BCM-004 Backup Policy and Implementation
Description
Data and system backups are performed at a frequency that satisfies the defined RPO. Backups include application data, system state, and configuration. Backup copies are stored off-site or in a geographically separate cloud region. Backup data is encrypted at rest. Access to backups is restricted to authorised personnel.
Rationale
Backups are the technical mechanism that makes RPO commitments achievable: a backup taken less often than the RPO cannot meet it. Encryption at rest protects the confidentiality of backup contents, off-site or cross-region storage keeps a copy usable after a primary-site failure, and restricted access limits who can read, alter or delete backup data.
Framework Mappings (5)
| Framework | Control ID | Control | Coverage |
| --- | --- | --- | --- |
| CSA CCM | BCR-08 | Backup | full |
| ISO/IEC 27001:2022 Annex A | 8.13 | Information backup | full |
| NIST SP 800-53 | CP-6 | Alternate Storage Site | full |
| NIST SP 800-53 | CP-9 | System Backup | full |
| SOC 2 TSC | A1.2 | Environmental Protections, Software, Data Back-Up Processes, and Recovery Infrastructure | partial |
Evidence (2)
Backup system configuration showing backup frequency, scope, encryption at rest, off-site or cross-region storage, and access restrictions for production data and systems.
Example: AWS Backup plan configuration export or Veeam/equivalent backup policy screenshot showing backup frequency, retention settings, encryption (KMS key or equivalent), storage location (cross-region bucket or off-site), and IAM access policy for backup storage
Test: Review the backup system configuration. Verify: (1) backup frequency meets or exceeds the RPO for each covered service; (2) backup scope includes application data, system state, and configuration; (3) backups are stored in a geographically separate region or off-site location; (4) backup data is encrypted at rest using an approved key; (5) access to backup storage is restricted to named authorised roles.
Backup job completion logs showing successful backup execution at the defined frequency for all critical systems.
Example: AWS Backup job history export, or equivalent backup tool job log, for the past 30 days, showing job name, target resource, start time, completion status, and size
Test: Review backup job logs for the last 30 days. Verify: (1) backup jobs ran at or above the defined frequency for all critical systems; (2) all jobs completed with a success status; (3) any failed backup jobs have a corresponding incident or remediation record; (4) no critical system has a gap in backup coverage exceeding the RPO window.
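The two evidence tests above can be scripted once the exports are in hand. The following is an added example, not part of this control text or of any vendor tool: it checks a plan export against tests (1) to (5) of the configuration review and a job history against tests (2) to (4) of the log review, including the "gap exceeding the RPO window" case. The plan and job record shapes, the per-service RPOs, the primary region, the approved KMS key and the authorised IAM role are all constructed assumptions; real AWS Backup or Veeam exports would need a small mapping step into these dicts.

```python
"""BCM-004 evidence checks: backup plan configuration and job history.

Added example. Record shapes, RPOs, regions, keys and roles are constructed
assumptions, not the AWS Backup export format.
"""
from datetime import datetime, timedelta

REQUIRED_SCOPE = {"application_data", "system_state", "configuration"}
RPO_HOURS = {"prod-db": 1, "app-server": 24}        # assumed per-service RPO
PRIMARY_REGION = "eu-central-1"                      # assumed primary region
APPROVED_KEYS = {"arn:aws:kms:eu-west-1:111122223333:key/backup-cmk"}   # assumed
AUTHORISED_PRINCIPALS = {"arn:aws:iam::111122223333:role/BackupOperator"}  # assumed
WINDOW_START = datetime(2024, 3, 1)                  # review window (constructed)
WINDOW_END = datetime(2024, 3, 31)

# Constructed plan export (hypothetical shape). The second rule is deliberately
# non-compliant: same-region copy and a key that is not on the approved list.
SAMPLE_PLAN = {
    "rules": [
        {"name": "db-hourly", "target": "prod-db", "interval_hours": 1,
         "scope": ["application_data", "configuration"],
         "copy_region": "eu-west-1",
         "kms_key": "arn:aws:kms:eu-west-1:111122223333:key/backup-cmk"},
        {"name": "app-daily", "target": "app-server", "interval_hours": 24,
         "scope": ["application_data", "system_state", "configuration"],
         "copy_region": "eu-central-1",
         "kms_key": "arn:aws:kms:eu-central-1:111122223333:key/default"},
    ],
    # "*" in a backup-vault access policy means anyone can read or delete copies
    "access_principals": ["arn:aws:iam::111122223333:role/BackupOperator", "*"],
}


def check_plan(plan, rpo_hours=RPO_HOURS):
    """Configuration review, tests (1)-(5). Returns findings; empty list = pass."""
    findings = []
    for svc, rpo in rpo_hours.items():
        rules = [r for r in plan["rules"] if r["target"] == svc]
        if not rules:
            findings.append(f"{svc}: no backup rule")
            continue
        if min(r["interval_hours"] for r in rules) > rpo:          # (1) frequency
            findings.append(f"{svc}: interval exceeds RPO of {rpo}h")
        scope = set().union(*(r["scope"] for r in rules))           # (2) scope
        missing = REQUIRED_SCOPE - scope
        if missing:
            findings.append(f"{svc}: scope missing {sorted(missing)}")
        for r in rules:
            if r.get("copy_region") in (None, PRIMARY_REGION):     # (3) off-site copy
                findings.append(f"{r['name']}: no copy outside {PRIMARY_REGION}")
            if r.get("kms_key") not in APPROVED_KEYS:               # (4) approved key
                findings.append(f"{r['name']}: key not approved")
    for p in plan["access_principals"]:                             # (5) named roles
        if p not in AUTHORISED_PRINCIPALS:
            findings.append(f"access: unauthorised principal {p}")
    return findings


def constructed_jobs():
    """Constructed 30-day history for app-server: daily jobs, two failures.
    Day 15 failed with a remediation ticket; day 16 failed with none."""
    jobs = []
    for i in range(30):
        status, ticket = "COMPLETED", None
        if i == 14:
            status, ticket = "FAILED", "INC-1042"     # hypothetical incident ID
        if i == 15:
            status = "FAILED"
        jobs.append({"job": "app-daily", "resource": "app-server",
                     "start": (WINDOW_START + timedelta(days=i)).isoformat(),
                     "status": status, "size_gb": 40, "remediation": ticket})
    return jobs


def check_jobs(jobs, window_start, window_end, rpo_hours=RPO_HOURS):
    """Log review, tests (2)-(4). A gap is any interval between successful
    backups (or between a window edge and a success) longer than the RPO."""
    findings = []
    for j in jobs:
        if j["status"] != "COMPLETED" and not j.get("remediation"):   # (3)
            findings.append(f"{j['job']} {j['start']}: failed without remediation record")
    for svc, rpo in rpo_hours.items():
        ok = sorted(datetime.fromisoformat(j["start"]) for j in jobs
                    if j["resource"] == svc and j["status"] == "COMPLETED")
        if not ok:
            findings.append(f"{svc}: no successful backup in window")
            continue
        points = [window_start] + ok + [window_end]                  # (4) coverage gaps
        for a, b in zip(points, points[1:]):
            if b - a > timedelta(hours=rpo):
                findings.append(f"{svc}: gap {a.isoformat()} -> {b.isoformat()} exceeds RPO")
    return findings


if __name__ == "__main__":
    for f in check_plan(SAMPLE_PLAN):
        print("PLAN:", f)
    for f in check_jobs(constructed_jobs(), WINDOW_START, WINDOW_END, {"app-server": 24}):
        print("JOBS:", f)
```

The gap check deliberately includes the window edges: a service whose last successful backup was two days before the end of the review window has a current coverage gap even if every job in the log succeeded. Note also that a failed job with a remediation record still counts toward the gap calculation, since the remediation ticket does not by itself restore coverage; only a later successful job does.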
Questions (2)
Are data and system backups performed at a frequency that satisfies the defined RPO, with backups stored off-site or in a separate cloud region, encrypted at rest, and access restricted to authorised personnel?
Backups should cover application data, system state, and configuration. Encryption using a managed KMS key and IAM-restricted access to backup storage are expected.
Which of the following characteristics apply to your production backup implementation?
All six characteristics are expected for a production backup implementation that satisfies RPO commitments and audit requirements.