Purpose

To ensure all critical company data is systematically backed up, securely stored, and recoverable in the event of data loss, corruption, or system failure. This SOP is central to business continuity and regulatory compliance.

Scope

This SOP applies to:

• Cloud platforms (e.g. Google Workspace, Microsoft 365)

• On-premise servers and databases

• Employee workstations/laptops

• SaaS tools containing critical business data (e.g. CRMs, finance apps)

It is executed by the IT team or managed service providers and is relevant to all departments relying on digital infrastructure.

Roles & Responsibilities

• IT Administrator / Backup Manager

• Configures, monitors, and tests backups; restores data upon request.

• System Owners / Department Heads

• Identify critical data assets and notify IT of changes to systems or workflows.

• Compliance Officer

• Reviews backup logs and retention practices for audit and regulatory alignment.

Process Steps

1. Data Inventory & Classification

IT maintains a live inventory of systems and data sources that require backup. Each is classified by criticality:

• Tier 1: Mission-critical (finance data, customer databases, source code)

• Tier 2: Important but not time-sensitive (archived documents, analytics)

• Tier 3: Low-priority or disposable (temp files, logs)

The inventory includes:

• System name

• Data location

• Backup frequency

• Retention period

• Recovery time objectives (RTO) and recovery point objectives (RPO)

2. Backup Schedule & Methods

Backup frequency is based on data tier:

• Tier 1: Nightly full backup + hourly incremental (where supported)

• Tier 2: Daily incremental, full weekly

• Tier 3: Weekly or on-demand

Backup types:

• File-level: For documents, spreadsheets, media

• Image-based/system-level: For entire machines or servers

• Database: Snapshot or dump files with automated rollbacks

Backups are stored in:

• Encrypted off-site cloud storage (primary)

• Local NAS/server for rapid recovery (secondary)

• Immutable storage (for ransomware protection where applicable)

3. Backup Validation & Monitoring

Daily backup jobs are monitored using automated alerts. IT checks for:

• Job completion status

• Data size trends (to detect anomalies)

• Failed job alerts or corrupt files

Weekly validation includes:

• Random file restores to test integrity

• Manual comparison of logs to job reports

• Confirmation that retention policies are enforced

All logs are stored securely and reviewed monthly.

4. Data Recovery Request Process

When data needs to be restored:

1. The user or manager submits a Data Recovery Request Form or IT ticket.

2. The IT team verifies identity and details: file(s), date needed, source system.

3. The recovery method is chosen:

• File-level restore

• System image rollback

• Database import

1. Recovery is initiated and completed within SLA:

• Tier 1: < 4 hours

• Tier 2: < 24 hours

• Tier 3: < 72 hours

Recovered data is verified by the requestor and logged in the recovery register.

5. Disaster Recovery Testing

Quarterly disaster recovery (DR) drills are conducted to simulate:

• Full system failure (e.g. database or VM restore)

• Accidental deletion of cloud folder

• Ransomware scenario with clean restore

Each drill includes:

• Timing of recovery

• Data accuracy verification

• Documentation of gaps or delays

Reports are shared with leadership and used to refine the DR strategy.