Backup and Recovery Standard
A backup and recovery standard specifies the technical requirements that data protection mechanisms must satisfy to ensure organisational data remains recoverable following loss, corruption, or disaster. This standard establishes minimum requirements for backup frequency, retention duration, recovery speed, geographic distribution, and security controls. Individual systems may impose stricter requirements based on data criticality or regulatory obligations, but no system storing organisational data may operate below these baselines.
The standard applies to all data under organisational control, including data stored in cloud services, on-premises infrastructure, endpoint devices, and third-party platforms where the organisation maintains data ownership. Data managed entirely by third parties under their retention policies falls outside this standard’s direct scope, though vendor assessments must verify adequate backup capabilities exist and recovery testing occurs.
- Backup
- A copy of data created at a specific point in time, stored separately from the primary data, and usable to restore the original data state.
- Recovery Point Objective (RPO)
- The maximum acceptable age of data that can be recovered. An RPO of 4 hours means the organisation accepts losing up to 4 hours of data changes in a recovery scenario.
- Recovery Time Objective (RTO)
- The maximum acceptable duration between failure and restoration of service. An RTO of 2 hours means systems must be operational within 2 hours of a recovery decision.
- Immutable backup
- A backup that cannot be modified, encrypted, or deleted for a defined retention period, even by administrators with full system access.
- Air-gapped backup
- A backup stored on media physically or logically disconnected from production networks, inaccessible to attackers who compromise primary systems.
System tiering
Backup requirements scale with system criticality. Each system must be assigned to a tier based on its role in organisational operations and the impact of its unavailability.
| Tier | Definition | Examples |
|---|---|---|
| Tier 1 | Mission-critical systems whose unavailability halts core operations or creates immediate safety, legal, or financial harm | Finance system, identity provider, case management with active beneficiary data, emergency communications |
| Tier 2 | Business-critical systems whose unavailability significantly impairs operations but does not halt them | Email, collaboration platforms, CRM, HR system, project management |
| Tier 3 | Business-supporting systems whose unavailability causes inconvenience but operations continue through workarounds | Internal documentation, development environments, archived project data |
| Tier 4 | Non-critical systems that can be rebuilt from scratch without significant impact | Test environments, temporary project storage, cached data |
Tier assignment must be documented for each system and reviewed annually or when system function changes materially. Systems processing personal data of vulnerable populations or protection-sensitive information default to Tier 1 regardless of other factors.
Recovery objectives by tier
Recovery objectives establish the maximum acceptable data loss and downtime for each system tier. These objectives drive backup frequency, retention, and recovery infrastructure requirements.
| Tier | RPO | RTO | Recovery verification |
|---|---|---|---|
| Tier 1 | 1 hour | 4 hours | Monthly recovery test to alternate environment |
| Tier 2 | 4 hours | 24 hours | Quarterly recovery test |
| Tier 3 | 24 hours | 72 hours | Semi-annual recovery test |
| Tier 4 | 7 days | 1 week | Annual verification that backup exists |
The RPO directly determines minimum backup frequency. A system with a 4-hour RPO requires backups at least every 4 hours. Transaction log shipping, continuous data protection, or synchronous replication may supplement periodic backups for systems requiring sub-hour RPOs.
The RTO determines recovery infrastructure investment. A 4-hour RTO for a complex system requires pre-provisioned recovery infrastructure, tested runbooks, and on-call personnel. A 72-hour RTO permits cold recovery from stored media with infrastructure provisioned during recovery.
Calculating recovery objectives
Recovery objectives derive from business impact analysis rather than technical convenience. For each system, determine:
- The financial cost per hour of system unavailability (staff idle time, lost transactions, contractual penalties)
- The operational impact of unavailability (beneficiaries unable to receive services, partner coordination disrupted, reporting deadlines missed)
- The data sensitivity and regulatory requirements (personal data, donor requirements, legal holds)
- The reputational impact of extended outage or data loss
A finance system processing £50,000 daily with month-end close deadlines and donor reporting requirements warrants Tier 1 classification with 1-hour RPO and 4-hour RTO. A staff training platform with pre-recorded content and flexible completion deadlines warrants Tier 3 classification with 24-hour RPO and 72-hour RTO.
Backup frequency requirements
Backup frequency must satisfy RPO requirements while accounting for backup duration, system load impact, and storage costs.
| Backup type | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Full backup | Weekly | Weekly | Monthly | Monthly |
| Incremental backup | Every 1 hour | Every 4 hours | Daily | Weekly |
| Transaction log backup (databases) | Every 15 minutes | Every 1 hour | Every 4 hours | Not required |
| Snapshot (virtual machines, cloud resources) | Every 4 hours | Daily | Weekly | Not required |
Full backups capture complete system state but require substantial time and storage. A 500GB database full backup taking 2 hours cannot run hourly. Incremental backups capture only changes since the last backup, completing quickly but requiring the full backup plus all subsequent incrementals for recovery. Transaction log backups for databases enable point-in-time recovery to any moment between backups.
