Background
----------

ISO/IEC 27002:2022 clause 8.13 indicates that "Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup [in order] to enable recovery from loss of data or systems."

Policy statements
-----------------

1. Ensure production information exists in primary online and secondary offline locations with appropriate backup processes and schedules for data synchronization.
2. Regularly create offline backup copies of vital business information and software to enable efficient recovery after incidents affecting primary data or systems.
3. Design and document specific backup schedules for each system, considering types, frequency, and generations of backups to meet business, legal, and regulatory requirements.
4. Automate backup processes when feasible and cost-effective to enhance reliability and assurance.
5. Periodically check and test backup processes to ensure information can be successfully restored from backups when needed.
6. Implement controls to address data storage media degradation, such as routinely replacing media and monitoring bit error rates.
7. Protect intangible knowledge and expertise by sharing critical information with colleagues through documentation, training, mentoring, and appointing deputies or understudies.
8. Manage transportation of media to remote storage facilities with proper authorization, recording, and trusted personnel handling.
9. Physically and logically protect backups to the same degree as primary media, considering storage security, separate facilities, environmental protection, and encryption.
10. Specify minimum retention periods for backups based on Information/risk Owner guidance, or default to a 30-day retention period.
11. Control restoration of information from backups through a formal process involving request, authorization, retrieval, restoration, release, and returning backup media to safe storage.

Notes
-----

This is a “skeleton” policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.