Expert Advice Community

Backup policy vs Backup standard

Created:   Apr 16, 2019 Last commented:   Apr 17, 2019

Hi, I work in a company that is owned by a parent company. The parent gives us direction, but the ISO 27001 cert we have only scopes our company and not the parent. Therefore a third party to us? I have been requested to create a backup standard for us and use the parent company's backup policy as a guideline for the standard? If I look at the ISO standard: A.12.3.1 - Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy… My understanding is that you shall conform to the policy and not a standard, so if I create a standard for us (ISO 27001 scope) then I would expect that we do not have a policy, as the parent is not in our scope? Thanks in advance

Expert
Rhand Leal Apr 17, 2019

>1. I work in a company that is owned by a parent company, the parent gives us direction but the ISO 27001 cert we have only scopes our company and not the parent. Therefore a third party to us?

Answer: Since only your company is in the ISMS scope, your parent company can be seen as a third party (like a customer whose requirements you have to fulfill).

>2. I have been requested to create a backup standard for us and use the parent companies backup policy as a guideline for the standard? If I look at the ISO standard: A.12.3.1 – Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy… My understanding is that you shall conform to the policy and not a standard, so if I create a standard for us (ISO 27001 scope) then I would expect that we do not have a policy as the parent is not in our scope?

Answer: Considering control A.12.3.1, you can see as an "agreed policy" either a document developed by your own company, or a requirement defined by an interested party (in this case, your parent company) that you have to fulfill as a guideline for the backup process (what must be done), while the details of how you perform the process are described in your backup standard.

Considering that, you can treat the backup policy of your parent company as a requirement for your ISMS, and this can be used to fulfill the requirements of control A.12.3.1.

This article will provide you further explanation about backup:
- Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