Backup windows
Backups must complete within defined windows to avoid impacting production operations:
| Backup type | Maximum duration | Scheduling constraint |
|---|---|---|
| Full backup | 8 hours | Outside peak usage hours; weekend preferred for large systems |
| Incremental backup | 1 hour | May run during production hours if performance impact under 10% |
| Transaction log backup | 15 minutes | Continuous; no scheduling constraint |
| Snapshot | 30 minutes | May run during production hours |
Backups exceeding their window threshold indicate undersized infrastructure, inefficient backup methods, or excessive data growth requiring architectural review.
Retention requirements
Retention periods determine how long backups remain available for recovery. Retention balances recovery flexibility against storage costs and data protection obligations.
| Retention tier | Daily backups | Weekly backups | Monthly backups | Yearly backups |
|---|---|---|---|---|
| Standard | 7 days | 4 weeks | 12 months | 3 years |
| Extended (regulatory) | 14 days | 8 weeks | 24 months | 7 years |
| Minimal (Tier 4 systems) | 3 days | 2 weeks | 3 months | None |
Standard retention applies to all Tier 1, 2, and 3 systems unless regulatory or contractual requirements mandate extended retention. Extended retention applies to financial records, HR data, and systems subject to donor audit requirements. Minimal retention applies only to Tier 4 systems with no regulatory obligations.
Retention worked example
A Tier 2 email system with standard retention maintains:
- 7 daily backups (one per day for the past week)
- 4 weekly backups (Sundays from the past month)
- 12 monthly backups (first Sunday of each month for the past year)
- 3 yearly backups (January 1 for the past 3 years)
Total backup count: 7 + 4 + 12 + 3 = 26 distinct recovery points spanning 3 years. Storage requirement equals approximately 3x the system’s data size, assuming 60% deduplication efficiency across backup generations.
For a 200GB email system:
- Raw backup data without deduplication: 200GB × 26 = 5,200GB
- With 60% deduplication: 5,200GB × 0.4 = 2,080GB
- With compression (typical 2:1 for email): 2,080GB × 0.5 = 1,040GB
Storage planning must account for data growth. A system growing 20% annually requires storage capacity for projected size at the end of the longest retention period.
Geographic and offsite requirements
Backups must be stored in locations that survive events affecting primary data. A backup stored on the same physical server as production data provides no protection against hardware failure, fire, or ransomware.
| Requirement | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Minimum copy count | 3 | 3 | 2 | 1 |
| Offsite copy required | Yes | Yes | Yes | No |
| Geographic separation | Different region (>100km) | Different site | Different site | Same site acceptable |
| Air-gapped copy required | Yes | Recommended | No | No |
| Immutable copy required | Yes | Yes | Recommended | No |
The 3-2-1 rule provides a baseline: maintain 3 copies of data, on 2 different media types, with 1 copy offsite. For Tier 1 systems, extend this to 3-2-1-1: add 1 immutable or air-gapped copy.
Cloud backup geography
Cloud backups must consider data residency requirements and provider failure scenarios. Backups stored in the same cloud provider region as production data do not survive region-wide outages. Cross-region replication addresses single-region failure but not provider-wide incidents or account compromise.
| Configuration | Protects against | Does not protect against |
|---|---|---|
| Same region, same account | Hardware failure, data corruption | Region outage, account compromise, provider failure |
| Cross-region, same account | Hardware failure, region outage | Account compromise, provider failure |
| Cross-region, separate account | Hardware failure, region outage, single account compromise | Provider-wide failure, coordinated attack on both accounts |
| Different provider | Hardware failure, region outage, primary provider failure | Coordinated attack, data corruption replicated before detection |
Tier 1 systems require backups in at least two of: primary cloud provider cross-region, separate cloud provider, or offline/air-gapped media. This ensures recoverability even if the primary cloud provider experiences complete failure or the organisation’s account is compromised.
Backup security requirements
Backups contain the same sensitive data as production systems and require equivalent security controls. A backup lacking encryption or access controls provides attackers an unprotected copy of organisational data.
Encryption requirements
| Requirement | Specification |
|---|---|
| Encryption at rest | All backups must be encrypted with AES-256 or equivalent |
| Encryption in transit | All backup transfers must use TLS 1.2 or higher |
| Key management | Backup encryption keys must be stored separately from backup data; compromise of backup storage must not expose encryption keys |
| Key rotation | Encryption keys must rotate annually; old keys retained only as long as backups encrypted with them exist |
| Key escrow | Recovery encryption keys must be escrowed such that departure of key custodians does not prevent recovery |
Encryption keys stored alongside backup data provide no protection. An attacker obtaining backup files from cloud storage also obtains the means to decrypt them if keys reside in the same location. Store encryption keys in dedicated key management systems, hardware security modules, or physically separate secure storage.
