backups at a remote location, far enough from the main site to escape damage from a disaster there;
4. Give backup information the appropriate level of physical and environmental protection (see clause 11), consistent with the standards applied at the main site;
5. Test backup media regularly to ensure they can be relied upon for emergency use; as part of the restoration procedures, test and monitor the time required to restore. Do not perform restoration tests by overwriting the original medium, since a failed backup or restoration process could cause irreversible data loss or damage;
6. Where confidentiality is a concern, encrypt the backups.

Backup execution should be monitored, and failures of scheduled backups addressed, to ensure that all backups are completed as required by the backup policy.

Backup arrangements should be reviewed periodically to ensure that the backup procedures still meet the requirements of the business continuity plans. Backups should protect all the data, software and information needed to restore the entire system after a disaster.

When setting the retention period for backups, also take into account any requirement for archive copies to be retained permanently.
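As an added example (not from the page or the standard), the following script checks constructed backup job records against the points above: backup frequency, off-site copy, encryption, and tested restoration time. The policy thresholds, record fields and system names are assumptions made for this illustration.

```python
"""Check backup job records against a backup policy (in the spirit of A.12.3.1)."""
from datetime import datetime, timedelta

# Constructed policy thresholds; the values are assumptions for this example.
POLICY = {
    "max_age_hours": 24,               # at least one successful backup per day
    "max_restore_minutes": 120,        # target time for a tested restoration
    "max_days_since_restore_test": 90, # restoration drill must be this recent
    "require_offsite": True,
    "require_encryption": True,
}

# Constructed backup job records (not real systems or data).
RECORDS = [
    {"system": "crm-db", "finished": "2024-03-10T02:15:00", "status": "ok",
     "offsite": True, "encrypted": True, "last_restore_test": "2024-01-20", "restore_minutes": 45},
    {"system": "fileshare", "finished": "2024-03-07T23:50:00", "status": "ok",
     "offsite": False, "encrypted": True, "last_restore_test": "2023-11-01", "restore_minutes": 200},
    {"system": "hr-app", "finished": "2024-03-10T01:00:00", "status": "failed",
     "offsite": True, "encrypted": False, "last_restore_test": None, "restore_minutes": None},
]

def check_record(rec, policy, now):
    """Return the list of nonconformities found for one backup record."""
    findings = []
    finished = datetime.fromisoformat(rec["finished"])
    if rec["status"] != "ok":
        findings.append("last backup job failed")
    elif now - finished > timedelta(hours=policy["max_age_hours"]):
        findings.append("backup older than policy frequency")
    if policy["require_offsite"] and not rec["offsite"]:
        findings.append("no off-site copy")
    if policy["require_encryption"] and not rec["encrypted"]:
        findings.append("backup not encrypted")
    if rec["last_restore_test"] is None:
        findings.append("restoration never tested")
    else:
        tested = datetime.fromisoformat(rec["last_restore_test"])
        if now - tested > timedelta(days=policy["max_days_since_restore_test"]):
            findings.append("restoration test overdue")
        if rec["restore_minutes"] > policy["max_restore_minutes"]:
            findings.append("restoration time exceeds target")
    return findings

def audit(records, policy, now):
    """Map each system name to its list of nonconformities (empty list = compliant)."""
    return {r["system"]: check_record(r, policy, now) for r in records}

def audit_sample():
    """Run the audit over the constructed records at a fixed reference time."""
    return audit(RECORDS, POLICY, datetime(2024, 3, 10, 12, 0))

if __name__ == "__main__":
    for system, findings in audit_sample().items():
        print(system, "OK" if not findings else "; ".join(findings))
```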

Related Questions

1. What should a backup policy include?
2. What are your backup auditing procedures?
3. What is the retention period in backups?
4. What are the controls described in ISO 27001 Annex: A.12.3 Backup?
5. How do data backups and recovery work?
6. How do security policies and awareness relate to data backup?
7. What is ISO 27001 Annex: A.12.3 Backup?
