Expert Advice Community

Sensitive data back up

Guest user | Created: Feb 04, 2017 | Last commented: Feb 04, 2017

If you are in a diagnostic lab environment where you DO NOT want to back up customer sensitive data sent to you for troubleshooting and all systems are not production, is not doing a backup OK? We have an on-demand virtual machine environment that truly does not need backup.
Expert
Rhand Leal Feb 04, 2017

Answer: Your scenario provides a reasonable justification not to back up customer sensitive data, but before going with that decision I would consider what the impact would be if, for any reason, you rendered the data useless for proceeding with the activity during troubleshooting. One example is that you would have to ask the customer to send the data again. What would be the impact of that situation for you (e.g., for the image of the organization)?

If you evaluate that there is no relevant impact in this situation, you can go ahead without doing that backup. If you consider that there may be a relevant impact, you can go for a different backup schedule, say, making a single copy of the data to troubleshoot on, and keeping the original data away from the process, only for as long as the troubleshooting lasts. It's the standard procedure used by forensic investigators to work on evidence and preserve its integrity, and you can adapt it to your availability needs.

This article will provide you further explanation about sensitive data back up:
- Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/

These materials will also help you regarding sensitive data back up:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
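
The single-working-copy approach described in the answer above can be scripted. This is an added example, not part of the original answer or of any Advisera material. The function names and file paths are hypothetical, and deleting both copies when the case closes is an assumption drawn from the question's no-retention requirement.

```python
import hashlib, os, shutil, stat, tempfile
from pathlib import Path

RW, RO = stat.S_IRUSR | stat.S_IWUSR, stat.S_IRUSR

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def make_working_copy(original, workdir):
    """Record the original's hash, lock it read-only, return (copy, hash)."""
    original, workdir = Path(original), Path(workdir)
    baseline = sha256_file(original)
    os.chmod(original, RO)             # original stays out of the troubleshooting process
    workdir.mkdir(parents=True, exist_ok=True)
    work = workdir / original.name
    shutil.copyfile(original, work)    # contents only, so the copy is not read-only
    os.chmod(work, RW)
    if sha256_file(work) != baseline:  # a bad copy is useless as a fallback
        work.unlink()
        raise OSError("working copy does not match the original")
    return work, baseline

def close_case(original, work, baseline):
    """End of troubleshooting: check the original, then remove both copies."""
    intact = sha256_file(original) == baseline
    for p in (Path(work), Path(original)):
        if p.exists():
            os.chmod(p, RW)
            p.unlink()  # plain delete; media sanitisation is out of scope here
    return intact

def demo():
    """Constructed run: damage the working copy, confirm the original survives."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d, "intake", "customer_dump.bin")  # hypothetical path
        src.parent.mkdir()
        src.write_bytes(b"constructed sample customer data\n" * 100)
        work, baseline = make_working_copy(src, Path(d, "scratch"))
        work.write_bytes(b"corrupted during troubleshooting")
        still_good = sha256_file(src) == baseline
        intact = close_case(src, work, baseline)
        return still_good, intact, src.exists() or work.exists()

if __name__ == "__main__":
    print(demo())
```

If `close_case` returns `False`, the original changed during the engagement and the customer may need to resend the data, which is the impact the answer asks you to weigh.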
