Skip to content

Publication Summary

Title Backup Policy
Author(s) Alessandro Cardinali
Issued by CEO

Version doc.

Review freq.

0.1

Yearly
Date of issue December 11, 2023
Owner CEO/Founder
Document status Draft – Final Draft - Final
Approval Date n/a
Classification Internal

Change Log

Version Date Author Comments
0.1 October 23, 2023 Olaf Jacobson First draft document

Table of Contents

Publication Summary 2

1 Introduction 4

1.1 Purpose of this document 4

1.2 Areas of the standard addressed 4

2 Backup policy 5

Introduction

The purpose of this document is to set out the way in which backups of information, software and system images are carried out, including regular testing.

Soon Technologies B.V. invests a significant number of resources in collecting, processing and managing information about all aspects of its business operations, including customers, suppliers, employees, legal and financial. In order to ensure the integrity and availability of this information it is essential that a sound backup policy is adopted which takes due account of the classification of the information involved.

Without complete and usable backups, the organization is exposed to an unacceptable level of risk and may be subject to significant legal consequences.

This document should be read in conjunction with the organization’s business continuity plans which deal with how backups are used to restore data in the event of a disaster, and the following additional documents:

  • Information Classification Procedure

  • Capacity Plan

  • Information Labelling Procedure

  • Asset Handling Procedure

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon Technologies B.V. systems.

Purpose of this document

The backup policy is a control with particular relevance to service continuity. It describes how backups of data will be taken and managed.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls

  • A.5.1 Policies for information security

  • A.8 Technological controls

  • A.8.13 Information backup

Backup policy

Regular backups of essential business information must be taken to ensure that the organization can recover from a disaster, media failure or other form of error.

An appropriate backup cycle must be designed and used that meets business requirements, complies with Soon Technologies B.V. information security policy and is fully documented. Third parties that store organization information must also be required to ensure that the information is backed up appropriately.

In a cloud environment where the cloud service provider (CSP) is responsible for backups, the following criteria must be defined and agreed:

  • Scope, schedule and location of backups

  • Backup methods and data formats

  • Retention periods for backups

  • How the integrity of backups will be verified

  • Restoration and testing procedures, including restoration timescales during a disruptive event

  • Use of encryption

  • How backups are segregated in a multi-tenant cloud environment

  • Frequency and method of reviews of backup and recovery procedures

For backups under Soon Technologies B.V. control, full documentation, including a complete record of what has been backed up, must be stored at an off-site location in addition to a copy at the site of origin.

The off-site location must be sufficiently distant from the site of origin of the backup to avoid being affected by any disaster that takes place at the main site. The use of availability zones defined by cloud service providers will typically meet this requirement.

Full documentation of the recovery procedure associated with each backup must be created and stored.

Regular restores of information from back up media must be performed to verify the reliability, accuracy and integrity of the back-up media and the restore process.

Removable media used (for example tapes, external drives) must be protected in accordance with the Soon Technologies B.V. Asset Handling Procedure to prevent damage, theft, or unauthorised access.

Storage media being stored or transported must be protected from unauthorised access, misuse, or corruption in accordance with the relevant Physical Media Transfer Procedure. Where couriers are required a list of reliable and trusted couriers should be established. If appropriate, physical controls such as encryption or special locked containers must also be used.

System documentation must be protected from unauthorised access (this does not include generic manuals that have been supplied with software). Effective version control must be applied to all documentation and its storage.

Storage media that is no longer required must be disposed of safely and securely as specified in the document Procedure for the Management of Removable Media to avoid data leakage, particularly where personally identifiable information (PII) is involved.

Appropriate arrangements must be put in place to ensure future availability of data that is required beyond the lifetime of the backup media.