To ensure you can recover from loss of data or systems, this ISO27001 control requires that you have put in place some form of information backup. Of course, it’s easy to imagine why you would need this kind of control. But what does it mean to implement a truly robust backup process?
What does the standard require?
The standard states that “Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.” (A8.13 – Information backup)
This control is asking you to focus on backups for information, software and systems. ISO27001 clearly sees these as three different aspects, all of which require some form of backup solution.
Why is this required?
Imagine the scenario where your systems have been attacked, or a natural disaster has occurred which results in servers failing, or data becomes corrupted. Having a robust backup strategy ensures that the critical data you rely on is available as soon as possible.
A company we worked with was hit with ransomware, meaning that all their files were encrypted. Nothing could be accessed. The company made specialised jams and sauces. Not what you might think of as critical, but imagine the recipe for Coca-Cola or KFC's chicken flavouring was hit - THAT was the impact for this company.
The owner was almost in tears when they called us for help. Our first question? "Have you backed up your data?"
Ransomware is one of the most prevalent forms of malware affecting organisations, rendering their data inaccessible. The business disruption when this happens can be devastating, and one of the first questions we ask when it does is: where are your backups?!
Without a backup in place, you're not going to be able to recover the data, or if you are, it's going to take a long time to do it.
What the auditor is looking for
For this ISO27001 control, the auditor will expect to see:
Data Classification scheme (A5.12 - Classification of information).
Use of Cloud as a backup solution (A5.23 - Information Security for use of Cloud Services).
Inventory of informational assets (A5.9 - Inventory of information and other associated assets).
Backup Policy (A8.13 – Information backup).
Backup processes.
Backup solutions and technology.
Evidence of recovery tests (restoring data, software and systems from backup, not just confirmation that backup jobs ran).
Business Impact Assessments (BIA) (A5.30 - ICT Readiness for Business Continuity).
Logs and monitoring (A8.16 - Monitoring Activities).
Risk Register.
Management Review Meeting minutes and actions.
What do you need to do?
Review the data classification scheme you developed as part of ISO27001 Annex A control (A5.12 - Classification of Information) and identify what data needs to be backed up. This process should include some form of Business Impact Analysis (BIA), whereby you determine, for each system or data set, how quickly it must be restored (the Recovery Time Objective, RTO) and how much data loss, measured in time since the last backup, you can tolerate (the Recovery Point Objective, RPO). This will give you a clear understanding of what is critical to you and your business, and of how often each backup must run.
Once you are clear on this, you can decide on the best backup strategy for you. This can be a cloud solution, or copying the data to an external drive that is connected only for the backup run and for recovery, and kept disconnected the rest of the time so that ransomware on your network cannot reach it. If you decide to copy data to an external drive, you will need to determine how that drive will be secured (for example, encrypted and stored under lock and key) and managed.
Now you know what your strategy is, you need to document a topic-specific policy related to your approach to backup and testing of recovery. To ensure the policy reflects reality, speak to the person or team responsible for backing up your data. This is probably your IT representative, or someone else responsible for taking a copy of the data and storing it securely.
Backup strategies might include the '3-2-1' method:
3 Copies
2 different media types
1 offsite copy
Having three copies of your critical data ensures redundancy in case one copy is corrupted, lost, or inaccessible. Relying on two different forms of storage, such as external hard drives and Cloud storage, reduces the risk of one form of medium becoming inaccessible. Finally, having one copy offsite ensures that if your primary location is not accessible (e.g. due to fire), you can still access your data.
This final, offsite copy is often addressed using Cloud storage.
Keep in mind that the 3-2-1 strategy is a general guideline. The specific number of copies you need and chosen media types will vary depending on your needs and the criticality of your data.
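The 3-2-1 rule is easy to state and easy to quietly fall short of once backups are spread across a NAS, a cloud bucket and a drawer of drives. The check below, an added example that is not from the original article, evaluates a backup inventory against each of the three conditions and reports which one fails. The inventory and the BackupCopy shape are constructed for this illustration, not any product's API. It goes one step beyond the bare rule by also flagging the absence of an offline copy, the point made above about a drive that is connected only for backup and recovery: if every copy is reachable over the network, ransomware that reaches the network can reach every copy.

```python
"""Evaluate a backup inventory against the 3-2-1 rule.
Added example, not from the original article.  The inventory below is
constructed; the BackupCopy fields are an assumed shape, not any product's API."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str      # storage type, e.g. "ssd", "hdd", "tape", "object-storage"
    site: str       # where the copy physically lives
    offline: bool   # disconnected from the network between backup runs


def check_3_2_1(copies: List[BackupCopy], primary_site: str) -> List[str]:
    """Return the rule violations for an inventory; an empty list means 3-2-1 is met.

    The count of three includes the live production copy, which is the usual
    reading of the rule.  The offline check is an extension beyond 3-2-1 itself:
    ransomware that can reach every copy over the network can encrypt every copy.
    """
    findings: List[str] = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one media type ({', '.join(sorted(media))}), need 2")
    if not any(c.site != primary_site for c in copies):
        findings.append(f"no copy outside the primary site {primary_site!r}")
    if not any(c.offline for c in copies):
        findings.append("no offline copy: malware reaching the network could reach every copy")
    return findings


# Constructed inventory for a small business: live data on a file server,
# a nightly copy to a NAS in the same office, and a copy in cloud object storage.
INVENTORY = [
    BackupCopy("file-server", media="ssd", site="office", offline=False),
    BackupCopy("nightly-nas", media="hdd", site="office", offline=False),
    BackupCopy("cloud-bucket", media="object-storage", site="cloud-region-eu", offline=False),
]

if __name__ == "__main__":
    for finding in check_3_2_1(INVENTORY, primary_site="office") or ["3-2-1 satisfied"]:
        print(finding)
```

Run as written, the constructed inventory passes all three 3-2-1 conditions and fails only the offline check; dropping the cloud copy from the list shows how the count, offsite and offline conditions fail together.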
Along with this policy, you might consider documenting a process for managing backups and the recovery tests, however this is not mandatory.
For total confidence that your backups are working, you need to ask for confirmation that backups have been completed and run periodic tests to recover data. A backup job can report that it completed correctly when in fact it failed, copied truncated or corrupted files, or ran less often than your RPO requires; only a test restore, checked against the original data, proves the backup is usable.
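The following is an added example, not code from the original article, showing what a recovery test that does not trust the job's own status looks like, and it also applies the RPO from the Business Impact Analysis step above. The backup format (a directory copy plus a JSON manifest of SHA-256 hashes), the recipe files and the timestamps are all constructed for the illustration. Real backup tools have their own restore and verify commands; the point is the same: restore somewhere harmless, compare the result against what was backed up, and check the backup's age against the RPO.

```python
"""Test-restore a backup set and verify it against its manifest, rather than
trusting the backup job's own 'completed' status.  Added example, not from the
original article.  The directory-copy backup format, manifest layout and the
recipe files are all constructed for this illustration."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, backup_root: Path, label: str,
                now: Optional[float] = None) -> Path:
    """Copy `source` into backup_root/label/data and record a hash manifest."""
    dest = backup_root / label
    shutil.copytree(source, dest / "data")
    manifest = {
        "created": time.time() if now is None else now,
        "files": {p.relative_to(source).as_posix(): sha256_of(p)
                  for p in sorted(source.rglob("*")) if p.is_file()},
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest


def verify_restore(backup_set: Path, rpo_seconds: int,
                   now: Optional[float] = None) -> List[str]:
    """Restore the set into scratch space and check every file's hash.

    Returns the list of problems found; an empty list means the backup is both
    fresh enough for the RPO and restorable with intact contents."""
    problems: List[str] = []
    manifest = json.loads((backup_set / "manifest.json").read_text())
    now = time.time() if now is None else now
    age = now - manifest["created"]
    if age > rpo_seconds:
        problems.append(f"backup is {age / 3600:.0f}h old, exceeds RPO of {rpo_seconds / 3600:.0f}h")
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup_set / "data", restored)  # the actual test restore
        for rel, expected in manifest["files"].items():
            f = restored / rel
            if not f.is_file():
                problems.append(f"{rel}: missing after restore")
            elif sha256_of(f) != expected:
                problems.append(f"{rel}: checksum mismatch (truncated or corrupted copy)")
    return problems


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: a good backup, then the same set after a job that
    reported success but left a truncated file and is now older than the RPO."""
    rpo = 24 * 3600
    t0 = 1_700_000_000.0  # constructed backup time
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "recipes"
        source.mkdir()
        (source / "strawberry-jam.txt").write_text("fruit 1kg, sugar 1kg, pectin 10g\n")
        (source / "hot-sauce.txt").write_text("chillies 500g, vinegar 300ml, salt 5g\n")
        backup = take_backup(source, root / "backups", "set-001", now=t0)
        good = verify_restore(backup, rpo, now=t0 + 3600)
        (backup / "data" / "hot-sauce.txt").write_bytes(b"")  # silent failure
        bad = verify_restore(backup, rpo, now=t0 + 3 * 24 * 3600)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("fresh backup:", good or "OK")
    print("damaged backup:", bad)
```

The restore goes into a throwaway directory so the test never touches production data, and the problems list is what you would record as evidence of the recovery test for the auditor.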
Finally, keep in mind that this control asks you to consider backup copies of information, software and systems. Therefore, don’t just focus on ‘data’. Do you have backup copies of systems and software?
Difficulty rating
We rate this a 1.5 out of 5 difficulty rating. This isn't a difficult control to implement, but it requires careful consideration in terms of what your strategy will be. Backing up data is your last line of defence if you are unfortunate enough to be impacted by a cyber-attack.
Q&A
If I use Cloud for storage, do I need a backup solution?
The simple answer is.... possibly.
Cloud computing isn’t immune to outages or attack. It’s true that Cloud solutions will maintain version history, and if you delete a file in error, then it can quickly be recovered. However, this is not the only risk that you are faced with.
What happens if you suffer a ransomware attack and all your data is encrypted? What about service disruptions? Google, Amazon, and Microsoft have all suffered outages and service interruptions which have caused some form of business impact.
BUT...
If you decide that you're happy with the resilience of the Cloud solution you have in place, then you should recognise this fact and add it to your risk register. Your policy should state that your backups rely on the resilience of the Cloud provider's infrastructure.
Cloud providers (such as AWS, Microsoft etc) build their platforms to be highly durable and resilient, but under the shared responsibility model backing up your data remains your responsibility, and provider resilience is not a silver bullet: it will faithfully replicate a ransomware-encrypted or accidentally deleted file just as it replicated the original. Our advice is to implement a backup solution, even if it's a matter of buying an additional service to take periodic backups of your most critical data.
Do I need a Backup Policy?
Yes, this is a requirement of this ISO27001 Annex A control, so you need to document what your strategy is. If you decide that Cloud computing is your backup strategy, then you’ll need to detail this within your policy.
Irrespective of what your approach to backups is, you’ll need to document what your approach to recovery tests is, and how these are to be conducted.
More questions?
You’ve probably noticed by now that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon