Pillar I: ICT Risk Management Framework

Chapter II — ICT risk management

Section IV — Response and recovery

Article 12: Backup policies and procedures, restoration and recovery procedures and methods

Tags: backup, restoration, data-integrity, cyber-resilience

Summary

Establishes requirements for backup policies covering scope, frequency, and recovery methods. Requires that backup and restoration procedures are regularly tested and that backup systems are physically and logically separated from source systems to prevent simultaneous compromise.

Key Requirements

  1. Establish backup policies with defined scope and frequency

  2. Physically and logically separate backup systems from source

  3. Regularly test backup restoration procedures

  4. Ensure backup data integrity and availability

  5. Consider cyber-resilient backup strategies

Detailed Analysis

Article 12 focuses specifically on backup, restoration, and recovery — the last line of defense when systems are compromised, corrupted, or destroyed. In the era of ransomware and destructive cyber attacks, the integrity and availability of backups can determine whether a financial entity survives an incident or faces catastrophic data loss.

The backup policy requirements go beyond simple scheduling. Entities must define the scope of backups (which data and systems are covered), the minimum frequency (based on the criticality or confidentiality of the data, and aligned with the RPOs of critical functions), the retention period, and the methods used. The policy must also address the classification of backup data: a backup of restricted data inherits the classification of its source and requires the same protection controls, including encryption at rest and access control on the backup catalogue and media.

A critical requirement is the physical and logical separation of backup and restoration systems from the primary environment. Article 12 specifies that the ICT systems used to restore backup data must be physically and logically segregated from the source ICT system and protected against unauthorised access and corruption. This addresses the growing threat of ransomware operators who specifically target backup infrastructure before detonating on production. Entities must ensure that a compromise of the production environment cannot cascade to backup systems, which may require air-gapped solutions, immutable (write-once, retention-locked) storage, or geographically separated backup sites. Separation is only as strong as the identity boundary behind it: if the same administrative credentials that run production can also delete backups or shorten their retention, the backups are not logically separated in any meaningful sense. Backup deletion and retention changes should require distinct credentials, ideally with a second approver.

Regular testing of restoration procedures is mandatory. An untested backup is an untrustworthy backup. Testing must validate not just that data can be restored, but that it can be restored within the defined RTO, that the restored data is complete and consistent (every object in the backup manifest is present and matches the integrity value recorded at backup time), and that applications function correctly with the restored data. Tests should restore into the segregated recovery environment rather than over production, and should simulate realistic failure scenarios such as loss of a whole site or a backup set partly overwritten by an attacker, not just controlled restores of individual files.
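The following is an added illustration of a restore-test harness, written for this page; it is not Valendir's code and not part of DORA. It restores a constructed backup set into an isolated target and then checks the three properties a restore test is meant to prove: integrity (each restored object matches the hash recorded at backup time), completeness (nothing from the manifest is missing and nothing extra appeared) and timeliness (the restore finished within the RTO). The manifest format, object names and RTO values are assumptions for illustration; a real test would restore from the entity's actual backup store into its segregated recovery systems.

```python
"""Restore-test harness (added example; hypothetical names and data)."""
import hashlib
import time
from dataclasses import dataclass, field

# Constructed backup store: object name -> bytes as captured at backup time.
BACKUP_STORE = {
    "ledger/2024-05-31.db": b"ledger snapshot bytes",
    "config/app.yaml": b"rpo: 15m\nrto: 4h\n",
    "keys/kms-wrapped.bin": b"\x00\x01\x02wrapped",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Manifest written at backup time. Store it on immutable media alongside the
# backup so a compromised source cannot rewrite both the data and its hashes.
BACKUP_MANIFEST = {name: sha256(data) for name, data in BACKUP_STORE.items()}


@dataclass
class RestoreReport:
    rto_seconds: float
    elapsed_seconds: float = 0.0
    corrupted: list = field(default_factory=list)   # hash mismatch
    missing: list = field(default_factory=list)     # in manifest, not restored
    unexpected: list = field(default_factory=list)  # restored, not in manifest

    @property
    def passed(self) -> bool:
        return (not self.corrupted and not self.missing and not self.unexpected
                and self.elapsed_seconds <= self.rto_seconds)


def restore(store: dict, target: dict) -> None:
    """Copy every object from the backup store into the isolated restore target."""
    for name, data in store.items():
        target[name] = data


def run_restore_test(store: dict, manifest: dict, rto_seconds: float,
                     restore_fn=restore) -> RestoreReport:
    """Restore into a fresh target and verify integrity, completeness and RTO."""
    report = RestoreReport(rto_seconds=rto_seconds)
    target: dict = {}
    start = time.monotonic()
    restore_fn(store, target)
    report.elapsed_seconds = time.monotonic() - start
    for name, expected_hash in manifest.items():
        if name not in target:
            report.missing.append(name)
        elif sha256(target[name]) != expected_hash:
            report.corrupted.append(name)
    report.unexpected = sorted(set(target) - set(manifest))
    return report


def tampered_store() -> dict:
    """Constructed failure: one backup object overwritten after backup time."""
    store = dict(BACKUP_STORE)
    store["ledger/2024-05-31.db"] = b"ENCRYPTED BY RANSOMWARE"
    return store


def partial_store() -> dict:
    """Constructed failure: a backup object was never written (or was deleted)."""
    store = dict(BACKUP_STORE)
    del store["keys/kms-wrapped.bin"]
    return store


def slow_restore(store: dict, target: dict) -> None:
    """Constructed failure: restore that takes longer than the RTO allows."""
    time.sleep(0.05)
    restore(store, target)


if __name__ == "__main__":
    for label, report in [
        ("clean", run_restore_test(BACKUP_STORE, BACKUP_MANIFEST, 60)),
        ("tampered", run_restore_test(tampered_store(), BACKUP_MANIFEST, 60)),
        ("partial", run_restore_test(partial_store(), BACKUP_MANIFEST, 60)),
        ("slow", run_restore_test(BACKUP_STORE, BACKUP_MANIFEST, 0.01, slow_restore)),
    ]:
        print(f"{label:9} passed={report.passed} corrupted={report.corrupted} "
              f"missing={report.missing} elapsed={report.elapsed_seconds:.3f}s")
```

The point of the manifest check is that a backup job reporting "success" says nothing about whether the data is still what was written: the hashes must come from a copy the production environment cannot modify, and the test must fail on any mismatch, not just on an unreadable archive. The RTO check turns the recovery objective from a document statement into a measured result the test either meets or does not.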

Ready to automate compliance with Article 12?

Valendir maps every DORA requirement to actionable controls, evidence, and workflows.
