Backup policy – How to determine backup frequency

Did you think that the frequency of backup is based on the IT manager’s whims? Or, perhaps, based on the least expensive solution? Well, you are wrong.

Backup policy, or to be precise – the most important part of this policy – how often the backup is to be performed, must be based on analysis. And such analysis must be based on the business value of the data in question.

Recovery Point Objective (RPO) / Maximum Data Loss

This analysis is emphasized in ISO 22301, the leading business continuity standard. It specifies that Recovery Point Objective and Maximum Data Loss have the same meaning: “Point to which information used by an activity must be restored to enable the activity to operate on resumption.” This is basically the answer to the question: how much data can you afford to lose?

The easiest way to perform this kind of analysis is during the business impact analysis (BIA), because that is when you have to complete all these interviews/questionnaires, so a couple more questions won’t disturb anyone. (Read also: Five Tips for Successful Business Impact Analysis.)

Best practice for BIA

When performing the BIA, ask your respondents to list all their databases, applications and files, as well as all services (e.g. email), and to state for each of them separately the acceptable limit of data loss. Usually, this limit is expressed in hours, but sometimes it can also be expressed as a number of transactions or records.

The main criterion in this analysis must be the damage that any potential data loss would cause the company – in terms of money or other impacts such as legal or reputational ones. Also, while doing such analysis it is important not to be distracted by the fact that you already have a backup. The question is – if your existing backup fails, how much data can you really afford to lose?

The result is RPO/Maximum Data Loss – in some cases it will be 24 hours (the data you created in the last 24 hours), in others, perhaps 2 hours, but sometimes you won’t be able to afford the loss of a single bit of information – this is where RPO is zero.

Implications for backup frequency

Let’s take two examples from a bank. In the first example, the loan application process, the bank can probably afford to lose 24 hours of data, because it won’t be very difficult to recreate the data by asking potential clients to send that information again. However, in the case of payment processing, banks typically cannot afford to lose a single transaction – this is because of the huge volume of transactions and the inability to trace back who has given which payment order if all the data is lost.

The conclusions here are actually very simple – if the analysis shows that the RPO/Maximum Data Loss is 24 hours, then you have to perform backup at least once a day; if the RPO is 2 hours, then backup has to be done at least every two hours; if RPO is zero, then you need to have a mirrored site with replication of data in real time.
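The rule above can be checked against real backup history. The following is an added example, not part of the original article: it takes RPO values from a BIA and flags every asset whose longest gap without a backup exceeds its RPO. The asset names, timestamps and function names are constructed for illustration, and each timestamp is assumed to be the point in time a successful backup captured.

```python
from datetime import datetime

# Constructed BIA results: asset -> RPO in hours (0 = no data loss acceptable).
BIA_RPO_HOURS = {"loan_applications": 24, "document_archive": 2,
                 "payment_processing": 0}

# Constructed backup history: asset -> points in time captured by successful backups.
BACKUP_LOG = {
    "loan_applications": ["2024-03-01T01:00", "2024-03-02T01:00", "2024-03-03T01:05"],
    "document_archive": ["2024-03-03T06:00", "2024-03-03T08:00", "2024-03-03T10:00"],
    "payment_processing": ["2024-03-03T00:00", "2024-03-03T12:00"],
}

def worst_gap_hours(timestamps, now):
    """Longest window with no backup, counting the span from the last backup to now."""
    points = sorted(datetime.fromisoformat(t) for t in timestamps) + [now]
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(points, points[1:])]
    return round(max(gaps), 2) if gaps else None

def audit(rpo_hours, backup_log, now, replicated=frozenset()):
    """Return asset -> (status, worst gap in hours or None)."""
    findings = {}
    for asset, rpo in rpo_hours.items():
        if rpo == 0:
            # Periodic backups can never meet an RPO of zero; only
            # real-time replication to a mirrored site does.
            ok = asset in replicated
            findings[asset] = ("ok" if ok else "needs real-time replication", None)
            continue
        gap = worst_gap_hours(backup_log.get(asset, []), now)
        if gap is None:
            findings[asset] = ("no backups found", None)
        elif gap > rpo:
            findings[asset] = ("exceeds RPO", gap)
        else:
            findings[asset] = ("ok", gap)
    return findings

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-03T12:00")
    for asset, (status, gap) in audit(BIA_RPO_HOURS, BACKUP_LOG, now).items():
        print(f"{asset}: {status} (worst gap: {gap} h)")
```

In the constructed data, the nightly loan application backup drifts by five minutes on one run and so exceeds the 24-hour RPO, which is why the scheduled interval should be shorter than the RPO rather than equal to it.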

But, as always, there is also the question of price – someone may say that doing the backup every 2 hours is too expensive. While this may really be so, the real question is what the damage to the whole business would be if you really lost all this data.


Dejan Kosutic