Most businesses feel safe simply because they back up their data. That is not the whole picture. A backup that cannot be shown to be restorable, and that does not preserve the Confidentiality, Integrity and Availability of the data, carries great risk. Taking, protecting and storing backups in line with the organisation's requirements, and performing restore tests at a defined frequency, minimises that risk. The ISO 27001, ISO 27002 and ISO 22301 standards we refer to give guidance on how to perform backup and recovery tests.
According to Annex-A (A.12.3.1) controls of ISO 27001 Standard, backup copies of information, software and system images should be taken and regularly tested in line with an agreed backup policy.
Each business should determine its own needs and create a policy to ensure that Information, Software and Systems are backed up to meet these requirements. The relevant backup policy should also define the storage and protection requirements of the information. An adequate and effective backup system should be established and managed to ensure that all necessary information and software are recoverable after a possible disaster or system failure.
- A complete and accurate record of backup copies, together with documented restore procedures, should be produced.
- The type and frequency of backups (for example, full or differential) should reflect the business needs of the organisation, the security requirements of the information concerned, and how critical that information is to the continued operation of the organisation.
- Backups should be kept at a remote location far enough away to escape damage from a disaster at the main site.
- Backups should be protected under appropriate physical and environmental conditions. What those conditions are may vary according to the standards the institution applies (see ISO 27001 Annex A.11).
- Backup media should be tested at regular intervals so that it can be relied on in an emergency; this should be combined with testing the restore procedures and checking the time a restore takes against what the business needs. Backed-up data should be restored into a dedicated test environment. Restore tests should not be performed on live systems: if the backup or restore process fails there, it can cause irreparable data loss or damage.
- Where confidentiality is important, the backup should be protected by encryption.
- Scheduled backups should be monitored to confirm that they complete, and when a scheduled backup fails the resulting errors and the factors that prevented the backup should be addressed.
- The retention period of backups should be determined with business requirements and legal and regulatory requirements in mind.
- MTPD (Maximum Tolerable Period of Disruption), RPO (Recovery Point Objective) and RTO (Recovery Time Objective) values should also be considered when planning system backups.
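As an added example, not code from the original article or from any of the standards cited: a small Python restore-test harness that backs up a constructed file set, restores it in memory rather than onto a live system, checks every restored file against the recorded SHA-256 digests, times the restore against an RTO and flags a backup whose age exceeds the RPO. The file names, the sample contents and the function names (`make_backup`, `restore_test`, `rpo_exceeded`) are assumptions made for illustration.

```python
# Restore-test harness: back up a constructed file set, restore it in memory
# (isolated from live systems), then verify integrity, RTO and RPO.
import hashlib
import io
import tarfile
import time

# Constructed sample data standing in for the live system's files.
SAMPLE_FILES = {
    "db/config.yml": b"mode: prod\nbackup: daily\n",
    "db/data.bin": bytes(range(256)) * 16,
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Write a gzipped tar in memory and return it with a manifest of per-file
    SHA-256 digests. The manifest is the 'complete and accurate record' of the
    backup copy that a later restore test is checked against."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {name: sha256(data) for name, data in files.items()}


def restore_test(archive: bytes, manifest: dict, rto_seconds: float) -> dict:
    """Restore every member into memory (never onto the live tree), compare each
    digest with the manifest and measure the restore time against the RTO."""
    start = time.monotonic()
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                restored[member.name] = sha256(tar.extractfile(member).read())
    elapsed = time.monotonic() - start
    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(n for n in manifest
                        if n in restored and restored[n] != manifest[n])
    return {"ok": not missing and not mismatched and elapsed <= rto_seconds,
            "missing": missing, "mismatched": mismatched, "seconds": elapsed}


def rpo_exceeded(last_backup_epoch: float, now_epoch: float, rpo_seconds: float) -> bool:
    """True when the window of data that could be lost (time since the last good
    backup) is already longer than the agreed Recovery Point Objective."""
    return now_epoch - last_backup_epoch > rpo_seconds
```

A failed `restore_test` (missing or mismatched files, or a restore slower than the RTO) is exactly the kind of result that a monitored backup process should raise for investigation rather than leave in a log.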