Backup and Restore
Document ID: DPWAT-ISMS-PROC-004
Version: 1.0
Owner: Administrator — Anna Boros; Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01 (or on major change)
1. Purpose
Define backup and restore activities, including evidence of restore testing (Annex A control A.8.13).
2. Backup approach (cloud-first)
DP WAT uses SaaS providers with built-in replication/version history. For critical DP WAT-managed information, DP WAT decides whether to maintain an additional independent copy.
Minimum requirement (always):
- Ensure version history/retention features are enabled where applicable.
- Ensure repository access is controlled (MFA, least privilege).
Independent copy decision (must be explicit):
- Option A: Perform periodic exports of critical DP WAT-managed information (e.g., ISMS docs, DP WAT-owned code) to an independent location (encrypted), and test restore.
- Option B: Accept the residual risk of provider catastrophic loss/outage; record acceptance in RA-2026-0001-no-independent-backups.
3. Retention periods
DP WAT relies on cloud provider retention capabilities. Retention periods for critical services:
| Service | Retention | Notes |
|---|---|---|
| Google Workspace (Drive) | Unlimited (version history) | Files retained indefinitely unless manually deleted; deleted items recoverable for 25 days |
| GitHub | Unlimited (Git history) | Full commit history retained; deleted repos recoverable for 90 days |
| iCloud | Unlimited (within storage quota) | Files retained while account active |
| Slack | Per workspace plan | Message history per plan limits; exported archives retained indefinitely |
For services with limited retention, periodic exports are performed if business-critical data is at risk.
4. Restore testing
- Perform restore/integrity testing at least annually (or after major changes).
- Record tests in backup-restore-test-log and attach evidence in
07-records/.
Annual test schedule
| Period | Scope | Owner |
|---|---|---|
| June | Google Drive: verify file restoration from version history | Administrator |
| November | GitHub: verify repository clone from backup or re-clone from remote | CISO |
Additional tests are performed after major changes to backup configurations or provider migrations.