Hi, i was wondering what evidence a auditor would be looking for when reviewing a Backup/Restore test as advised in A.12.3?
Would screenshots, a step by step procedure be sufficient?
Thanks in advance.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Expert
Rhand Leal
Apr 07, 2019
Answer:
Examples of evidences for Backup/Restore test are:
- A filled form or screenshot identifying which information was requested to be backed up, the requester, the date of request, the date when the backup was performed, the result of the backup procedure (successful / fail) and where the backup was stored.
- A general schedule of the backup to be performed, identifying which information is planned to be backed up, the requester, the dates planned for backup, and where the backup must be stored
- A filled form or screenshot identifying which information was requested to be restored, the requester, the date of request, the date when the restore was performed, and the result of the restore procedure (successful / fail)
A backup procedure can't be used as evidence, because it is the starting point from which the auditor will verify if what was planned is being executed, so the backup procedure by itself is not enough.
This article will provide you further ex planation about backup:
- Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
Examples of evidences for Backup/Restore test are:
- A filled form or screenshot identifying which information was requested to be backed up, the requester, the date of request, the date when the backup was performed, the result of the backup procedure (successful / fail) and where the backup was stored.
- A general schedule of the backup to be performed, identifying which information is planned to be backed up, the requester, the dates planned for backup, and where the backup must be stored
- A filled form or screenshot identifying which information was requested to be restored, the requester, the date of request, the date when the restore was performed, and the result of the restore procedure (successful / fail)
A backup procedure can't be used as evidence, because it is the starting point from which the auditor will verify if what was planned is being executed, so the backup procedure by itself is not enough.
This article will provide you further ex planation about backup:
- Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
Comment as guest or Sign in
Apr 04, 2019
Apr 07, 2019
Apr 07, 2019