For every system a documented backup procedure is available with values for the RPO (Recovery Point Objective, maximum tolerable amount of data that can be lost) and RTO (Recovery Time Objective, maximum downtime of the system). The RPO and RTO are communicated to users of the system.
The backup procedure will identify the appropriate:
- type(s) of storage media used for backups,
- frequency,
- redundancy,
- storage location,
- storage conditions and
- frequency of restore testing.
How data on endpoints is backed up is included in the backup procedure.
Backups are tested periodically to verify that they can be restored. The results of these tests are documented.
Specification
Backups of system and application data must be created periodically and must be stored encrypted at one or more different locations as a business continuity measure. The restore procedure must be tested periodically.
Create a backup strategy plan, with at least one offline backup system in place.
It is highly recommended to apply the 3-2-1 backup rule:
- Create 3 copies of your data (1 primary copy and 2 backups)
- Store your copies on at least 2 types of storage media (local drive, network share/NAS, tape drive, etc.)
- Store one of these copies off-site (e.g., in the cloud)
Source: https://www.acronis.com/en-eu/articles/backup-rule/
There are sufficient recent copies (backups) of data and configurations for timely recovery of the service within its recovery norms, the RTO and RPO.
A recovery test is performed:
- Low: every 3 years
- Medium: every 2 years
- High: annually
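A compliance check for the 3-2-1 rule, the offline and encryption requirements, the RPO and the recovery-test cadence described above, as an added example that is not part of the original document; the inventory, dates and classification names ("low", "medium", "high") are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class BackupCopy:
    media: str            # storage media type, e.g. "disk", "nas", "tape", "cloud"
    location: str         # "onsite" or "offsite"
    offline: bool         # True if the copy is not reachable from the production network
    encrypted: bool
    taken: date           # when this copy was made
    primary: bool = False # the live production copy counts as copy 1 of the 3

# Recovery-test cadence per classification, in days, as stated in the policy.
RECOVERY_TEST_INTERVAL_DAYS = {"low": 3 * 365, "medium": 2 * 365, "high": 365}

def check_backup_strategy(copies):
    """Findings against the 3-2-1 rule plus the offline/encryption requirements; empty means compliant."""
    backups = [c for c in copies if not c.primary]
    findings = []
    if len(copies) < 3:
        findings.append(f"copy count {len(copies)}, the 3-2-1 rule needs 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on one media type, at least 2 needed")
    if not any(c.location == "offsite" for c in backups):
        findings.append("no off-site backup copy")
    if not any(c.offline for c in backups):
        findings.append("no offline backup copy")
    if any(not c.encrypted for c in backups):
        findings.append("unencrypted backup copy present")
    return findings

def rpo_met(copies, rpo_days: int, today: date) -> bool:
    """The RPO holds when the newest backup copy is no older than rpo_days."""
    backups = [c for c in copies if not c.primary]
    return bool(backups) and (today - max(c.taken for c in backups)).days <= rpo_days

def recovery_test_overdue(classification: str, last_test: date, today: date) -> bool:
    """True when the last restore test is older than the cadence for the classification."""
    return (today - last_test).days > RECOVERY_TEST_INTERVAL_DAYS[classification]

# Constructed sample inventory (hypothetical, not from any real system).
TODAY = date(2024, 6, 1)
def sample_inventory():
    yesterday = date(2024, 5, 31)
    return [
        BackupCopy("disk", "onsite", False, False, TODAY, primary=True),
        BackupCopy("nas", "onsite", False, True, yesterday),
        BackupCopy("cloud", "offsite", False, True, yesterday),
    ]
```

Running `check_backup_strategy(sample_inventory())` reports only the missing offline copy; adding an offline tape copy clears the findings.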
ISO 27001 & 27002:2022
A8.13,
A8.16
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
OP.02 Procedure for backup and recovery