Backup and Restoration Procedure Free Template

Here is a complete Backup and Restoration Procedure document (PRC-IT-006) aligned with ISO 27001 and SOC 2 Availability Trust Services Criteria (A1.1, A1.2):

1. Document Control

  • Document Title: Backup and Restoration Procedure

  • Document Identifier: PRC-IT-006

  • Version Number: v1.0

  • Approval Date: <24 June 2025>

  • Effective Date: <24 June 2025>

  • Review Date: <24 June 2026>

  • Document Owner: <Director of IT Operations>

  • Approved By: <Information Security Governance Committee>

2. Purpose

The purpose of this Backup and Restoration Procedure is to ensure that the organization can reliably recover data and systems in the event of data loss, corruption, system failure, or disaster. It establishes a formal process for securely backing up critical data, validating backup integrity, and restoring systems within recovery time objectives (RTOs) and recovery point objectives (RPOs).

This procedure supports compliance with ISO/IEC 27001:2022 control A.8.13 and the SOC 2 Availability criteria (A1.1, A1.2), which require organizations to implement mechanisms that restore data to a consistent state and maintain system availability in the event of an incident.

3. Scope

This procedure applies to all information systems, applications, databases, and infrastructure components classified as critical or high priority under the organization's business impact analysis (BIA). It covers both on-premises and cloud-hosted environments and includes data generated, stored, or processed by employees, contractors, and third-party systems under the organization's control.

Excluded from scope are personal devices not enrolled in corporate endpoint management and data classified as "low importance" as defined in the Information Classification Policy.

4. Policy Statement

The organization shall implement a robust and automated backup management process that ensures:

  1. Critical systems and data are backed up at a frequency aligned with business requirements.

  2. Backup copies are stored securely, both onsite and offsite/cloud-based.

  3. Encryption is enforced for data-at-rest and in-transit within backup environments.

  4. Backups are regularly tested to confirm integrity and restorability.

  5. Recovery operations are documented, tested, and refined at least annually.

  6. Backup failures or anomalies are logged and escalated for resolution within SLA.

  7. Backup retention policies comply with regulatory, legal, and business obligations.

All employees responsible for managing backup systems must comply with this procedure, and any changes to backup scope or tools must go through change management.

5. Safeguards

Each safeguard is listed by Control ID with its description:

  • BU-01: All production systems are backed up daily, using a combination of incremental and full backup strategies.

  • BU-02: Backups are encrypted both at rest and during transmission.

  • BU-03: Weekly integrity tests and monthly restoration drills are conducted for critical backups.

  • BU-04: The backup retention policy enforces 90 days for daily backups, 12 months for monthly backups, and 7 years for annual backups.

  • BU-05: Backups are stored in geographically diverse locations (on-premises and cloud region redundancy).

  • BU-06: A central backup monitoring dashboard tracks backup job success/failure status.

  • BU-07: Restoration procedures are documented and tested annually with business units.

  • BU-08: Logs of all backup jobs are retained for a minimum of 12 months for audit review.

6. Roles and Responsibilities

  • Director of IT Operations: Oversees the entire backup and restoration program, including reviews and tool selection.

  • Backup Administrator: Executes and monitors daily backup jobs, reports anomalies, and performs restorations.

  • IT Security Team: Ensures backups meet encryption, access control, and monitoring requirements.

  • System/Application Owners: Validate backup scopes and participate in restoration tests.

  • Disaster Recovery Team: Coordinates backup restoration activities during a declared disaster.

  • Compliance and Audit: Conduct reviews and ensure that documentation and evidence are sufficient for regulatory audits.

7. Compliance and Exceptions

Compliance is measured via system logs, job status dashboards, monthly metrics, and annual testing results. Failures to meet backup SLAs are escalated within 24 hours, and a root cause analysis is documented.

Any deviation from backup requirements must be formally requested via the Backup Exception Form and approved by the Director of IT Operations. All approved exceptions must include alternate safeguards and a time-bound review date.

8. Enforcement

Failure to follow this procedure may result in disciplinary action, including written warnings, temporary suspension of system access, or termination, depending on the severity and intent. Contractors or third-party vendors who violate this procedure may face contract termination or penalties.

Regulatory breaches caused by backup failure due to negligence may also lead to legal consequences, liability for damages, and incident disclosure obligations. Enforcement will be governed by HR, Legal, and Information Security leadership.

9. Related Policies/Documents

  • POL-ALL-010: Backup and Recovery Policy

  • POL-ALL-017: Business Continuity Policy

  • PRC-ALL-011: Backup and Recovery Testing Procedure

  • ISO/IEC 27001:2022 Control A.8.13

  • SOC 2 Trust Criteria: A1.1 (Availability), A1.2 (Recovery Procedures)

  • Disaster Recovery Plan

  • Change Management Policy (POL-ALL-009)

10. Review and Maintenance

This document shall be reviewed annually or upon significant changes in systems, infrastructure, or business continuity requirements. The review is owned by the Director of IT Operations and must be approved by the Information Security Governance Committee.

Version history and change records shall be maintained in the centralized document repository for audit purposes.

Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
