Your guide to implementing an ISO 27001 backup policy template

Surviving in the modern business world without a properly aligned backup policy template for your information security infrastructure is like jumping out of an airplane without a parachute. Business continuity, data protection, compliance, and disaster recovery are all tied to the ISO 27001 security framework, so not having a backup policy in place in your business continuity plan can spell disaster for your entire organization. 

Nobody wants to see this happen so we decided to create this post so you can get a better understanding of what you need to implement to best prepare for the potential of withstanding a large system or operational failure event. 

Defining ISO 27001

If you want to implement an airtight backup policy for your security infrastructure, it’s necessary to define the framework we are working with. The ISO 27001 standard for information security is a framework that helps the organization establish, implement, monitor, and review the information security practices of people, technology, and processes. 

More specifically, the framework stipulates a few requirements including: 

• Defining the scope and boundaries of the infrastructure of the organization’s relevant needs and expectations
• Establishing risk assessment plans and setting up information security objectives
• Providing the necessary resources to support the framework
• Implementing and applying processes to manage and ensure the security of data assets
• Monitoring, measuring, and analyzing the performance of the information security system 

Becoming ISO 27001 certified means that you are taking your data management and security processes seriously. While it will primarily be the method in which you are able to keep up with the ever-evolving threats of the day, it can also help improve relationships with current clients as well as win over new clients that can place their trust in your superior information security policies.

Aligning your backup policy to ISO 27001

Getting ISO 27001 certified is just the tip of the iceberg. But you still need to consider what happens when your systems get disrupted by an unexpected event or disaster. In that situation, you will need to make sure that your backup policies and processes are aligned with the certification standard. 

Conducting risk assessments

Any conversation about a backup policy needs to start with risk assessments of the elements that are critical to keeping your organization afloat. More specifically, the data that is needed to be backed up based on the impact of the loss of that data. 

Figuring out what the exact information is that can have a major impact on your organization will be the first step. For example, PII (personally identifiable information) can include a wide amount of information like social security numbers, birthdates, and financial information like credit card numbers. A leak, disruption, or general loss of this data can result in major financial and reputational consequences. 

Identifying where this information lives and prioritizing these assets can help when assessing the likelihood of threats like software failures, cyber attacks like ransomware or phishing, and natural disasters that might exploit one or several vulnerabilities in your current infrastructure. This can also help with business continuity / operational continuity in events such as the recent pandemic, where we saw a work-from-home remodel for most organizations.

Defining critical data backup requirements

Once you’ve managed to take stock of your critical data and the threats they are exposed to, it is time to define the backup requirements around them. These requirements need to be in line with your current business needs as well as any regulatory requirements that define the industry the organization operates within. 

Going back to our healthcare example, having your backup processes in line with HIPAA regulations and patient confidentiality is key. Mapping integrated policies and procedures that incorporate the requirements of ISO 27001 and HIPAA around areas of overlap within your backup policy template to protect PHI is paramount. This can easily get very complex very quickly so if you need help from an extra pair of eyes, you should do your best to connect with an expert. 

Determine backup frequency and storage locations

The risk assessment portion of your backup policy template will give you a more nuanced insight into what the operational needs of the organization are. Information like the acceptable level of downtime in the case of a critical loss of data and SLAs (service level agreements) can help you set up more informed backup schedules that align with the nature of the data. 

Continued reading

Weathering the storm with Business Continuity and Disaster Recovery (BCDR)

Weathering the storm with Business Continuity and Disaster Recovery (BCDR)

Backup information and frequency

More sensitive information might require more frequent backups while less critical data might be subject to less frequent backups. Making sure you update this information according to the current risk environment is instrumental for success. 

Additionally, having a greater frequency of backups during important business times may also be a prudent strategy business owners can employ. E-commerce organizations might want to invest more heavily into large-scale backup efforts during major holiday seasons when loads are significantly higher. 

Looking at your RPO (Recovery Point Objective) will determine how often backups are needed to protect the data. Adjusting your RPO in the template for different times of the year, according to the current risk landscape can help minimize data loss in the event of a disruption.

If you normally have an RPO of 30 minutes, that means you are willing to lose at most half an hour’s worth of data in the case of an unplanned disruption. In some situations, you might want to raise the frequency to an RPO of 15 minutes meaning that you backup data every one hour to meet business needs in the current context. 

