Backup and Restore Policy

The Backup and Restore Policy (P15) establishes the organization's mandatory requirements for the backup and restoration of data, systems, and applications. Its primary purpose is to safeguard the organization's operational resilience and data integrity, supporting business continuity even during major disruptions like system failures, cyberattacks, or accidental deletions. At its core, the policy both articulates a standardized approach to backup operations and ensures clear recovery parameters, notably by defining RTO (Recovery Time Objective) and RPO (Recovery Point Objective) expectations. These requirements are closely aligned with the organization's ISMS framework and Business Continuity Plans, ensuring legal, regulatory, and operational compliance. The scope of the policy is comprehensive: it impacts all business-critical and operational systems covered by ISMS, including structured and unstructured data such as databases, files, emails, and system configurations. It extends to all types of operational environments (on-premises, hybrid, cloud), backup media (physical, virtual, offsite), and personnel overseeing or executing backup processes. Notably, systems that are to be excluded from backup operations must be risk-assessed, documented, and formally approved, underscoring the policy's emphasis on risk management and accountability. Within its objectives, the policy specifies that all critical assets must be backed up with proper frequency, redundancy, and encryption, documenting all procedures, retention schedules, and designated roles. Restoration mechanisms must meet predefined RTO and RPO thresholds based on business impact. The integrity and effectiveness of the backup environment are validated through regular restoration testing and audit trail maintenance. For regulatory alignment, the policy directly enforces controls from ISO/IEC 27001:2022 (including operational continuity and secure disposal), ISO/IEC 27002:2022 (such as integrity and restoration planning), as well as requirements drawn from NIST SP 800-53, GDPR, EU NIS2, and DORA. Contracts with third-party backup providers must reflect the organization's expectations on encryption, disposal, incident notification, and test evidence. Roles and responsibilities are explicitly detailed, assigning strategic oversight to Executive Management and the CISO, operational execution to IT and Operations, and specialized governance to the DPO, Business Application Owners, and relevant vendors. The policy mandates a Master Backup Schedule, regular review cycles, strong encryption, separate backup environments, and rigorous change management controls. Strict governance ensures that audit logs are maintained, exceptions are carefully controlled and risk-assessed, and restoration capabilities are tested at set intervals. Additionally, non-compliance triggers disciplinary action for internal staff and penalties or escalation for vendors, with the regular review of logs, schedules, and related documentation forming part of audit and assurance processes. Finally, the policy is reviewed at least annually, ensuring updates reflect strategic, legal, or technological changes, with communication to all impacted parties. Interlinking with a suite of governance documents (Risk Management, Asset Management, Data Classification, Data Retention, Data Masking, and Incident Response), this policy is embedded in the organization’s comprehensive approach to data security, continuity, and regulatory compliance.