This is a sample backup management policy which can be used in ISO 27001.
BACKUP MANAGEMENT POLICY
To minimize loss of organizational data.
Company shall establish and follow procedures to backup all identified data and store it securely for retrieval when required.
This policy is applicable to all IT operations (servers, [illegible], applications, systems, logs, network devices etc.) and to all employees and third parties who have business-critical information available on servers, workstations, laptops etc.
The system/network administrator is primarily responsible for the implementation and monitoring of backup activities.
1. Backup requirements shall be defined for all information assets based on the availability requirements of the information. Examples of assets that shall be considered are:
• Application databases
• System data (e.g. system files, application configuration files etc.)
• Development data (e.g. source code, test databases, test results etc.)
• Other system data such as:
  o Firewall rule base
  o Router configuration files and access control lists
The backup requirements must define the following, at a minimum:
• Backup frequency (i.e. online, daily, weekly etc.)
• Backup responsibilities
• Special instructions (hot or cold backup for databases, dumps, backup on CD/DVD etc.)
• Nature of backup (full backup, incremental backup)
• Recovery time objective (the time period within which the information needs to be restored in the event of unavailability of the primary data)
• The backup storage location (onsite/offsite details)
2. Company shall determine the retention period of the information asset in accordance with applicable standards and legal requirements.
3. The backup requirements must be formally documented and made available to the backup/system administrators. The backup/system administrators shall maintain a complete record of all the backups they have made in line with the backup requirements, including date/time, success/failure, media information etc.
4. An appropriate level of physical and environmental protection must be provided to the backup media at the offsite location.
5. Backup media shall be tested periodically for restorability. There shall be two levels of restoration checking: one for the usability of the media, and one for the integrity of the data contained therein.
6. The system administrator shall be responsible for developing a restoration plan, which shall include at a minimum:
• Rotation plan for testing recoverability, covering both media and data integrity
• Frequency of testing
• Procedures to be performed in case of failure of the recoverability testing
7. Additional controls, such as password protection, shall be implemented over the information contained in backup media to ensure the confidentiality of the information.