Backup Strategy
Domain 4 — Information Systems Operations and Business Resilience
Definition
A backup strategy defines what data is backed up, how frequently, to what media type, and how backups are stored and retained. Common approaches include full backups, incremental backups, differential backups, and the 3-2-1 rule (three copies, two media types, one offsite). IS auditors evaluate backup strategies by reviewing backup logs, testing restoration procedures, and verifying that backup frequency aligns with RPO requirements.
Real-World Audit Scenario
I audited a law firm that was "backing up" their document management system by copying files to an external hard drive connected to the same server. When I asked when they had last tested a restoration, they admitted they never had. I asked them to restore a single file from three months ago. The file was corrupted because the backup process did not verify data integrity. Worse, the external drive was in the same server room — a fire or flood would have destroyed both the primary data and the "backup."
Common Exam Trap
A backup that has never been tested is not a backup. The exam distinguishes between "backup" (copying data) and "restoration" (recovering from copies). Both are required. Also, offsite storage of backups is critical — on-site backups do not protect against physical disasters.
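The backup types in the definition and the restoration-test point in the exam trap, as an added example that is not part of this study page: a Python script (function names and all sample data are constructed for illustration) that works out which backup sets a restore needs under full, incremental and differential schemes, measures the age of the latest backup against an RPO, checks a set of copies against the 3-2-1 rule, and runs a checksum-based restoration test of the kind that would have flagged the law firm's corrupted file before an auditor asked for it.

```python
import hashlib
from datetime import datetime

# Constructed backup catalogue: (time taken, type, label).
# Assumed semantics: a full copies everything; a differential copies
# everything changed since the last full; an incremental copies
# everything changed since the previous backup of any type.
CATALOGUE = [
    (datetime(2024, 3, 3, 1), "full", "F1"),
    (datetime(2024, 3, 4, 1), "incremental", "I1"),
    (datetime(2024, 3, 5, 1), "incremental", "I2"),
    (datetime(2024, 3, 6, 1), "differential", "D1"),
    (datetime(2024, 3, 7, 1), "incremental", "I3"),
]


def restore_chain(catalogue, target):
    """Labels of the backup sets needed to restore the state as of `target`.
    Start from the latest full at or before the target. A later differential
    supersedes every incremental taken before it (it already holds their
    changes); each incremental after that must be replayed in order."""
    ordered = sorted(b for b in catalogue if b[0] <= target)
    fulls = [b for b in ordered if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup at or before target; restore impossible")
    full = fulls[-1]
    chain = [full[2]]
    for when, kind, label in ordered:
        if when <= full[0]:
            continue  # already covered by the full itself
        if kind == "differential":
            chain = [full[2], label]  # differential replaces earlier incrementals
        else:
            chain.append(label)  # incrementals accumulate
    return chain


def rpo_gap_hours(catalogue, now):
    """Hours of data lost if the primary failed at `now`: the age of the
    most recent backup. This is the figure an auditor compares with the RPO."""
    latest = max(b[0] for b in catalogue)
    return (now - latest).total_seconds() / 3600


def meets_rpo(catalogue, now, rpo_hours):
    return rpo_gap_hours(catalogue, now) <= rpo_hours


def check_3_2_1(copies):
    """Evaluate copies given as (media type, is_offsite) against the 3-2-1 rule."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({media for media, _ in copies}) >= 2,
        "one_offsite": any(offsite for _, offsite in copies),
    }


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_manifest(files):
    """Record a checksum for every file at backup time; without this the
    job cannot distinguish a good copy from a silently corrupted one."""
    return {name: sha256(content) for name, content in files.items()}


def verify_restore(manifest, restored):
    """Restoration test: list files that are missing from the restored set
    or whose content no longer matches the checksum recorded at backup time."""
    problems = []
    for name, digest in manifest.items():
        if name not in restored:
            problems.append((name, "missing"))
        elif sha256(restored[name]) != digest:
            problems.append((name, "corrupted"))
    return problems


if __name__ == "__main__":
    print("restore chain:", restore_chain(CATALOGUE, datetime(2024, 3, 7, 12)))
    print("hours since last backup:", rpo_gap_hours(CATALOGUE, datetime(2024, 3, 8, 13)))
    # The law firm's setup: two copies, same media, same room.
    print("3-2-1:", check_3_2_1([("disk", False), ("disk", False)]))
    manifest = make_manifest({"contract.docx": b"signed v1"})
    print("restore test:", verify_restore(manifest, {"contract.docx": b"signed v\x00"}))
```

The restore-chain function is what a reviewer should ask an operations team to walk through: if the chain for a given date cannot be produced from the catalogue, the retention schedule or the backup rotation is broken even if every individual job reported success.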