Encryption for Backup/Restore
1 - Do we need to encrypt all data during the backup/Restore process or not?
2 - If yes, do we need to encrypt all the data or do we need to classify the data?
3 - Who will decide what data should be encrypted?
1 - Do we need to encrypt all data during the backup/Restore process or not?
According to ISO 27001, the need for encryption of backup tapes will depend on the results of risk assessment and identified legal requirements.
If you do not have risks, or legal requirements, that justify the implementation of encryption, you do not need to implement it.
This article will provide you with a further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
2 - If yes, do we need to encrypt all the data or do we need to classify the data?
In case you have risks or legal requirements that justify implementing encryption, the data to be encrypted will depend on the rules defined by the organization, usually defined in the Information Classification Policy.
So, before defining which data will be classified, you will need to classify it first.
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
3 - Who will decide what data should be encrypted?
The person who will decide if data should be encrypted or not is the person responsible for the data (called the information owner in ISO 27001). The decision will be related to the classification level attributed to the data.
Oct 05, 2021