Access control requirements
| Requirement | Specification |
|---|---|
| Administrative access | Backup system administration limited to dedicated backup administrators; production system administrators must not automatically have backup access |
| Separation of duties | No single individual should be able to both delete production data and delete all backup copies |
| Service accounts | Backup service accounts must have minimum necessary permissions; read-only to source data, write-only to backup storage where possible |
| Access logging | All backup administrative actions must be logged with timestamp, actor identity, and action performed |
| Access review | Backup system access must be reviewed quarterly |
Immutability requirements
Immutable backups cannot be modified or deleted before their retention period expires, even by administrators with full system access. Immutability protects against ransomware that targets backups, insider threats, and accidental deletion.
| Tier | Immutability requirement |
|---|---|
| Tier 1 | At least one backup copy must be immutable for minimum 30 days |
| Tier 2 | At least one backup copy must be immutable for minimum 14 days |
| Tier 3 | Immutability recommended but not required |
| Tier 4 | No immutability requirement |
Immutability mechanisms include:
- Object lock with compliance mode (cloud storage)
- WORM (Write Once Read Many) storage media
- Air-gapped storage disconnected after backup completion
- Separate administrative domain requiring distinct credentials for deletion
Governance mode immutability, which permits deletion by users with special permissions, provides reduced protection compared to compliance mode, which prevents deletion by anyone including cloud provider support. Tier 1 systems require compliance mode or equivalent.
Testing requirements
Untested backups provide false confidence. A backup that cannot be restored is not a backup. Regular testing verifies that backup data is complete, uncorrupted, and recoverable within RTO targets.
| Test type | Purpose | Frequency by tier |
|---|---|---|
| Backup completion verification | Confirm backup jobs complete successfully without errors | Daily (automated) |
| Backup integrity check | Verify backup data is readable and passes checksums | Weekly (automated) |
| File-level recovery test | Restore individual files or records to verify recoverability | Monthly (Tier 1-2), Quarterly (Tier 3-4) |
| System recovery test | Restore complete system to alternate environment and verify functionality | Quarterly (Tier 1), Semi-annually (Tier 2), Annually (Tier 3-4) |
| Disaster recovery exercise | Simulate major incident and execute full recovery procedures | Annually (all tiers) |
Recovery test requirements
System recovery tests must validate actual recoverability, not merely that restoration completes without errors.
| Validation | Requirement |
|---|---|
| Data completeness | Verify record counts match expected values; spot-check specific records |
| Application functionality | Start application and complete representative transactions |
| Integration verification | Confirm connections to dependent systems function correctly |
| Performance baseline | Verify recovered system meets performance requirements |
| Recovery time measurement | Document actual recovery duration and compare to RTO |
Recovery tests must use production backup data restored to isolated environments. Tests using specially prepared test data do not validate production backup recoverability.
Test documentation
Each recovery test must produce documentation including:
- Test date and participants
- System(s) tested
- Backup date and type used
- Recovery procedure followed
- Actual recovery time versus RTO
- Issues encountered and resolution
- Data validation results
- Pass/fail determination
- Remediation actions for any failures
Failed recovery tests require root cause analysis and remediation within 14 days for Tier 1 systems, 30 days for Tier 2, and 60 days for Tier 3-4. Remediation must be followed by successful retest.
Backup monitoring and alerting
Backup failures must be detected and addressed promptly. A failed backup discovered only when recovery is needed provides no value.
| Alert condition | Severity | Response time |
|---|---|---|
| Backup job failure | High | 4 hours |
| Backup completion outside window | Medium | 24 hours |
| Backup size anomaly (>50% change) | Medium | 24 hours |
| Storage capacity warning (>80% full) | Medium | 72 hours |
| Storage capacity critical (>90% full) | High | 24 hours |
| Replication lag exceeds RPO | Critical | 1 hour |
| Immutable backup deletion attempt | Critical | 1 hour |
| Backup encryption failure | Critical | 4 hours |
Alert response must be assigned to specific roles with documented escalation paths. Unacknowledged critical alerts must escalate automatically.
Backup reporting
Regular reporting maintains visibility into backup health and compliance:
| Report | Frequency | Audience |
|---|---|---|
| Backup job status (success/failure) | Daily | Backup administrators |
| Backup compliance summary (systems meeting/missing requirements) | Weekly | IT management |
| Recovery test results | After each test | System owners, IT management |
| Backup storage utilisation and growth trends | Monthly | IT management, finance |
| Backup standard compliance audit | Quarterly | Information security, senior management |
Backup data lifecycle
Backup data follows a defined lifecycle from creation through eventual destruction.
