Questions about the backup policy
Do we need to check if these back-ups are running properly, or is that something that the service provider needs to do? As per ISO 27001, is it sufficient if we regularly back up our data and do some mock drill once in a while, or do we need to check every month if these back-ups are OK?
Answer:
Yes, you need to check if your backups are running properly; it is one of the points that you need to consider when designing a backup plan (this is the common document that most companies use, basically to define when and how to perform the backups and tests). Tests can help you to avoid backups with errors, which means you can avoid losing information. And if the backup is performed by a service provider, you can request records that show you that the backup was performed correctly.
By the way, the backup policy is not a mandatory document, but it can be a best practice for your company, so maybe our template can help you (you can see a free version by clicking on the “Free demo” tab): “Backup policy”: https://advisera.com/27001academy/documentation/backup-policy/
Regarding your second question, in Annex A of ISO 27001 you have the control A.12.3.1, which establishes in a clear way that backups should be taken and tested regularly in accordance with an agreed backup policy, so you can establish the frequency that you want for the backups (and tests), so every month can be good to check your backups. Anyway, this article can help you to determine the frequency: “Backup policy – How to determine backup frequency”: https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
Finally, our only course can also be interesting for you because we give interesting information about the security controls of Annex A of ISO 27001: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
Apr 09, 2016