Expert Advice Community

Backup policy vs. Backup procedure

Guest user Created: Jan 13, 2016 Last commented: Jan 13, 2016

I have one quick question, if I may. I'm really confused between backup policy and backup procedure. For example, the backup frequency: should I specify the frequency in my policy or in the procedure?

DejanK Jan 13, 2016

Answer:

You should take care not to write the same rules in two different documents - so if you write the frequency in your Backup policy, you should not write the same thing in your Backup procedure.

The difference between these two documents is that the Backup policy defines what you want to achieve with the backup (e.g. frequency), while in the Backup procedure you define the detailed process, roles and responsibilities, etc.

Guest post Jan 13, 2016

Hi,

Please correct me if my understanding is wrong:

When we read ISO 27001:2013, 12.3, we notice that they speak about a backup policy, a backup procedure and a backup plan:

So we should prepare three documents:

- The first one is the backup policy. We should speak about requirements in general, like the backup methods (without choosing the method; we choose the method in the procedure??), different storage media, definition of the backup procedure, definition of the backup plan, the definition of frequency, ...

- The second one is the backup procedure. It is how we should do the backup, meaning I write step by step how I do my backup and who the responsible persons are.

- The third one is the backup plan. We should prepare a plan; in this plan I should note, for each piece of information that needs backup, the frequency of backup (e.g. 2 per week), which type of storage media I should use, the place where I should put my backups (a secure place), ...

Can you please help me understand?

Thank you so much.

AntonioS Jan 13, 2016

The control A.12.3.1 of Annex A of ISO 27001:2013 only speaks about a backup policy, although you can also have a backup procedure (the differences are in the answer of Dejan), but keep in mind that it is not mandatory to have a document for both; it can be a best practice (mainly the backup policy).
The information that you include in the backup plan (frequency of backup, type of storage media, etc.) is the same as the information that is generally included in the backup policy, so you do not need a backup plan if you already have a backup policy.
Anyway, if you are interested in a backup policy, our template can be useful for you (you can see a free version by clicking on the "Free Demo" tab): "Backup Policy": https://advisera.com/27001academy/documentation/backup-policy/

Guest post Jan 13, 2016

Thank you Antonio for your reply, but we have many activities and each activity needs backup, meaning each activity has its own frequency of backup; it depends on the criticality of the activity (I have many plans). So I put all these details in the policy? Is that not too detailed for a policy?? And who should write this policy, the security direction for the information systems?

Thank you.

Guest post Jan 13, 2016

Hello - said:
"Thank you Antonio for your reply, but we have many activities and each activity needs backup, meaning each activity has its own frequency of backup; it depends on the criticality of the activity (I have many plans). So I put all these details in the policy? Is that not too detailed for a policy?? And who should write this policy, the security direction for the information systems?

Thank you."

Frequency depends on the RPO (recovery point objective), which we already have for each activity.

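The point made in the post above, that the backup frequency for each activity follows from that activity's RPO, can be turned into a check that the plan and the actual backup runs are consistent. The following is an added example and not code from this thread or from Advisera: it takes a constructed plan of activities with hypothetical RPO values and a few constructed backup log lines, derives the longest scheduling interval and the "runs per week" figure from each RPO, and flags activities whose last successful backup is older than their RPO. Activity names, RPO values, timestamps and the log format are all invented for the example.

```python
import math
from datetime import datetime, timedelta

# Constructed backup plan (hypothetical values): activity -> RPO in hours.
# The RPO is the maximum tolerable data loss, so it bounds the backup interval.
BACKUP_PLAN = {
    "accounting-db": 4,
    "file-server": 24,
    "crm": 12,
    "hr-portal": 48,   # deliberately has no entries in the log below
}

# Constructed backup log (hypothetical format): "<ISO timestamp> <activity> <status>"
BACKUP_LOG = """\
2016-01-12T20:00:00 accounting-db OK
2016-01-13T00:00:00 accounting-db OK
2016-01-13T04:00:00 accounting-db FAILED
2016-01-12T02:00:00 file-server OK
2016-01-13T02:00:00 crm OK
"""


def required_interval(rpo_hours, safety_factor=0.5):
    """Longest gap to schedule between backup runs for a given RPO.

    Scheduling at a fraction of the RPO (default: half) leaves room for one
    failed run before the RPO is actually breached.
    """
    return timedelta(hours=rpo_hours * safety_factor)


def runs_per_week(rpo_hours, safety_factor=0.5):
    """Translate an RPO into the 'N per week' frequency a plan usually states."""
    return math.ceil(timedelta(days=7) / required_interval(rpo_hours, safety_factor))


def parse_log(text):
    """Parse the constructed log lines into activity -> [(timestamp, status), ...]."""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, activity, status = line.split()
        runs.setdefault(activity, []).append((datetime.fromisoformat(ts), status))
    return runs


def check_rpo(plan, log_text, now):
    """Report activities whose RPO is currently not met.

    `now` may be a datetime or an ISO 8601 string. Returns activity -> age of
    the last successful backup for activities whose last success is older than
    the RPO, and activity -> None for activities with no successful backup at
    all. FAILED runs do not count as backups.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    runs = parse_log(log_text)
    violations = {}
    for activity, rpo_hours in plan.items():
        successes = [ts for ts, status in runs.get(activity, []) if status == "OK"]
        if not successes:
            violations[activity] = None
            continue
        age = now - max(successes)
        if age > timedelta(hours=rpo_hours):
            violations[activity] = age
    return violations


if __name__ == "__main__":
    now = "2016-01-13T08:00:00"   # constructed "current" time for the example
    for activity, rpo in BACKUP_PLAN.items():
        print(f"{activity}: RPO {rpo}h -> schedule every {required_interval(rpo)}, "
              f"{runs_per_week(rpo)} runs/week")
    for activity, age in check_rpo(BACKUP_PLAN, BACKUP_LOG, now).items():
        detail = "no successful backup" if age is None else f"last success {age} ago"
        print(f"RPO NOT MET: {activity}: {detail}")
```

With the constructed data, accounting-db (last success 8 hours ago against a 4-hour RPO) and file-server (30 hours against 24) are reported, crm is within its RPO, and hr-portal is reported because it has no successful run at all. The half-RPO scheduling factor is a design choice of this example, not something the thread prescribes; it is there so that one failed run does not by itself breach the objective.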
AntonioS Jan 13, 2016

From my point of view it is better if you put all the information in the same document, I mean in the backup policy. You can include in the backup policy the details of the frequency of the different activities; it is not a problem.

Regarding your second question, from my point of view, the document could be written by the person responsible for backups (or by an IT expert in backups), and could be reviewed and/or approved by the CISO or by the Head of the IT department.

This article about the CISO may be interesting for you: "What is the job of Chief Information Security Officer (CISO) in ISO 27001?": https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
