ISO 27001: 2022 A.8.13 Information backup

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.13 Information backup.

ISO 27001: 2022 Control Description

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Purpose

To ensure the recovery of data and systems in the event of loss.

Guidance on implementation

To effectively manage backups, your organisation should develop a topic-specific backup policy that meets data retention and security needs.

Key Considerations for Backup Plans

When creating a backup plan, the following should be taken into account:

  1. Backup Records and Procedures:
    • Keep accurate and complete records of backup copies, along with documented restoration procedures.
  2. Business Requirements:
    • Align the backup strategy with the organisation’s business needs, including the recovery point objective, security requirements of the data, and how critical the information is to business operations. Determine the type (e.g., full or differential) and frequency of backups based on these factors.
  3. Secure Storage:
    • Store backups in a safe and secure remote location, far enough from the primary site to avoid damage from localised disasters.
  4. Protection Standards:
    • Ensure backup data is given the same level of physical and environmental protection as the main site, as outlined in relevant security clauses.
  5. Regular Testing:
    • Regularly test backup media to ensure reliability during emergencies. This includes testing the restoration process on a test system rather than the original storage media to avoid potential data loss or damage during testing.
  6. Backup Encryption:
    • Protect backups with encryption, especially where confidentiality is a concern, based on the identified risks.
  7. Pre-Backup Checks:
    • Make sure that any inadvertent data loss is detected before performing backups.

Operational Procedures

  • Monitoring and Addressing Backup Failures:
    • Regularly monitor backup processes to ensure they are executed as planned. Address any backup failures promptly to maintain the completeness of backups in line with the backup policy.
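The monitoring step above is easiest to see as a small review over the scheduler's job log. The following Python script is an added example written for this article, not code from ISO or from any backup product: the log line format, job names, schedule and grace period are all constructed assumptions. It reports two things the policy cares about: runs that failed outright, and jobs that have no recent success at all (including jobs that never ran, which a failure-only check would miss).

```python
"""Review backup job logs for failed and overdue runs (added example; the log format,
job names and schedule below are constructed, not taken from any real product)."""
import re
from datetime import datetime, timedelta

# Constructed sample: one line per job run, as a scheduler might write them.
SAMPLE_LOG = """\
2024-05-01T01:00:12Z job=db-nightly status=success bytes=52428800
2024-05-01T02:00:05Z job=files-nightly status=failed error="destination unreachable"
2024-05-02T01:00:09Z job=db-nightly status=success bytes=52536320
2024-05-02T02:00:07Z job=files-nightly status=success bytes=10485760
"""

# The policy's expected interval per job (assumed values). Every job listed here must
# show a recent success, so a job that silently never runs is caught as well.
SCHEDULE = {
    "db-nightly": timedelta(hours=24),
    "files-nightly": timedelta(hours=24),
    "mail-weekly": timedelta(days=7),
}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r'^(\S+) job=(\S+) status=(\S+)(?: error="([^"]*)")?')


def parse_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, job, status, error = m.groups()
            runs.append({"time": datetime.strptime(ts, TS_FMT), "job": job,
                         "status": status, "error": error})
    return runs


def review_backups(runs: list, schedule: dict, now: datetime,
                   grace: timedelta = timedelta(hours=2)) -> dict:
    """Report failed runs, and jobs with no success inside their interval plus a grace period."""
    failed = [{"job": r["job"], "time": r["time"].strftime(TS_FMT), "error": r["error"]}
              for r in runs if r["status"] != "success"]
    last_ok = {}  # job -> most recent successful run
    for r in runs:
        if r["status"] == "success":
            last_ok[r["job"]] = max(last_ok.get(r["job"], r["time"]), r["time"])
    overdue = sorted(job for job, interval in schedule.items()
                     if job not in last_ok or now - last_ok[job] > interval + grace)
    return {"failed": failed, "overdue": overdue}


def review_sample(now_iso: str) -> dict:
    """Run the review over the constructed sample log at the given UTC instant."""
    return review_backups(parse_log(SAMPLE_LOG), SCHEDULE, datetime.strptime(now_iso, TS_FMT))


if __name__ == "__main__":
    print(review_sample("2024-05-03T00:00:00Z"))
```

Run on 3 May the review flags the one failed files-nightly run and the mail-weekly job that has never succeeded; run a day later, with no new log lines, both nightly jobs become overdue as well. In practice the `now` value is the wall clock and the output feeds whatever ticketing or alerting channel the backup policy names for prompt follow-up.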

Testing and Validation

  • Testing Backup Measures:
    • Regularly test backup procedures for individual systems and services to ensure they support incident response and business continuity plans. For critical systems, backups should include all necessary information, applications, and data to recover the entire system in case of a disaster.

Cloud Services

  • Cloud Backup Management:
    • If using cloud services, ensure that your organisation’s information, applications, and systems are properly backed up within the cloud environment. Verify that the cloud service provider meets your backup requirements.

Retention and Deletion

  • Retention Period:
    • Establish a retention period for essential business information, considering any legal or regulatory requirements for archiving. Once the retention period expires, consider securely deleting information from backup storage, in compliance with relevant laws and regulations.
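Several of the points above (the backup record in consideration 1, the restore test on a separate system in consideration 5 and in the Testing and Validation section, the pre-backup loss check in consideration 7, and the retention period here) fit together in one small backup cycle. The following Python script is an added example written for this article, not ISO text or any product's code, and uses only the standard library. The archive naming scheme, the JSON manifest format, the 50% shrink threshold, the 30-day retention value and the sample files are all assumptions; a real deployment would take the interval and retention from the topic-specific policy and add encryption where the risk assessment calls for it.

```python
"""Backup record, pre-backup loss check, isolated restore test and retention pruning.
Added example using only the standard library; naming, formats and thresholds are assumptions."""
from __future__ import annotations

import calendar, hashlib, json, shutil, tarfile, tempfile, time, zlib
from pathlib import Path

STAMP_FMT = "%Y%m%dT%H%M%S"  # timestamp embedded in archive names (assumed naming scheme)


def build_manifest(source_dir: Path) -> dict:
    """Backup record (consideration 1): relative path -> size and SHA-256 of every file."""
    files = (p for p in sorted(source_dir.rglob("*")) if p.is_file())
    return {p.relative_to(source_dir).as_posix():
            {"size": p.stat().st_size, "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}
            for p in files}


def pre_backup_check(current: dict, previous: dict | None, max_shrink: float = 0.5) -> list:
    """Consideration 7: report data that vanished since the last record, before the loss is
    copied faithfully into the new backup. An empty list means nothing looked suspicious."""
    if not previous:
        return []
    findings = []
    missing = sorted(set(previous) - set(current))
    if missing:
        findings.append(f"{len(missing)} file(s) in the last backup record are gone: {missing[:5]}")
    prev_size = sum(v["size"] for v in previous.values())
    cur_size = sum(v["size"] for v in current.values())
    if prev_size and cur_size < prev_size * (1 - max_shrink):
        findings.append(f"data volume shrank from {prev_size} to {cur_size} bytes")
    return findings


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name[: -len(".tar.gz")] + ".json")


def create_backup(source_dir: Path, backup_dir: Path, now: float | None = None) -> Path:
    """Write a timestamped tar.gz and its JSON record beside it; returns the archive path."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime(STAMP_FMT, time.gmtime(time.time() if now is None else now))
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    manifest_path(archive).write_text(json.dumps(build_manifest(source_dir), indent=1))
    return archive


def restore_test(archive: Path, record: dict) -> bool:
    """Consideration 5: restore into a scratch directory, never over the live data, then
    compare every restored file's digest with the record. True only on a complete match."""
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-")).resolve()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():
                target = (scratch / m.name).resolve()
                if target != scratch and scratch not in target.parents:
                    return False  # entry would land outside the scratch directory
                if m.isfile() or m.isdir():
                    try:
                        tar.extract(m, scratch, filter="data")  # Python 3.12+ and backports
                    except TypeError:
                        tar.extract(m, scratch)  # interpreters without the filter keyword
        return build_manifest(scratch) == record
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False  # unreadable or damaged media is a failed test, not a crash
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def prune_expired(backup_dir: Path, retention_days: int, now: float | None = None) -> list:
    """Retention: delete archive/record pairs older than the agreed period; returns their names."""
    now = time.time() if now is None else now
    removed = []
    for archive in sorted(backup_dir.glob("backup-*.tar.gz")):
        stamp = archive.name[len("backup-"): -len(".tar.gz")]
        if now - calendar.timegm(time.strptime(stamp, STAMP_FMT)) > retention_days * 86400:
            archive.unlink()
            manifest_path(archive).unlink(missing_ok=True)
            removed.append(archive.name)
    return removed


def run_demo() -> dict:
    """Run the whole cycle on a constructed sample data set and return the outcomes."""
    src, vault = Path(tempfile.mkdtemp(prefix="src-")), Path(tempfile.mkdtemp(prefix="vault-"))
    (src / "a.txt").write_text("hello")
    (src / "sub").mkdir()
    (src / "sub" / "b.txt").write_text("world")
    now = time.time()
    archive = create_backup(src, vault, now=now)
    record = json.loads(manifest_path(archive).read_text())
    old = vault / "backup-19700101T000000.tar.gz"   # constructed: expired and truncated media
    old.write_bytes(archive.read_bytes()[:10])
    (src / "sub" / "b.txt").unlink()                 # simulate accidental deletion at the source
    results = {
        "files": sorted(record),
        "restore_ok": restore_test(archive, record),
        "truncated_ok": restore_test(old, record),
        "findings": pre_backup_check(build_manifest(src), record),
        "pruned": prune_expired(vault, retention_days=30, now=now),
        "current_kept": archive.exists(),
    }
    for d in (src, vault):
        shutil.rmtree(d)
    return results
```

Two design points are worth noting. The restore test writes only into a fresh scratch directory and refuses archive entries that would land outside it, which keeps the test from ever touching the original storage. And the pre-backup check compares the live data against the previous record rather than against the live data's own history, so a deletion that happened between runs is reported before the next backup would faithfully copy the gap.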