Backup policy

ISO 27001 does not prescribe responsibilities about backup, so organizations are free to define them as best fulfill their needs.

Considering that, for defining the responsibilities for the backup process, you should analyze potential risks (e.g., lack of knowledge, human error, sabotage, etc.), and applicable legal requirements (e.g., laws, regulations, and contracts), to identify how responsibilities should be defined.

For example, through risk analysis, you may find that there are no relevant risks if the DBA is responsible for taking and storing the Backup, but you may have a contract with a client that defines a different role to be responsible for the backup process (e.g., the backup should be performed and managed by a system administrator).

To see how a backup policy compliant with ISO 27001 looks like, please access the demo template at this link: https://advisera.com/27001academy/documentation/backup-policy/

These articles will provide you a further explanation about defining responsibilities:

• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
• Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

These materials will also help you regarding the definition of responsibilities:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/