Additionally, DevOps teams can use version control to ensure that different versions of the data are properly backed up, allowing you to easily restore previous versions if needed.

Redundancy and diversity

Diversifying where you keep mission-critical data can be the difference between successfully recovering from a disruption and completely failing. Implementing multiple backup copies across different parts of the entire infrastructure can help ensure that the data is eventually recovered. 

For example, having multiple cloud instances or an alternative remote location where critical data is stored ensures that it isn’t siloed away in one spot, thus minimizing the impact of a system failure and maximizing system availability.

Establish encryption and authorization requirements

ISO 27001 security requirements are stringent and for good reason. Nobody wants to wake up on a Saturday morning and realize that all their crucial data is in the wrong hands. That’s why encryption and authorization/authentication methods are critical elements of a security template. 

Encryption

Encrypting backup data can prevent unauthorized access for data transmission and storage. When you are in the process of establishing your requirements, keep in mind how sensitive the data is, what the regulatory requirements include, and some industry best practices. 

Planning to use TLS (transport layer security) algorithms in conjunction with End-to-End Encryption where data is encrypted prior to being uploaded to the cloud and only decrypted once it is on the client’s side can ensure a high degree of security throughout the entire data backup and recovery process. 

Authentication and authorization

Authentication and authorization serve as the gatekeepers to some of your most sensitive information by restricting access to backup systems and data to pre-authorized stakeholders. Implementing mechanisms like training employees to use strong passwords in combination with MFA (multi-factor authentication) can be the solution to having tightly sealed data storage units. 

However, even with all the security in place, it is still possible for attackers to breach external contractors that have access to VPN credentials that can render your incident response team obsolete. This is specifically what happened to Uber in September 2022. 

The takeaway: a single, central point of authentication can result in access to various cloud-based systems. When coming up with your ISO 27001 backup policy template, make sure to draw provisions into this possibility and train employees to guard against suspected phishing attacks that could lead to malware and other downstream attacks that could bypass MFA protections. 

Creating an effective backup policy template 

A backup policy template that successfully keeps your organization from going under (and your senior management from losing their hats) in the midst of an unexpected disruption should be approached as a living, breathing document that changes according to the current landscape. 

Conduct regular testing

With a myriad of potential threats from cyber attacks, abrupt regulatory shifts, and rapidly evolving tools and technologies, thinking about a policy that works in all seasons can be paralyzing.

That’s why it’s important to emphasize evergreen backup templates that are tested regularly against the major threats of the day. First, define how you test, monitor, and analyze results. Once you’ve come up with a repeatable testing process, regularly test backup logs for data integrity. This could throw off test results that might cause a major issue in the event of an actual disruption. 

Consult with key stakeholders 

Communication and coordination are the key hallmarks of success when developing a backup policy template. Consulting with these stakeholders is important because they have insight into where your most vulnerable elements might lie. A compliance expert in your legal department might have access to information that your IT department does not. Having the two collaborate on an effective plan could make all the difference in an emergency situation.

Invest in employee success

Focusing your efforts on key decision-maker behavior in your policy template could come at a high cost to your organization. That’s why it is critical to make sure you have a built-in roadmap for how to best train employees in their roles and responsibilities. You trust them with day-to-day business activities so it only makes sense that you should trust them in emergency situations. 

An ISO 27001 backup policy template will vary from company to company depending on the required scopes that match the needs of the business. A comprehensive plan digs deep into multiple aspects of risk, backup requirements, and all the changes in the industry to create an airtight infrastructural security management system. 

Additionally, keeping in mind all of the moving parts of your organization from the highest level of decision-makers to the employees responsible for running critical day-to-day functions will only help you construct a continuously evolving plan that can be stood up at a moment’s notice. 

Aligning your template documents with ISO 27001 and mapping them to the unique data requirements of your industry can be challenging. You don’t want to go at it alone. Lucky for you, Thoropass provides templates with their ISO 27001 audit preparation services. Reach out to an expert to learn more about how we can help with all of your backup and recovery efforts. 

Get Started with ISO 27001

Learn how Thoropass can help you get (and stay) compliant

Thoropass supports your success with a clear ISMS readiness roadmap, compliance automations, audit management, and experts to guide your certification journey.

Learn More