Backup and Retention

A policy should be in place that outlines the frequency of backups, the retention period, and the schedule for testing backups. All backups should be tested regularly.

Control Objective

  • Policy is documented, followed, reviewed, updated, and tested regularly
  • Backups are taken and tested regularly in accordance with the backup policy
  • Frequency and completeness should be based on the criticality of the information (e.g. 6 months for high-criticality information)