Data backup and electronic information

Almost every modern management system runs on electronic documents and records, and an electronic management system is only as resilient as the systems it runs on. A shared drive that has not been backed up, a SaaS platform with no exit plan, a single laptop holding the only copy of a critical procedure - these are management system risks even when the documents themselves are perfectly written.

The ISO standards approach this from two angles. ISO 9001 Clause 7.5.3 requires documented information to be available, suitable for use, and protected from loss of integrity, which in practice means backup and recovery. ISO 22301 covers business continuity more broadly, including IT continuity. ISO 27001 includes specific Annex A controls on information backup, redundancy and cloud services. Where the organisation is certified to more than one of these, a single coherent backup approach satisfies all of them.

What needs to be backed up

The starting point is identifying what would actually hurt to lose. Most organisations find this falls into a small number of categories.

Management system files. The IMS folder containing policies, procedures, registers, completed records and audit reports. Loss of this folder would mean rebuilding the management system from scratch, plus the loss of historical evidence for certification.

Operational data. Customer records, supplier records, sales pipeline, project files, drawings, specifications. The data that runs the business day to day.

Financial records. Accounts software data, payroll records, invoices, payment records. Required by HMRC and the Companies Act 2006, with statutory retention periods that mean loss is not just inconvenient but potentially unlawful.

Personal data. HR records, customer personal data, training records. Subject to UK GDPR integrity and availability requirements as well as retention rules.

Email and communications. Often overlooked, email archives carry contractual evidence, customer correspondence and internal decisions that may be needed years later.

Configuration and credentials. Network configurations, user permissions, password vaults, software licences. Loss of these can prevent recovery of the data above.

The output of this exercise is a clear list of what is being backed up and what is not, which feeds directly into the document register and the business continuity register.

Backup planning - frequency, retention and storage

Backup decisions involve three connected variables. The right answers depend on the organisation, but the variables are always the same.

Frequency determines how much data could be lost in the worst case. Daily backup of operational data is normal. Continuous or near-continuous backup is increasingly common for cloud-hosted systems. Weekly is usually the minimum - any longer and the data loss in a serious incident becomes hard to recover from.

Retention determines how far back the organisation can recover. A common pattern is daily backups kept for thirty days, weekly backups kept for three months and monthly backups kept for a year. This balances storage cost against the ability to recover from incidents that are not noticed immediately - particularly important for ransomware, where the intrusion may have been present for some time before it was detected, so the most recent backups may already contain compromised data.

Storage location determines whether backups are protected against the same risks as the live data. Backups stored on the same server, the same site or even the same cloud account are vulnerable to the same incident. A widely used industry guideline is the 3-2-1 rule - three copies of data, on two different media, with at least one off-site - and many organisations now use a 3-2-1-1-0 variant that adds an immutable copy and verified zero-error testing. The ISO standards do not require either, but they are a useful starting point for thinking about resilience.
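As an added illustration of the two planning decisions above (it is example code written for this page, not part of the alphaZ toolkit), the script below applies the daily/weekly/monthly retention pattern to a list of backup dates and checks a set of stored copies against the 3-2-1 and 3-2-1-1 rules. It assumes "three months" and "a year" mean 90 and 365 days, that the live data counts as one of the three copies, and that within each week or month the most recent backup is the one kept; the dates and copies are constructed sample data.

```python
"""Added example (not alphaZ toolkit code): pruning backups to a
daily/weekly/monthly retention pattern and checking a backup set against
the 3-2-1 rule. All dates and copies are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

# Retention windows from the text. 90 and 365 days are assumed readings of
# "three months" and "a year".
DAILY_DAYS = 30
WEEKLY_DAYS = 90
MONTHLY_DAYS = 365


def select_retained(backup_dates, today):
    """Return the set of backup dates that survive pruning.

    Every backup within DAILY_DAYS is kept. Beyond that, only the most recent
    backup of each ISO week (within WEEKLY_DAYS) and of each calendar month
    (within MONTHLY_DAYS) is kept. Anything older than MONTHLY_DAYS is dropped.
    """
    keep = set()
    latest_in_week = {}
    latest_in_month = {}
    for d in backup_dates:
        age = (today - d).days
        if age < 0:
            continue  # a future-dated backup is a clock or logging error, never retained
        if age <= DAILY_DAYS:
            keep.add(d)
        if age <= WEEKLY_DAYS:
            week = d.isocalendar()[:2]  # (ISO year, ISO week number)
            if week not in latest_in_week or d > latest_in_week[week]:
                latest_in_week[week] = d
        if age <= MONTHLY_DAYS:
            month = (d.year, d.month)
            if month not in latest_in_month or d > latest_in_month[month]:
                latest_in_month[month] = d
    keep.update(latest_in_week.values())
    keep.update(latest_in_month.values())
    return keep


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of the data set (the live copy is not listed here)."""
    taken: date
    medium: str       # e.g. "disk", "tape", "object-storage"
    location: str     # site or cloud account holding the copy
    immutable: bool = False


def check_3_2_1(copies, live_medium, live_location):
    """Compare the live copy plus its backups against 3-2-1, plus the extra
    immutable copy of the 3-2-1-1 variant. Returns a list of findings;
    an empty list means every rule is met."""
    findings = []
    total_copies = 1 + len(copies)  # the live data counts as one of the three
    media = {live_medium} | {c.medium for c in copies}
    if total_copies < 3:
        findings.append(f"only {total_copies} copies, 3-2-1 needs three")
    if len(media) < 2:
        findings.append("all copies on one medium, 3-2-1 needs two")
    if not any(c.location != live_location for c in copies):
        findings.append("no off-site copy, every copy shares the live site's risk")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy (the extra '1' in 3-2-1-1)")
    return findings


if __name__ == "__main__":
    today = date(2024, 6, 30)  # constructed reference date
    history = [today - timedelta(days=n) for n in range(400)]
    kept = select_retained(history, today)
    print(f"{len(history)} backups, {len(kept)} retained after pruning")
    copies = [
        BackupCopy(today, "disk", "head-office"),
        BackupCopy(today, "object-storage", "cloud-eu", immutable=True),
    ]
    for finding in check_3_2_1(copies, "disk", "head-office"):
        print("finding:", finding)
```

On 400 days of daily backups this keeps 49: the 31 dailies, the latest backup of each of the 13 weeks inside the 90-day window, and the month-end backup of each of the 12 months inside the year, minus overlaps. The 3-2-1 check treats a second copy on the same site and medium as the live data as not counting towards resilience, which is the point the text makes about backups that share the live system's risks.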

Testing backups

The single most common backup failure mode is backups that have been running for years but have never been successfully restored. This is consistently raised by auditors, and it is the difference between thinking the organisation is protected and actually being protected.

A practical test cycle includes a quick file-level restore of a known sample (monthly), a full system restore to a test environment (annually) and a tabletop walkthrough of recovery procedures with the people who would carry them out (annually, often as part of business continuity exercising). Records of these tests sit on the business continuity register or in IT's records and are reviewed at management review.
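The monthly file-level restore described above is only meaningful if the restored sample is compared with what was backed up. The script below is an added example, not toolkit code: it records a SHA-256 manifest when the backup is taken, restores the sample to a scratch directory, and reports files that are missing, changed or unexpected. The directory layout, file contents and the simulated damage are constructed for the example.

```python
"""Added example (not alphaZ toolkit code): a file-level restore test that
checks a restored sample against hashes recorded at backup time, so the test
proves the data came back intact rather than only that a job ran."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, with / separators) to its SHA-256.
    Built at backup time and stored with the backup so a restore can be checked."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest. Returns a sorted list of
    (problem, relative_path) tuples; an empty list means the restore is exact."""
    problems = []
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(("missing", rel))
        elif restored[rel] != digest:
            problems.append(("changed", rel))
    for rel in restored:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def run_restore_test():
    """Simulate backup, restore and verification on a constructed sample.
    Returns (problems on a clean restore, problems after simulated damage)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "ims")
        (live / "procedures").mkdir(parents=True)
        (live / "procedures" / "backup-policy.txt").write_text("backup policy v3\n")
        (live / "register.csv").write_text("id,owner\nBC-001,it\n")

        # Backup: copy the tree and store the manifest alongside it.
        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)
        manifest_file = Path(tmp, "manifest.json")
        manifest_file.write_text(json.dumps(build_manifest(backup), indent=1))

        # Restore to a scratch location and check it against the stored manifest.
        manifest = json.loads(manifest_file.read_text())
        restored = Path(tmp, "restore-test")
        shutil.copytree(backup, restored)
        clean = verify_restore(restored, manifest)

        # Simulated damage: a truncated file and a file that did not come back.
        (restored / "register.csv").write_text("id,owner\n")
        (restored / "procedures" / "backup-policy.txt").unlink()
        damaged = verify_restore(restored, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_restore_test()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

A record of the manifest comparison (date, sample restored, result) is the evidence an auditor is looking for when asking whether a restore has ever been tested; keeping the manifest with the backup rather than on the live system means a restore can still be verified when the live system is the thing that was lost.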

Cloud backup and SaaS systems

Cloud-hosted management systems and SaaS applications introduce a particular issue: many organisations assume the provider is backing up their data, but provider backups are usually for service continuity rather than customer data recovery. If the customer accidentally deletes a file, or a malicious actor with valid credentials deletes data, the provider's backups may not help.

The standard practice is to maintain a separate, independent backup of cloud data using a third-party tool, even when the provider also takes backups. This is increasingly a focus area in ISO 27001 audits, where Annex A 5.23 (Information Security for Use of Cloud Services) explicitly requires organisations to document the shared responsibility model with each cloud provider, including what backup and recovery is the customer's responsibility.

Protection of electronic information beyond backup

Backup is one part of protecting electronic information. The wider controls usually include access management, software updates, malware protection, encryption of sensitive data, secure disposal of IT equipment, and physical security of servers and storage. The IMS1 Section 8 Information Security Management covers these areas in more depth.

For the management system, the most directly relevant controls are folder permissions (so the wrong people cannot delete or alter records), backup of those folders, and encryption or secure handling for any documents marked as confidential. These three together protect documented information from loss, alteration and unauthorised disclosure.

Linking backup to business continuity

Data backup is one input into business continuity, not the whole of it. Business continuity considers what happens when systems are unavailable, regardless of whether the data is recoverable. The F-IMS21 Business Continuity Register typically captures the recovery time objective and maximum tolerated period of disruption for each critical IT system, which then drives the backup frequency and the scale of recovery infrastructure needed.

Organisations certified to ISO 22301 formalise this through a documented business impact analysis, but the same logic applies to organisations using ISO 9001 alone - asking what it would cost to be without a system for an hour, a day or a week is the question that drives proportionate backup investment.

The 3-2-1 rule is a good starting point. Three copies, two different media, one off-site. Anything less and you are one bad day away from losing data you cannot rebuild. The hardest part is the testing. Setting up backups is a one-off effort. Testing them is a habit you have to keep going.

The two things I always check on backup are whether the backup is actually happening - I look at recent log entries, not just the policy - and whether the company has ever tested a restore. The number of organisations where the backup is running fine but a restore has never been attempted is much higher than people would expect.

For ISO 27001 audits I am also looking at cloud services specifically. Annex A 5.23 has put cloud computing high on the agenda, and not having a documented exit strategy for each major cloud provider is a finding I see often.

We had a serious scare a few years back when a server failed and the most recent backup was three weeks old. We thought we were on daily backup. We were not - the job had been failing silently and nobody had been checking the logs. Lost a week of orders and three weeks of finished records that we had to manually reconstruct.

Since then we get a backup status email every morning that goes to two people. If the email does not arrive, that is the alert. Simple to set up, has caught problems three or four times since.
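The silent-failure problem described in the two comments above (a job that stops succeeding while nobody reads the log, and a morning status email whose absence is the alert) can be turned into an automatic check. The script below is an added example, not the commenter's setup or toolkit code: it parses a backup job log, finds the last successful run of each expected job, and raises an alert for any job whose last success is older than its allowed age or that never appears at all. The log format, job names and allowed ages are constructed for the example.

```python
"""Added example (not alphaZ toolkit code): detect backup jobs that have
stopped succeeding, from the job log, treating silence as failure.
The log excerpt and job list are constructed sample data."""
import re
from datetime import datetime, timedelta

# Constructed log excerpt, one line per run. The fileserver job starts
# failing on the 28th, the mail job keeps succeeding, the finance job
# never appears in the log at all.
SAMPLE_LOG = """\
2024-06-26 02:00:04 job=fileserver-daily status=SUCCESS bytes=41230991
2024-06-26 03:10:41 job=mail-archive status=SUCCESS bytes=8820112
2024-06-27 02:00:05 job=fileserver-daily status=SUCCESS bytes=41355890
2024-06-27 03:10:39 job=mail-archive status=SUCCESS bytes=8831400
2024-06-28 02:00:03 job=fileserver-daily status=FAILED error="destination not mounted"
2024-06-28 03:10:45 job=mail-archive status=SUCCESS bytes=8840203
2024-06-29 02:00:02 job=fileserver-daily status=FAILED error="destination not mounted"
2024-06-29 03:10:40 job=mail-archive status=SUCCESS bytes=8850007
2024-06-30 02:00:04 job=fileserver-daily status=FAILED error="destination not mounted"
2024-06-30 03:10:38 job=mail-archive status=SUCCESS bytes=8861120
"""

# Jobs that must exist, and how old the last success may be before it is a
# problem. A little slack over the schedule (26h for a daily job) avoids
# alerting on a run that simply started late.
EXPECTED_JOBS = {
    "fileserver-daily": timedelta(hours=26),
    "mail-archive": timedelta(hours=26),
    "finance-weekly": timedelta(days=8),
}

LINE_RE = re.compile(r"^(\S+ \S+) job=(\S+) status=(\w+)")


def last_success(log_text):
    """Return {job: datetime of its most recent SUCCESS line}."""
    latest = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unparseable lines are skipped here; a real monitor would count them
        stamp, job, status = match.groups()
        if status != "SUCCESS":
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if job not in latest or when > latest[job]:
            latest[job] = when
    return latest


def stale_jobs(log_text, expected, now):
    """Return alert strings for jobs with no success at all, or whose last
    success is older than allowed. A job missing from the log is an alert,
    not a pass: silence is treated as failure."""
    latest = last_success(log_text)
    alerts = []
    for job, max_age in expected.items():
        if job not in latest:
            alerts.append(f"{job}: no successful run in the log")
        elif now - latest[job] > max_age:
            age = now - latest[job]
            alerts.append(f"{job}: last success {latest[job]:%Y-%m-%d %H:%M}, {age} ago")
    return alerts


if __name__ == "__main__":
    for alert in stale_jobs(SAMPLE_LOG, EXPECTED_JOBS, datetime(2024, 6, 30, 8, 0)):
        print("ALERT", alert)
```

Run daily, this is the same control as the status email, with the difference that the expected-job list makes a job that has quietly disappeared from the schedule visible as well as one that is failing.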

Practical compliance guidance

IMS1 Section 1.5.4 Data Backup - Management of Electronic Information covers backup arrangements at a summary level, with detail held on the F-IMS21 Business Continuity Register.

The toolkit provides the business continuity register, a backup policy and supporting guidance, plus the wider information security framework that backup sits within.

alphaZ document - How to use it

ISO 27001 Toolkit - Full toolkit covering backup, cloud computing and the wider information security controls expected under ISO 27001.

F-IMS21 Business Continuity Register - Register documenting business impact analysis, recovery objectives and continuity arrangements for critical IT systems and data.

PP-8-01 Backup Policy and Procedure - Policy and procedure setting out backup frequency, retention, storage and testing requirements.

GG-8-02 Data Backup Guidance - Plain-language guidance on applying the backup policy, with practical examples and a backup planning checklist.

P-31 Information Protection Policy - Wider information protection policy covering the controls on access, encryption and protection of electronic information.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

For most operational data, daily backup is the working minimum. Critical systems where data loss would cause immediate business harm are usually backed up more frequently - hourly or continuously. Weekly is the bare minimum for any data that the organisation depends on, and even that leaves a substantial recovery gap. The right frequency depends on how much data the organisation could afford to lose, which is why business impact analysis usually drives the decision.

Sometimes, but not always - and most organisations should treat provider backups as supplementary rather than primary. Provider backups are typically designed for service continuity rather than customer data recovery, and they may not protect against accidental or malicious deletion by the customer. Independent customer-side backup of cloud data is increasingly expected, particularly under ISO 27001 Annex A 5.23.

A quick file-level restore test should be carried out at least monthly to confirm backups are running and accessible. A full system restore to a test environment, or equivalent recovery exercise, should be carried out annually. Records of testing should be kept and reviewed at management review.

The accepted minimum is the 3-2-1 rule - three copies of data, on two different types of media, with at least one copy stored off-site. Backups stored on the same server, site or cloud account as the live data are vulnerable to the same incident. Off-site backups also need to be protected from unauthorised access, particularly where they include personal data or commercially sensitive information.

UK Legislation relevant to data backup

UK legislation does not specify backup frequency or method, but several laws require organisations to maintain accurate, available and protected records, which in practice depends on effective backup. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
