{"id":4674,"date":"2013-05-07T14:20:21","date_gmt":"2013-05-07T14:20:21","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/013\/05\/07\/backup-policy-how-to-determine-backup-frequency\/"},"modified":"2024-12-21T16:08:28","modified_gmt":"2024-12-21T16:08:28","slug":"backup-policy-how-to-determine-backup-frequency","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2013\/05\/07\/backup-policy-how-to-determine-backup-frequency\/","title":{"rendered":"Backup policy \u2013 How to determine backup frequency"},"content":{"rendered":"<p>Did you think that the frequency of backup is based on the IT manager&#8217;s whims? Or, perhaps, based on the least expensive solution? Well, you are wrong.<\/p>\n<p>Backup policy, or to be precise \u2013 the most important part of this policy \u2013 how often the backup is to be performed, must be based on analysis. And such analysis must be based on the business value of the data in question.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Recovery Point Objective (RPO) \/ Maximum Data Loss<\/h2>\n<p>This analysis is emphasized in <a href=\"\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a>, the leading business continuity standard. It specifies that <i>Recovery Point Objective<\/i> and <i>Maximum Data Loss<\/i> have the same meaning: &#8220;Point to which information used by an activity must be restored to enable the activity to operate on resumption.&#8221; This is basically the answer to the question <i>How much data can you afford to lose?<\/i><\/p>\n<p>The easiest way to perform this kind of analysis is during the business impact analysis (BIA), because that is when you have to complete all these interviews\/questionnaires, so a couple more questions won&#8217;t disturb anyone. 
(Read also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2010\/06\/10\/five-tips-for-successful-business-impact-analysis\/\">Five Tips for Successful Business Impact Analysis<\/a>.)<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Best practice for BIA<\/h2>\n<p>When performing the BIA, you have to ask your respondents to list all their databases, applications and files, but also all services (e.g. email), etc., and for each of them separately to state the acceptable limit up to which you can afford to lose the data. Usually, this limit is expressed in hours, but sometimes it can also be expressed as a number of transactions or records.<\/p>\n<p>The main criterion in the analysis must be the damage that any potential data loss would cause the company \u2013 in terms of money or other impacts like legal, reputation, etc. Also, while doing such analysis it is important not to be distracted by the fact that you already have the backup. 
The question is \u2013 if your existing backup fails, how much data can you really afford to lose?<\/p>\n<p>The result is RPO\/Maximum Data Loss \u2013 in some cases it will be 24 hours (the data you created in the last 24 hours), in others, perhaps 2 hours, but sometimes you won&#8217;t be able to afford the loss of a single bit of information \u2013 this is where <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo\/\" target=\"_blank\" rel=\"noopener\">RPO<\/a> is zero.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Implications for backup frequency<\/h2>\n<p>Let&#8217;s take two examples from a bank \u2013 in the first example, in the loan application process, the bank can probably afford to lose 24 hours of data, because it won&#8217;t be very difficult to recreate the data by asking potential clients to send that information again. However, in the case of payment processing, banks typically cannot afford to lose a single transaction \u2013 this is because of the huge volume of transactions and the inability to trace who gave which payment order if all the data is lost.<\/p>\n<p>The conclusions here are actually very simple \u2013 if the analysis shows that the RPO\/Maximum Data Loss is 24 hours, then you have to perform a backup at least once a day; if the RPO is 2 hours, then a backup has to be done at least every two hours; if the RPO is zero, then you need to have a mirrored site with replication of data in real time.<\/p>\n<p>But, as always, there is also the question of price \u2013 someone may say that doing the backup every 2 hours is too expensive. 
While this may really be so, the real question is what would be the damage to the whole business if you really lose all this data.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Did you think that the frequency of backup is based on the IT manager&#8217;s whims? Or, perhaps, based on the least expensive solution? Well, you are wrong. Backup policy, or to be precise \u2013 the most important part of this policy \u2013 how often the backup is to be performed, must be based on analysis. 
&#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[380,554,565,602,603],"class_list":["post-4674","post","type-post","status-publish","format-standard","hentry","category-blog","tag-iso-22301","tag-business-impact-analysis","tag-recovery-point-objective","tag-backup","tag-maximum-data-loss"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4674"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4674\/revisions"}],"predecessor-version":[{"id":103319,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4674\/revisions\/103319"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}