Backup Policy vs Backup Plan vs Backup Procedure

Backup Policy vs Backup Plan vs Backup Procedure


Modern-day enterprises implement a flurry of security measures to protect their IT infrastructure from ever-evolving threats. These security measures are present at multiple layers across the infrastructure to act as a strong deterrence to cyber attacks. Because when it comes to maintaining a good security posture, a business must put its best foot forward. Over the years, we have seen that a comprehensive approach, relying on people, process, and technology, yields favorable results for businesses. One such measure that forms a vital component of your security strategy is backup. 

Consider that a ransomware variant has successfully infected a part of your organization’s computer network. It has encrypted data on the infected computer systems, and those systems are now inaccessible. What will you do if one of those systems stores your client data or intellectual property or trade secrets? If you do not have multiple copies of data, you have no other option but to pay the ransom. So, should it be really that case? Well, no. 


Our Cyber Incident Response Team provides an elite response for your organization after a Ransomware or Cyber Extortion Incident. LIFARS executes Bitcoin payments and establishes cyber secure perimeter guided with proper regulatory and legal oversight. Ransomware Response and Cyber Extortion containment is our expertise. 


Importance of backups 

Having multiple copies of data ensures that there is a negligible effect on your business operations. If one of the copies get affected, your company can switch to a different set of data and resume its operations as usual. Apart from cyber attacks, backups protect you from unexpected computer crashes, physical theft of storage devices, failure of hard disk/solid-state drives (HDD/SSD), and physical damage to your laptops or computer systems. 

From an organizational perspective, backups can be either on-site or off-site. On-site backup requires physical infrastructure and off-site backups are possible because of cloud computing. This means that on-site backups involve substantial investments in hardware while off-site backups appear to be a cost-cutting solution. Many of the organizations that we have worked with recently have a document that outlines their backup practices. Some may call it a backup plan, while others may refer to it a backup policy or backup procedure. In the upcoming sections, we explore what each of these documents means along with similarities and differences between them. 


What is a backup policy? 

Control A.12.3.1 of ISO 27001:2013 requires an organization to take and test backup copies of software, information, and system images in line with its backup policy. Further, implementation guidance available for this control in ISO 27002:2013 states that an organization should establish a backup policy to: 

  1. Define its requirements for backup of systems, software, and information; 
  2. Define retention and protection requirements; and 
  3. Ensure the provision of adequate facilities for recovering essential software and information after a media failure or disaster. 

A general interpretation of the implementation guidance hints that a backup policy will be a high-level document. This document will lay down roles and responsibilities, expectations from process/system owners, periodical testing requirements, access-level requirements, documentation needs, etc. 


What is a backup plan? 

Put simply; a backup plan should answer how is your organization taking backups of its software, information, and systems. If you are designing a backup plan, your considerations should include: 

  1. Maintenance of backup copies and creating restoration procedures 
  2. Frequency and extent of backups in line with business requirements, the security of information, and the role of the information involved in your organization’s business continuity 
  3. Storage of backup copies 
  4. Physical and environmental protection for backup copies 
  5. Testing of backup media in line with testing requirements defined in the backup policy 
  6. Encryption requirements for backup copies 

What is a backup procedure? 

As soon as your organization implements a backup plan, regular backups for software, information, and system will start getting created. An operational procedure for backups checks if the execution of backups is proper. It seeks to address the instances where scheduled backups have failed. After finding such instances, an operational procedure should ensure that the requirements given in backup policy and/or backup plan are fulfilled. 


A backup procedure will also cover: 

  1. Regular testing of backup arrangements for systems and services 
  2. Retaining essential business information for the specified duration 
  3. Archival and deletion requirements 


Ending notes 

It is clear from the discussion so far that certain parts of these documents overlap with each other. It would not be correct to say that there is a clear distinction between the three. From what we have seen, some organizations maintain a single document that defines their high-level objectives, execution, and testing of backups. In some cases, an organization may have two documents where one document specifies high-level objectives, and the other document specifies how to achieve those objectives. So, it totally depends on your organization and how it aims to define its backup practices. At the end of the day, the number of documents does not matter, but good security practices most certainly do. We hope that this article clarifies your confusions. If not, tweet us at @LIFARSLLC and let us know.  





  1. ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements 
  2. ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls