ISO 27001:2022 A 8.13 Information backup

One of the best ways to protect your computer and data from malware attacks is to make regular backups. An organisation’s backup operation should encompass a broad range of efforts that improve resilience and protect against loss of business by establishing a robust and tightly managed set of backup jobs, using dedicated software and utilities, with adequate retention levels and agreed-upon recovery times. You should always create at least two backups: one to keep offline and another to keep in the cloud. You can create a full backup using the System Image Backup tool to make a copy of your entire machine, including files, settings, apps, and OS installation. Alternatively, if you don’t have a lot of files, you could just make regular copies of your documents on a USB flash drive. If you’re a light user and files don’t change very often, you should at least be making a backup once a week. On the other hand, if you’re dealing with business files, you should be making backups at least once or twice a day.

1) Online backup: There are many ways to make backups online. OneDrive is a common example of online backup, but this solution should only be considered to protect your data against hardware failure, theft, or natural accidents. If your device gets infected with ransomware or another type of malware, OneDrive is likely to sync the changes, making the files stored in the cloud unusable. A better solution is to subscribe to a third-party online backup service, such as CrashPlan or IDrive, that allows you to schedule or trigger backups on demand to prevent syncing infected or encrypted files. The only caveat is that most cloud storage services don’t offer bare-metal recovery. If that’s something you need, you could create a full backup as you would normally do and then upload the package to a paid cloud storage service, such as Amazon Drive, Google Drive, etc.

2) Have an offline backup: Your recovery plan must include a full backup of your system and data to keep offline using an external hard drive or in a local network location (e.g. Network-attached Storage (NAS)). This is the kind of backup that will ensure you can recover from any malware, hardware failure, errors, and natural accidents. Remember that there is no such thing as enough backup. If you can make a backup of the backup that you can store offsite, do it. After creating a backup, always disconnect the external drive and store it in a safe location, or disconnect the network location where you store the backup because if the drive stays online and accessible from your computer, malware can still infect those files.


Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.


To enable recovery from loss of data or systems.

ISO 27002 Implementation Guidance

A topic-specific policy on backup should be established to address the organization’s data retention and information security requirements. Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following an incident or failure or loss of storage media. Plans should be developed and implemented for how the organization will back up information, software and systems, to address the topic-specific policy on backup. When designing a backup plan, the following items should be taken into consideration:

  a) producing accurate and complete records of the backup copies and documented restoration procedures;
  b) reflecting the business requirements of the organization (e.g. the recovery point objective), the security requirements of the information involved and the criticality of the information to the continued operation of the organization in the extent (e.g. full or differential backup) and frequency of backups;
  c) storing the backups in a safe and secure remote location, at a sufficient distance to escape any damage from a disaster at the main site;
  d) giving backup information an appropriate level of physical and environmental protection consistent with the standards applied at the main site;
  e) regularly testing backup media to ensure that they can be relied on for emergency use when necessary. Testing the ability to restore backed-up data onto a test system, not by overwriting the original storage media in case the backup or restoration process fails and causes irreparable data damage or loss;
  f) protecting backups by means of encryption according to the identified risks (e.g. in situations where confidentiality is of importance);
  g) taking care to ensure that inadvertent data loss is detected before backup is taken.

Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the topic-specific policy on backups. Backup measures for individual systems and services should be regularly tested to ensure that they meet the objectives of incident response and business continuity plans. This should be combined with a test of the restoration procedures and checked against the restoration time required by the business continuity plan. In the case of critical systems and services, backup measures should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster. When the organization uses a cloud service, backup copies of the organization’s information, applications and systems in the cloud service environment should be taken. The organization should determine if and how requirements for backup are fulfilled when using the information backup service provided as part of the cloud service. The retention period for essential business information should be determined, taking into account any requirement for retention of archive copies. The organization should consider the deletion of information in storage media used for backup once the information’s retention period expires and should take into consideration legislation and regulations.

Organizations should take a topic-specific approach to backups that includes bespoke processes for each individual topic, and takes into account the different types of data (and associated risk levels) that organisations process and access throughout their operation.

Organisations should draft topic-specific policies that directly address how the organisation backs up the relevant areas of its network. Backup facilities should be implemented with the primary aim of ensuring that all business critical data, software and systems are able to be recovered following the below events:

  • Data loss
  • Intrusion
  • Business interruption
  • Failure of systems, applications or storage media

Any backup plan created should aim to:

  • Outline clear and concise restoration procedures that cover all relevant critical systems and services.
  • Produce workable copies of any systems, data or applications that are covered under a backup job.
  • Meet the unique commercial and operational requirements of the organisation (e.g. recovery time objectives, backup types, backup frequency).
  • Store backups in an appropriate location that is environmentally protected, physically distinct from the source data in order to prevent total data loss, and securely accessed for maintenance purposes.
  • Mandate for regular testing of backup jobs, in order to guarantee data availability should the need arise to restore files, systems or applications at a moment’s notice. Backup tests should be measured against the organisation’s agreed recovery times to ensure adherence in the event of data loss or system interruption.
  • Encrypt data that has been backed up, in accordance with its risk level.
  • Check for data loss before running any backup jobs.
  • Implement a reporting system that alerts maintenance staff to the status of backup jobs – including complete or partial failures – so that remedial action can be taken.
  • Include data from cloud-based platforms that are not directly managed by the organisation.
  • Store backup data in line with a topic-specific retention policy that takes into account the underlying nature and purpose of the data that’s been backed up, including transfer and/or archiving to storage media.

Organizations that implement Information Backup properly will experience minimum downtime and smooth recovery in the event of a failure.

Backup types defined

  1. Full backup captures a copy of an entire data set. Although considered to be the most reliable backup method, performing a full backup is time-consuming and requires many disks or tapes. Most organizations run full backups only periodically.
  2. Incremental backup offers an alternative to full backups by backing up only the data that has changed since the last full backup. The drawback is that a full restore takes longer if an incremental-based data backup copy is used for recovery.
  3. Differential backup copies data changed since the last full backup. This enables a full restore to occur more quickly by requiring only the last full backup and the last differential backup. For example, if you create a full backup on Monday, the Tuesday backup would, at that point, be similar to an incremental backup. Wednesday’s backup would then back up the differential that has changed since Monday’s full backup. The downside is that progressive growth of differential backups tends to adversely affect your backup window. A differential backup spawns a file by combining an earlier complete copy of it with one or more incremental copies created later. The assembled file is not a direct copy of any single current or previously created file, but rather synthesized from the original file and any subsequent modifications to that file.
  4. Synthetic full backup is a variation of differential backup. In a synthetic full backup, the backup server produces an additional full copy, which is based on the original full backup and data gleaned from incremental copies.
  5. Incremental-forever backups minimize the backup window while providing faster recovery access to data. An incremental-forever backup captures the full data set and then supplements it with incremental backups from that point forward. Backing up only changed blocks is also known as delta differencing. Full backups of data sets are typically stored on the backup server, which automates the restoration.
  6. Reverse-incremental backups are changes made between two instances of a mirror. Once an initial full backup is taken, each successive incremental backup applies any changes to the existing full backup. This essentially generates a novel synthetic full backup copy each time an incremental change is applied, while also providing reversion to previous full backups.
  7. Hot backup, or dynamic backup, is applied to data that remains available to users as the update is in process. This method sidesteps user downtime and productivity loss. The risk with hot backup is that, if the data is amended while the backup is underway, the resulting backup copy might not match the final state of the data.

Techniques and technologies to complement data backup

  • Continuous data protection (CDP) refers to layers of associated technologies designed to enhance data protection. A CDP-based storage system backs up all enterprise data whenever a change is made. CDP tools enable multiple copies of data to be created. Many CDP systems contain a built-in engine that replicates data from a primary to a secondary backup server and/or tape-based storage. Disk-to-disk-to-tape backup is a popular architecture for CDP systems.
  • Near-continuous CDP takes backup snapshots at set intervals, which are different from array-based vendor snapshots that are taken each time new data is written to storage.
  • Data reduction lessens your storage footprint. There are two primary methods: data compression and data deduplication. These methods can be used singly, but vendors often combine the approaches. Reducing the size of data has implications on backup windows and restoration times.
  • Disk cloning involves copying the contents of a computer’s hard drive, saving it as an image file and transferring it to storage media. Disk cloning can be used for system provisioning, system recovery and rebooting or returning a system to its original configuration.
  • Erasure coding, or forward error correction, evolved as a scalable alternative to traditional RAID systems. Erasure coding most often is associated with object storage. RAID stripes data writes across multiple drives, using a parity drive to ensure redundancy and resilience. The technology breaks data into fragments and encodes it with other bits of redundant data. These encoded fragments are stored across different storage media, nodes or geographic locations. The associated fragments are used to reconstruct corrupted data using a technique known as oversampling.
  • Flat backup is a data protection scheme in which a direct copy of a snapshot is moved to low-cost storage without the use of traditional backup software. The original snapshot retains its native format and location; the flat backup replica gets mounted should the original become unavailable or unusable.
  • Mirroring places data files on more than one computer server to ensure it remains accessible to users. In synchronous mirroring, data is written to local and remote disk simultaneously. Writes from local storage are not acknowledged until a confirmation is sent from remote storage, thus ensuring the two sites have an identical data copy. Conversely, asynchronous local writes are complete before confirmation is sent from the remote server.
  • Replication enables users to select the required number of replicas, or copies, of data needed to sustain or resume business operations. Data replication copies data from one location to another, providing an up-to-date copy to hasten DR.
  • Recovery-in-place, or instant recovery, enables users to temporarily run a production application directly from a backup VM instance, thus maintaining data availability while the primary VM is being restored. Mounting a physical or VM instance directly on a backup or media server can hasten system-level recovery to within minutes. Recovery from a mounted image does result in degraded performance, since backup servers are not sized for production workloads.
  • Storage snapshots capture a set of reference markers on disk for a given database, file or storage volume. Users refer to the markers, or pointers, to restore data from a selected point in time. Because it derives from an underlying source volume, an individual storage snapshot is an instance, not a full backup. As such, snapshots do not protect data against hardware failure.

Implementing Information Backup

1) What should be backed up
The organization should decide “what” should be backed up, and up to what level. Important information should be classified into a priority list, with levels assigned based on the importance of the information. For example:

  • Code repository (Level 5 protection)
  • Financial data (Level 5 protection)
  • Employee email (Level 4 protection)
  • Sales reports (Level 3 protection)

2) Define Levels of Back-up information
Define what backup procedures need to be maintained for each of these levels. For example:

  • Level 5 – Fail-over backup, off-location backup for disaster recovery, Weekly and daily backups, Weekly Mock recovery.
  • Level 4 – Weekly and daily backups, Weekly mock recovery.
  • Level 3 – Weekly backups. Monthly mock recovery.

Mock recoveries are conducted to make sure that the restoration process works well in the event of an actual failure. The extent and frequency of backups should reflect the business requirements of the organization. Ask questions like these: if this information were to get lost, could we restore a week-old copy? Will the information change a lot during a week or a month? Also consider the criticality of the information to the continued operation of the organization. Maybe the information doesn’t change a lot during the week, but it has to be restored with zero downtime in the event of a failure. In such conditions, a fail-over solution would be ideal. In the case of critical systems, the backup should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.

3) Log the Backups and Restoration.
Accurate and complete records should be maintained of the backup process and the backup copies. This helps to track who did the last backup and when. Logs should also be maintained for the mock restorations, in order to track whether the restorations were successful. Mock restorations help discover flaws in the backup process, for example if not all the files were backed up, or the script was bad.
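The levels and logging described in steps 1 to 3 can be checked automatically. The following is an added example, not part of the original article: it audits a backup log against the per-level schedule. The log layout, the operator names, the timestamps and the exact maximum ages chosen for "daily", "weekly" and "monthly" are assumptions, and the fail-over and off-location parts of Level 5 are not checked.

```python
from datetime import datetime, timedelta

# Levels and assets as listed above; the maximum ages are an assumed
# reading of "daily", "weekly" and "monthly".
POLICY = {
    5: {"backup": timedelta(days=1), "mock_restore": timedelta(days=7)},
    4: {"backup": timedelta(days=1), "mock_restore": timedelta(days=7)},
    3: {"backup": timedelta(days=7), "mock_restore": timedelta(days=31)},
}
ASSETS = {"code-repository": 5, "financial-data": 5,
          "employee-email": 4, "sales-reports": 3}

# Constructed log records: (timestamp, asset, activity, operator, outcome)
LOG = [
    ("2024-03-08T09:00", "code-repository", "mock_restore", "alice", "ok"),
    ("2024-03-11T01:00", "code-repository", "backup", "svc-backup", "ok"),
    ("2024-03-07T09:00", "financial-data", "mock_restore", "alice", "ok"),
    ("2024-03-09T01:00", "financial-data", "backup", "svc-backup", "ok"),
    ("2024-03-10T01:00", "financial-data", "backup", "svc-backup", "failed"),
    ("2024-03-11T01:00", "financial-data", "backup", "svc-backup", "failed"),
    ("2024-03-11T01:30", "employee-email", "backup", "svc-backup", "ok"),
    ("2024-03-06T02:00", "sales-reports", "backup", "svc-backup", "ok"),
    ("2024-02-01T05:00", "sales-reports", "mock_restore", "bob", "ok"),
]

def audit(log, now):
    """Return (asset, activity, reason) for every schedule the log does not satisfy."""
    last_ok = {}  # (asset, activity) -> (time, operator) of the latest success
    for ts, asset, activity, operator, outcome in log:
        when = datetime.fromisoformat(ts)
        if outcome == "ok" and when > last_ok.get((asset, activity), (datetime.min,))[0]:
            last_ok[(asset, activity)] = (when, operator)
    findings = []
    for asset, level in sorted(ASSETS.items()):
        for activity, max_age in POLICY[level].items():
            if (asset, activity) not in last_ok:
                findings.append((asset, activity, "never succeeded"))
                continue
            when, operator = last_ok[(asset, activity)]
            if now - when > max_age:
                findings.append((asset, activity,
                                 f"last success {(now - when).days} days ago by {operator}"))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, datetime(2024, 3, 11, 6, 0)):
        print(*finding, sep=" | ")
```

Failed runs do not reset the clock: only the last successful backup or mock recovery counts, so two failed nightly jobs in a row surface as an overdue backup.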

4) Backups should be stored in a remote location
Backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. What remains to be decided is the mode of such storage: whether it has to be a fail-over server, or whether the information can simply be stored on tape drives. Consider the security requirements of the information involved. Is it safe to replicate the information in another off-location site? Maybe your agreement with your clients doesn’t allow you to transfer the information to another location.

5) Secure your Backups
Backup information should be given an appropriate level of physical and environmental protection. What this means is that whatever controls you apply to media at the main site should be extended to cover the backup site. In certain cases, where confidentiality is of importance, the backups should be protected by means of encryption.

6) Test your Backups
OK, you did everything great so far, backing up your information. Now assume that the backups didn’t restore well during an emergency. The entire effort of backing up information goes down the drain. Make sure that the backup media is regularly tested to ensure that it can be relied upon for emergency use when necessary. Use mock restoration procedures, so that you are sure that the backups are effective. Also ensure that backups can be restored in the time allocated for recovery. For example, if the operational procedure for recovery is 2 hours, make sure that the backup can be effectively restored in 2 hours. Of course, it goes without saying that the mock restoration procedures “should” be logged.
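A mock restoration can be scripted so that it never touches the original data. The following is an added example, not part of the original article: it restores a tar.gz backup into a scratch directory, verifies every file against a SHA-256 manifest recorded at backup time, compares the elapsed time with the 2-hour recovery target and appends the outcome to a log. The file names, the sample data and the manifest format are constructed for illustration.

```python
import hashlib, json, tarfile, tempfile, time
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(source, archive):
    """Write a tar.gz of the Path `source`; return the manifest {relative path: sha256}."""
    manifest = {p.relative_to(source).as_posix(): sha256(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest

def mock_restore(archive, manifest, rto_seconds, log_path):
    """Restore into a scratch directory, verify every file, time it, log the result."""
    start, problems = time.monotonic(), []
    with tempfile.TemporaryDirectory(prefix="mock-restore-") as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar.getmembers():
                    # Refuse links, devices and paths that leave the scratch directory.
                    if (not (m.isfile() or m.isdir()) or m.name.startswith("/")
                            or ".." in Path(m.name).parts):
                        raise ValueError(f"unsafe archive member: {m.name}")
                tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError, ValueError) as exc:
            problems.append(f"restore failed: {exc}")
        else:
            for rel, digest in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file():
                    problems.append(f"missing: {rel}")
                elif sha256(restored) != digest:
                    problems.append(f"checksum mismatch: {rel}")
    elapsed = time.monotonic() - start
    if elapsed > rto_seconds:
        problems.append(f"restore took {elapsed:.0f}s, target is {rto_seconds}s")
    record = {"archive": Path(archive).name, "elapsed_s": round(elapsed, 3),
              "status": "FAIL" if problems else "PASS", "problems": problems}
    with open(log_path, "a") as log:  # one JSON line per mock restoration
        log.write(json.dumps(record) + "\n")
    return record

def demo():
    """Constructed data: a complete backup and one whose script skipped a file."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src, log = work / "finance", work / "restore-log.jsonl"
        src.mkdir()
        (src / "ledger.csv").write_text("2024-01-05,invoice,1200\n")
        (src / "payroll.csv").write_text("2024-01-31,salary,5400\n")
        manifest = make_backup(src, work / "good.tar.gz")
        with tarfile.open(work / "bad.tar.gz", "w:gz") as tar:  # payroll.csv left out
            tar.add(src / "ledger.csv", arcname="ledger.csv")
        good = mock_restore(work / "good.tar.gz", manifest, 2 * 3600, log)
        bad = mock_restore(work / "bad.tar.gz", manifest, 2 * 3600, log)
        return good, bad, len(log.read_text().splitlines())
```

Calling `demo()` returns a PASS record for the complete archive and a FAIL record listing `missing: payroll.csv` for the incomplete one; both outcomes are written to the restore log.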

7) How long should Backups be retained
The backups should be retained for as long as the organization determines that the information is useful. Backup media is cheap, and the hours that are required to clean the data may be more expensive. In most cases, it may be cheaper to retain the backups. In effect, the organization needs to decide the Retention period, and also any requirement for archive copies to be permanently retained.
