- The data backup policy is the strategic governance document that bindingly defines the principles of data backup. It complements the technical backup concept.
- Four questions form the core: Who is responsible? What is backed up? How often? Where to?
- RTO and RPO must be defined for each system category and agreed upon with executive management. IT alone cannot make this decision.
- Cloud services and SaaS applications must be explicitly included. The assumption that the cloud provider backs up the data is a widespread and dangerous misconception.
- Restore tests and their documentation are the most important audit criterion. A backup without a restore test is an unproven hypothesis.
The four questions your data backup policy must answer
When an auditor asks about your data backup, they do not want to see technical configuration details. They want to know whether you have answered the four fundamental questions and whether the answers are documented, approved, and known to those responsible.
- Who is responsible for data backup? Not "IT" but named individuals with clearly defined tasks.
- What is being backed up? Not "everything" but a differentiated inventory that considers the protection requirements of the data.
- How often is data backed up? Not "regularly" but specific intervals derived from business requirements for recoverability. The foundation for this comes from a proper RPO and RTO definition.
- Where is data backed up to? Not "to the backup server" but a well-thought-out strategy with local, offsite, and ideally offline backup.
The data backup policy is the document that provides binding answers to these questions. It defines the strategic framework within which IT plans and executes the technical implementation.
Distinction from the backup concept
The data backup policy and the backup concept are frequently conflated but serve different functions.
The data backup policy addresses all stakeholders: executive management, business departments, IT, ISO. It defines principles, responsibilities, and minimum requirements at an abstract level. It is approved by executive management and is part of the ISMS documentation framework.
The backup concept is directed at the IT department. It contains the technical implementation: specific backup jobs, schedules, software used, storage systems, network architecture, and recovery instructions. It is managed by the IT lead.
In a small organization with a manageable IT landscape, both documents can be combined. In larger organizations, separation is advisable because the concept changes far more often than the policy (new servers, new backup software, changed schedules), and each change to the policy would otherwise require renewed approval by executive management.
Who: Defining responsibilities
The most common mistake in data backup policies: responsibilities are not assigned or are assigned only vaguely. "IT takes care of it" is not enough. Every task needs a named role and ideally a named individual.
Executive management
Executive management approves the policy, provides the necessary resources (budget, personnel, infrastructure), and bears overall responsibility for data backup as part of the ISMS. They decide on acceptable risks (e.g., when a system cannot achieve the defined RPO values due to technical constraints).
Information Security Officer (ISO)
The ISO creates and maintains the data backup policy, monitors compliance, reports to executive management, and initiates the annual review. They coordinate alignment between IT and business departments regarding requirements.
IT management
IT management is responsible for the technical implementation of the policy in the backup concept, procurement and operation of the backup infrastructure, and adherence to the defined backup intervals and retention periods.
Backup administrator
The backup administrator performs the daily operational work: monitoring backup jobs, responding to error messages, conducting restore tests, documenting results, and escalating problems.
Business departments
Business departments define the business requirements for availability (RTO) and data loss tolerance (RPO) for their data and systems. They report new data assets that need to be included in the backup and validate during restore tests that the restored data is correct and complete.
Deputy arrangements
Each of the named roles must have a designated deputy. The policy ensures that data backup functions seamlessly even during vacation, illness, or personnel changes.
What: Defining backup scope
The policy defines which data and systems are backed up — not as an exhaustive list (which would be immediately outdated) but as a classification scheme with clear assignment criteria.
System categories and backup requirements
| Category | Description | Backup interval | RPO | RTO | Examples |
|---|---|---|---|---|---|
| Business-critical | Systems whose failure endangers business operations within hours | Multiple times daily | ≤ 1 hour | ≤ 4 hours | ERP, financial accounting, customer database, email |
| Important | Systems whose failure impacts business operations within days | Daily | ≤ 24 hours | ≤ 24 hours | File server, DMS, project management, intranet |
| Standard | Systems with low immediate business relevance | Weekly | ≤ 7 days | ≤ 72 hours | Development environments, test systems, archives |
| Not backup-relevant | Systems that can be rebuilt or restored from other sources at any time | No backup | n/a | n/a | Local caches, temporary files, publicly available data |
The assignment of specific systems to categories is done jointly by IT and the respective business department and is documented in the backup concept or an annex to the policy. ISMS Lite provides the relevant data backup controls from ISO 27001, BSI IT-Grundschutz, and other frameworks — each with practical implementation guidance that serves as a foundation for system categorization.
What must be backed up
The policy clarifies that the backup must include at least the following elements:
- Application data: Databases, files, emails, documents
- System configurations: Server configurations, network configurations, firewall rules
- Active Directory / Identity Provider: User accounts, group policies, permissions
- Certificates and keys: TLS certificates, signing keys, backup encryption keys (backed up separately!)
- Security infrastructure configurations: Firewall rules, IDS/IPS configuration, SIEM configuration
Cloud services and SaaS
This point deserves special attention because it is missing from many policies. The assumption that cloud providers automatically back up data is widespread and dangerous.
Microsoft 365, Google Workspace, Salesforce, and other SaaS services protect their infrastructure, not your data. Deleted emails, SharePoint documents, or CRM records are irretrievably lost after a limited retention period (typically 30 to 93 days).
The policy must require that SaaS data is included in the data backup strategy and that each cloud service is evaluated to determine whether a separate backup solution is necessary.
How often: Backup intervals and methods
The frequency of backup is derived directly from the RPO (Recovery Point Objective) — the maximum acceptable data loss. If the RPO is one hour, backups must be performed at least hourly.
Backup methods
The policy defines the permitted backup methods:
- Full backup: Complete copy of all data. Foundation of every backup strategy. Due to high storage and time requirements, typically performed weekly or monthly.
- Incremental backup: Backs up only the changes since the last backup (of any type). Storage-efficient, but restoration requires the complete chain of all incremental backups since the last full backup.
- Differential backup: Backs up all changes since the last full backup. Simpler restoration than incremental (only the full backup plus the last differential backup are needed) but growing storage requirements.
- Continuous data protection (CDP): Real-time backup of every change. For business-critical systems with an RPO near zero.
- Snapshot: Point-in-time copy of a storage volume or virtual machine. Quick to create and restore, but does not replace a full data backup.
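The restore-chain difference between incremental and differential backups, and the gap between backups that bounds the achievable RPO, worked through on a constructed backup catalog (an added example, not code from the original page; all timestamps are sample data):

```python
from datetime import datetime

# Constructed backup catalog for one system (sample data, not from the page):
# a weekly full, daily incrementals, one mid-week differential.
CATALOG = [
    ("2024-03-03 02:00", "full"),
    ("2024-03-04 02:00", "incremental"),
    ("2024-03-05 02:00", "incremental"),
    ("2024-03-06 02:00", "incremental"),
    ("2024-03-07 02:00", "differential"),
    ("2024-03-08 02:00", "incremental"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def restore_chain(catalog, restore_point):
    """Return (chain, data_loss): the ordered backups needed to restore the
    newest state at or before restore_point, and the time between that
    backup and the restore point (the data loss actually incurred)."""
    target = _parse(restore_point)
    usable = sorted((_parse(t), kind) for t, kind in catalog if _parse(t) <= target)
    if not usable:
        raise ValueError("no backup exists at or before the restore point")
    chain = []
    i = len(usable) - 1  # the newest usable backup is always needed
    while i >= 0:
        ts, kind = usable[i]
        chain.append((ts.strftime("%Y-%m-%d %H:%M"), kind))
        if kind == "full":
            break  # a full backup completes the chain
        if kind == "differential":
            i -= 1  # a differential depends only on the last full backup
            while i >= 0 and usable[i][1] != "full":
                i -= 1
            continue
        i -= 1  # an incremental depends on the backup directly before it
    if chain[-1][1] != "full":
        raise ValueError("broken chain: no full backup found for this restore point")
    chain.reverse()
    return chain, target - usable[-1][0]

def worst_case_data_loss(catalog):
    """Largest gap between consecutive backups: the RPO this schedule can
    actually guarantee, to be compared with the category's RPO."""
    times = sorted(_parse(t) for t, _ in catalog)
    return max(later - earlier for earlier, later in zip(times, times[1:]))
```

Restoring to the morning of 2024-03-08 needs only three backups (full, differential, incremental), whereas restoring to 2024-03-06 needs the full backup plus every incremental in between; the daily schedule can guarantee an RPO of no better than 24 hours.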
Recommended standard combination
For most mid-market companies, the following has proven effective:
- Business-critical: Daily incremental backup, weekly full backup, additionally CDP or intraday snapshots
- Important: Daily incremental or differential backup, weekly full backup
- Standard: Weekly full backup
Backup windows (time periods during which the backup runs) must be planned so they do not impact production operations. For 24/7 systems, incremental backups or CDP are the only practical approach.
Where to: Storage locations and redundancy
The policy must define the storage strategy. The gold standard is the 3-2-1 rule, extended with offline protection:
Local backup (primary)
First backup copy on local storage systems (dedicated backup server, NAS, SAN). Advantages: fast backup and recovery. The policy requires that local backup storage resides in a separate network segment and is not reachable with the same credentials as the production systems.
Offsite backup
Second backup copy at a geographically separate location. Options: second company location, external data center, cloud backup service. The policy defines minimum requirements: location in the EU (or third country with adequacy decision), encryption in transit and at rest, DPA with the service provider, SLA for recovery times.
Offline backup (air-gapped)
Third backup copy on a medium that is physically disconnected from the network: tape media, external hard drives in a safe, or a storage system that is connected to the network only for the duration of the backup. Given the rise in ransomware attacks, this point is no longer optional. The policy should define offline backup as mandatory at least for business-critical systems, ideally in the form of immutable backups.
Encryption
All backup copies that leave the company premises (offsite, cloud, tape transport) must be encrypted. The policy references the cryptography policy for the permitted algorithms (minimum standard: AES-256) and requires that encryption keys are stored separately from the backup data.
Retention periods
The policy defines minimum retention periods for backup copies:
| Backup type | Minimum retention |
|---|---|
| Daily backups | 30 days |
| Weekly backups | 90 days |
| Monthly backups | 12 months |
| Annual backups | 7 years (or longer, depending on legal requirements) |
The periods consider both business requirements and legal retention obligations (HGB, AO) as well as GDPR deletion obligations. The policy references the deletion concept for coordinating retention and deletion.
Restore tests
Restore tests are the litmus test of every data backup. The policy must define them as a binding obligation, not as an optional recommendation.
- Frequency: Business-critical systems quarterly, important systems semi-annually, standard systems annually.
- Scope: Both individual file restores and complete system restorations. For databases, consistency after the restore must be verified.
- Documentation: Every restore test is documented: date, system, backup date, time required, result, problems identified. Documentation is retained and presented in audits.
- RTO validation: The actual recovery time is compared with the defined RTO. Deviations are escalated and lead to adjustments in the backup concept.
- Business department participation: For restore tests of business-critical systems, the business department validates that the restored data is correct, complete, and usable.
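The RTO validation, business validation, and test-cadence checks above, run over a constructed restore test log (an added example, not code from the original page; the RTO values come from the classification table, the day limits per test interval and the log records are this example's assumptions):

```python
from datetime import datetime

# RTO per system category, in hours, from the classification table above.
CATEGORY_RTO_HOURS = {"business-critical": 4, "important": 24, "standard": 72}
# Maximum days between restore tests (quarterly / semi-annual / annual);
# the exact day counts are this example's assumption.
MAX_DAYS_BETWEEN_TESTS = {"business-critical": 91, "important": 182, "standard": 365}

# Constructed restore test log (sample data, not from the page). Each record
# carries the documentation fields the policy requires.
RESTORE_TESTS = [
    {"system": "ERP", "category": "business-critical",
     "started": "2024-02-10 08:00", "finished": "2024-02-10 10:45",
     "validated_by_business": True},
    {"system": "File server", "category": "important",
     "started": "2024-01-15 09:00", "finished": "2024-01-16 12:30",
     "validated_by_business": False},
    {"system": "Customer DB", "category": "business-critical",
     "started": "2023-11-02 18:00", "finished": "2023-11-02 23:30",
     "validated_by_business": True},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def evaluate_restore_tests(tests, as_of):
    """Compare documented restore tests against the policy: actual recovery
    time vs. RTO, business validation for critical systems, and test cadence.
    Returns a list of human-readable findings (empty list = compliant)."""
    now = _parse(as_of)
    findings = []
    latest = {}  # system -> (category, finish time of the most recent test)
    for t in tests:
        start, end = _parse(t["started"]), _parse(t["finished"])
        hours = (end - start).total_seconds() / 3600
        rto = CATEGORY_RTO_HOURS[t["category"]]
        if hours > rto:
            findings.append(f"{t['system']}: RTO exceeded ({hours:.1f} h > {rto} h)")
        if t["category"] == "business-critical" and not t["validated_by_business"]:
            findings.append(f"{t['system']}: no business department validation")
        prev = latest.get(t["system"])
        if prev is None or end > prev[1]:
            latest[t["system"]] = (t["category"], end)
    for system, (category, last) in latest.items():
        age = (now - last).days
        limit = MAX_DAYS_BETWEEN_TESTS[category]
        if age > limit:
            findings.append(f"{system}: restore test overdue ({age} days, limit {limit})")
    return findings
```

Each finding maps to an escalation the policy already prescribes: an exceeded RTO triggers an adjustment of the backup concept, and an overdue test is a compliance gap for the monthly report.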
Monitoring, reporting, and escalation
The policy governs ongoing monitoring:
- Daily monitoring: Every backup job is monitored automatically. The backup administrator checks the results daily and confirms the check.
- Error handling: Failed backups are analyzed immediately and rerun. Repeated failures are escalated to IT management.
- Reporting: Monthly reports on the data backup status feed into the management review. The report includes: backup job success rate, restore tests conducted, open issues, policy compliance status.
- Capacity planning: IT monitors storage utilization and plans capacity expansions in time, before backups fail due to insufficient space.
Special cases
Mobile devices
Laptops and mobile devices used outside the corporate network must also be included in the data backup strategy. The policy may require that business data on mobile devices is not stored locally but exclusively on central, backed-up systems (cloud drives, DMS). Alternatively, a client backup solution is deployed that backs up laptops even over VPN or the internet.
Databases
Databases require special backup methods (dumps, log shipping, replication) to ensure consistent backups. The policy references the backup concept for technical details and requires that database restores as part of restore tests verify the consistency and integrity of the restored data.
Virtual infrastructure
For virtualized environments, the policy defines whether VM-level backups (entire VM), application-level backups (data within the VM), or a combination is required. VM snapshots alone are not a full backup and must not serve as a substitute for regular data backup.
Example outline
- Purpose and scope
- Terms and definitions — RPO, RTO, full backup, incremental, differential, CDP
- Normative references — ISO 27001 A.8.13, NIS2 Art. 21 No. 3, BSI IT-Grundschutz
- Principles — 3-2-1 rule, encryption requirement, restore test requirement
- Responsibilities — Executive management, ISO, IT management, backup admin, business departments
- System categories and requirements — Classification table with RPO, RTO, interval
- Backup scope — Data, configurations, keys, cloud services
- Backup methods — Full, incremental, differential, CDP, snapshot
- Storage locations — Local, offsite, offline, encryption
- Retention periods
- Restore tests — Frequency, scope, documentation, RTO validation
- Monitoring and escalation
- Reporting — Monthly report, management review
- Special cases — Mobile devices, databases, VMs, SaaS
- Exceptions and risk acceptance
- Review and update
- Effective date and approval
From policy to reliable safety net
The data backup policy is one of the documents that can determine your organization's survival in an emergency. A ransomware attack, a hardware failure, a human error — all of this is manageable if the data backup works. And it only works reliably if the principles are documented, responsibilities are clear, and processes are regularly tested.
ISMS Lite supports you with 583 controls from 11 frameworks, including all relevant data backup requirements with practical implementation guidance. The local AI generates your policy, integrated versioning documents every change, and the approval workflow ensures proper sign-off. This turns the data backup policy from a mandatory document into an effective governance instrument.
Further reading
- Writing a backup policy: Structure, content, and example
- Data backup according to BSI: The 3-2-1 principle and why it alone is not enough
- Backup strategy and restore tests: How to back up data properly
- Business impact analysis (BIA): Identifying critical processes
- Policy lifecycle: From creation to retirement
