ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines


Free_Downloads
 

Have a question on ISO 27001 or ISO 22301?

Ask an Expert
 

Free eBook

Free eBook 9 Steps to Cybersecurity
 
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
 
Newsletter
 
Sign up for our free Newsletter and as bonus you'll receive my tips on how to launch an information security and business continuity project.
 
 
 
 
 
 
 
    

UPCOMING FREE WEBINAR

    

 
ISO 22301: An overview of BCM implementation process

    

Wednesday
September 10, 2014

    Register_now_green
    
 
 
 

Backup policy – How to determine backup frequency

'By 'Dejan Kosutic on May 07, 2013

Did you think that the frequency of backup is based on the IT manager’s whims? Or, perhaps, based on the least expensive solution? Well, you are wrong.

Backup policy, or to be precise – the most important part of this policy – how often the backup is to be performed, must be based on analysis. And such analysis must be based on the business value of the data in question.

Recovery Point Objective (RPO) / Maximum Data Loss

This analysis is emphasized in ISO 22301, the leading business continuity standard. It specifies that Recovery Point Objective and Maximum Data Loss have the same meaning: “Point to which information used by an activity must be restored to enable the activity to operate on resumption.” This is basically the answer to the question How much data can you afford to lose?

The easiest way to perform this kind of analysis is during the business impact analysis (BIA), because that is when you have to complete all these interviews/questionnaires, so a couple more questions won’t disturb anyone. (Read also: Five Tips for Successful Business Impact Analysis.)

Best practice for BIA

When performing the BIA, you have to ask your respondents to list all their databases, applications and files, but also all services (e.g. email), etc., and for each of them separately to state the acceptable limit up to which you can afford to lose the data. Usually, this limit is displayed in number of hours, but sometimes it can also be in number of transactions or records.

The main criteria while doing the analysis must be the damage of any potential data loss to the company – in terms of money or other impacts like legal, reputation, etc. Also, while doing such analysis it is important not to be distracted by the fact that you already have the backup. The question is – if your existing backup fails, how much data can you really afford to lose?

The result is RPO/Maximum Data Loss – in some cases it will be 24 hours (the data you created in the last 24 hours), in others, perhaps 2 hours, but sometimes you won’t be able to afford the loss of a single bit of information – this is where RPO is zero.

Implications for backup frequency

Let’s take two examples from a bank – in the first example, in the loan application process, the bank can probably afford to lose 24 hours of data, because it won’t be very difficult to recreate the data by asking potential clients to send that information again. However, in the case of payment processing, the banks typically cannot afford to lose a single transaction – this is because of the huge volume of transactions and the inability to track back who has given which payment order if all the data is lost.

The conclusions here are actually very simple – if the analysis shows that the RPO/Maximum Data Loss is 24 hours, then you have to perform backup at least once a day; if the RPO is 2 hours, then backup has to be done at least every two hours; if RPO is zero, then you need to have a mirrored site with replication of data in real time.

But, as always, there is also the question of price – someone may say that doing the backup every 2 hours is too expensive. While this may really be so, the real question is what would be the damage to the whole business if you really lose all this data.

Click here to download a free preview of Business Impact Analysis Questionnaire template.


  • Charles

    Really good and informative.