CAF - B5.c Backups

Backup Requirements

Backup processes should ensure that critical data and systems can be recovered if part of the environment is disrupted. Backups must support the organisation’s essential functions and remain reliable, secure and tested.

Backup Strategy & Scheduling

• Follow a documented Backup Policy that defines:

  • what must be backed up

  • how often backups occur

  • where backups are stored

• Backups for core business systems and key management tools should be scheduled automatically using solutions such as: Datto, Veeam, Acronis, Atera, Azure Backup or MSP-specific cloud backup services.

Secure, Off-Site / Secondary Storage

• Backups should be encrypted.

• Backup data should be stored in secure off-site or cloud locations, separate from production systems.

• This ensures availability during severe incidents such as ransomware attacks or infrastructure failures.

Testing & Verification

• Backup restorations should be tested at least annually, or following significant platform changes.

• Testing confirms that systems and data can be successfully recovered.

• Test results should be recorded as evidence of assurance.

Ongoing Review

• Backup jobs, retention policies and recovery requirements should be reviewed regularly to remain aligned with business needs.

• Backup failures or alerts should be investigated promptly and remediated.