Backup and Recovery
The processes and technologies for creating copies of data and system configurations at regular intervals and restoring them when needed due to data loss, corruption, accidental deletion, or disaster scenarios.
Backup and recovery is a fundamental operational control that protects organizations against data loss from a wide range of threats: hardware failures, software bugs, human error, ransomware attacks, natural disasters, and malicious insiders. A comprehensive backup strategy considers what data needs to be backed up (databases, file systems, configurations, application state), how frequently backups should occur (based on the Recovery Point Objective, or RPO, determined by the business impact analysis), where backups should be stored (on-site, off-site, cloud, or a combination), how long backups should be retained (based on business and regulatory requirements), and how quickly data can be restored (Recovery Time Objective, or RTO).
Backup and recovery is addressed by multiple compliance frameworks. ISO 27001 Annex A control A.8.13 specifically addresses information backup, requiring that backup copies of information, software, and system images be maintained and regularly tested according to an agreed backup policy. SOC 2's Availability criteria require that system recovery is tested to ensure it meets defined objectives. NIS2 mandates business continuity measures including backup management and disaster recovery. GDPR's integrity and availability requirements (Article 5(1)(f)) are supported by backup capabilities that protect against accidental or unlawful destruction or loss of personal data. In technology due diligence, backup strategy and testing frequency are key operational maturity indicators.
Modern backup strategies follow the 3-2-1 rule as a baseline: maintain at least three copies of data, on at least two different media types, with at least one copy stored off-site. For ransomware resilience, organizations increasingly adopt a 3-2-1-1-0 approach, adding one immutable or air-gapped copy and zero untested backups. Regular restoration testing is essential — backups that cannot be successfully restored provide false assurance. Testing should cover both individual file or record restoration and full system recovery scenarios. Cloud-native applications may use provider-managed backup services, database point-in-time recovery, and infrastructure-as-code for rapid environment reconstruction. Organizations should document their backup policies, monitor backup job success and failure, alert on backup failures, and include backup and recovery procedures in their disaster recovery plans.
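As an added example that is not part of the original glossary entry, the following Python audit applies the RPO check and the 3-2-1-1-0 rule described above to a backup inventory; the BackupCopy fields, the inventory values and the RPO are assumptions constructed for the example.

```python
"""Audit a backup inventory against an RPO and the 3-2-1-1-0 rule.

Inventory records and field names are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    location: str           # where the copy lives, e.g. "primary-dc"
    media: str              # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool           # stored away from the primary site
    immutable: bool         # WORM / object-lock / air-gapped copy
    last_success: datetime  # completion time of the newest successful job
    restore_tested: bool    # a restore from this copy has been verified


def check_backup_policy(copies, rpo, now):
    """Return policy findings for a backup set; an empty list means compliant."""
    findings = []
    if len(copies) < 3:                                   # 3 copies
        findings.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:                # 2 media types
        findings.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):                # 1 off-site copy
        findings.append("no off-site copy")
    if not any(c.immutable for c in copies):              # 1 immutable copy
        findings.append("no immutable or air-gapped copy")
    untested = [c.location for c in copies if not c.restore_tested]
    if untested:                                          # 0 untested backups
        findings.append("untested copies: " + ", ".join(untested))
    # The RPO is met when at least one copy completed inside the RPO window.
    ages = [now - c.last_success for c in copies]
    if not ages or min(ages) > rpo:
        findings.append("RPO exceeded")
    return findings


# Constructed inventory: three copies on disk, tape and object storage, with
# off-site and immutable copies present, but the cloud copy never restore-tested.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)
INVENTORY = [
    BackupCopy("primary-dc", "disk", False, False, NOW - timedelta(hours=2), True),
    BackupCopy("secondary-dc", "tape", True, False, NOW - timedelta(hours=26), True),
    BackupCopy("cloud", "object-storage", True, True, NOW - timedelta(hours=3), False),
]

if __name__ == "__main__":
    for finding in check_backup_policy(INVENTORY, RPO, NOW) or ["compliant"]:
        print(finding)
```

Wiring the findings list into the backup job monitoring mentioned above turns an untested or stale copy into an alert rather than a surprise during recovery.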
Related terms
Business Continuity Plan
A comprehensive document that outlines the procedures and strategies an organization will follow to maintain or rapidly resume critical business functions during and after a significant disruption, covering people, processes, technology, and communication.
Business Continuity
The capability of an organization to continue delivering products and services at acceptable predefined levels following a disruptive incident. Business continuity planning covers the strategies, plans, and procedures needed to ensure operational resilience.
Business Impact Analysis
A systematic process for evaluating the potential effects of disruptions to critical business operations, identifying recovery priorities, and determining the resources needed to maintain or restore essential functions within acceptable timeframes.
Disaster Recovery
The strategies, plans, and procedures for restoring IT infrastructure, systems, and data following a catastrophic disruption such as a natural disaster, cyberattack, hardware failure, or other event that renders primary systems unavailable.
Encryption
The process of converting data into an encoded format that can only be read by authorized parties who possess the correct decryption key. Encryption protects data confidentiality both at rest (stored data) and in transit (data being transmitted over networks).