+-------------------------------------------------------------------+| BACKUP DATA LIFECYCLE |+-------------------------------------------------------------------+| || +----------+ +----------+ +----------+ +----------+ || | | | | | | | | || | Create +---->+ Verify +---->+ Store +---->+ Replicate| || | | | | | | | | || +----------+ +----------+ +----------+ +----+-----+ || | || +--------------------------------------------------+ || | || v || +----+-----+ +----------+ +----------+ +----------+ || | | | | | | | | || | Monitor +---->+ Age +---->+ Expire +---->+ Destroy | || | | | | | | | | || +----------+ +----------+ +----------+ +----------+ || || Retention clock starts at creation || Immutability prevents early transition to Expire || Destruction requires verification of newer valid backups || |+-------------------------------------------------------------------+Figure 1: Backup data lifecycle from creation through destruction
Backup destruction must verify that newer backups covering the same data exist and are recoverable before removing older backups. Automated retention policies must include this verification to prevent accidental deletion of the only valid backup copy.
Special considerations
Database backup requirements
Databases require application-consistent backups that capture a transactionally coherent state. File-level backups of database files while the database is running produce corrupted, unrecoverable backups.
| Database backup method | Consistency | Recovery granularity |
|---|---|---|
| Native dump (pg_dump, mysqldump, RMAN) | Application-consistent | Full database or schema |
| Transaction log backup | Application-consistent | Point-in-time |
| Snapshot with quiesce/freeze | Crash-consistent | Point-in-time of snapshot |
| Snapshot without quiesce | Crash-consistent (requires recovery) | Point-in-time of snapshot |
| File copy while running | Inconsistent (unusable) | None |
Tier 1 and Tier 2 databases require point-in-time recovery capability through transaction log backups. A 15-minute transaction log backup interval permits recovery to any point with maximum 15 minutes data loss, satisfying 1-hour RPO with margin.
Cloud service backup requirements
Cloud SaaS applications may not provide native backup capabilities or may retain deleted data for limited periods. The organisation must verify backup coverage for each cloud service.
| Backup scenario | Organisational responsibility |
|---|---|
| Provider offers backup with adequate retention and recovery | Verify provider backup meets standard requirements; document in vendor assessment |
| Provider offers backup with inadequate retention | Implement supplementary backup using API export or third-party backup service |
| Provider offers no backup | Implement backup using API export or third-party backup service; evaluate whether service is acceptable for data classification |
| Provider backup inaccessible to customer | Treat as no backup; implement independent backup |
Cloud provider backup that the organisation cannot independently restore (requiring provider support intervention) does not fully satisfy backup requirements. The organisation must maintain the ability to recover without depending on provider cooperation.
Endpoint backup requirements
Endpoints (laptops, mobile devices) present backup challenges due to intermittent connectivity, diverse locations, and user-controlled data storage.
| Endpoint type | Backup approach | Frequency |
|---|---|---|
| Organisation-managed laptop | Cloud backup agent or sync to organisational storage | Continuous when connected |
| Organisation-managed mobile | MDM-managed backup to organisational cloud | Daily when connected |
| BYOD with organisational data | Organisational data in managed applications with cloud sync; device backup is user responsibility | Per application sync settings |
| Shared/kiosk devices | No local data storage; all data in cloud services | Not applicable |
Endpoint backups must encrypt data before transmission and at rest. Backup of endpoints to personal cloud storage (user’s personal iCloud, Google Drive, or Dropbox) is prohibited for organisational data.
Field office and low-connectivity backup
Offices with limited or intermittent connectivity require adapted backup approaches that function despite bandwidth constraints.
| Connectivity scenario | Backup approach |
|---|---|
| Reliable broadband (>10 Mbps) | Standard cloud backup |
| Limited bandwidth (1-10 Mbps) | Local backup with scheduled replication to central site during off-hours |
| Intermittent connectivity | Local backup to NAS with opportunistic replication; local retention extended to 30 days |
| Offline or severely constrained | Local backup to removable media; periodic physical transport of media to central site |
Field offices with local backup must maintain at least two local copies on separate devices. A single local backup drive provides no protection against device failure, theft, or office-level disaster.
Exceptions
Exceptions to this standard require documented approval from the information security function and the system owner’s management chain. Exception requests must include:
- Specific requirement(s) to be excepted
- Business or technical justification demonstrating why compliance is not feasible
- Compensating controls implemented to reduce residual risk
- Risk assessment with explicit residual risk acceptance by accountable business owner
- Review date (maximum 12 months)
- Accountable individual for ongoing exception management
Systems operating under exception must be reviewed at each exception renewal to determine whether changed circumstances permit standard compliance. Exceptions for Tier 1 systems require senior management approval and quarterly review.