
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-9-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-9-1

January 17, 2026

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-9-1 – Cybersecurity requirements for backup and recovery management must be defined, documented and approved.

Understanding the Requirement

This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) requires an organization to establish a formal, written backup and recovery policy that is approved by executive management. The policy should define what gets backed up (scope), how quickly systems and data must be recovered after an incident (recovery objectives), how often recovery capability is tested, retention and time limits for backups, and the technologies used to perform and secure backups. The documented and approved policy provides the governance and authority needed to ensure backups are consistent, effective, and auditable.

Technical Implementation

  • Inventory and classify critical assets: Create a list of systems, applications, and data by criticality (e.g., accounting systems, customer databases, email). For each asset record the owner, data sensitivity, and legal or regulatory retention needs. This defines the policy scope and coverage.
  • Set RTO and RPO per asset: Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical asset in the policy. Document acceptable downtime and data loss limits and map them to backup frequency (e.g., transactional DBs—RPO 15 minutes, RTO 1 hour; file shares—RPO 24 hours, RTO 4 hours).
  • Choose technologies and storage strategy: Specify approved backup technologies (on-prem snapshots, agent-based backups, cloud backup services), encryption standards (AES-256 at rest and TLS in transit), and offsite/air-gapped storage. Define criteria for when to use incremental, differential or full backups, and include immutable or write-once storage where available.
  • Retention, lifecycle, and time limits: Define retention periods and archival rules in the policy (e.g., daily backups retained 30 days, monthly archives retained 7 years). Include retention exceptions and disposal processes for expired backups to control storage growth and maintain compliance.
  • Test recovery and validation: Mandate scheduled recovery tests (quarterly full restores, monthly partial restores) and include acceptance criteria. Document test results, time to restore, and remediation steps for failures. Require one simulated incident recovery per year with business stakeholders to validate processes end-to-end.
  • Access control and executive approval: Define who can manage backups, perform restores, and access backup data. Require multi-factor authentication for backup admin accounts and role-based access, and require executive-level approval of the documented policy and of any significant changes to the backup strategy.

Example in a Small or Medium Business

An SMB accounting firm with 40 employees identifies its file server, accounting application database, and email as critical assets. The IT manager documents a backup and recovery policy that lists each system, assigns RTOs and RPOs (accounting DB: RTO 2 hours, RPO 1 hour; file server: RTO 8 hours, RPO 24 hours), and specifies technologies: local daily snapshots plus continuous cloud replication for the database and encrypted cloud backups for file shares. The policy sets retention rules—daily backups retained 30 days, monthly snapshots retained 24 months to meet tax record requirements—and requires immutable snapshots for monthly archives. Quarterly restore tests are scheduled and logged; the IT manager runs a restore drill and records the time-to-recover and any configuration fixes needed. The CEO formally reviews and signs the policy, and the firm enforces access controls with separate backup admin accounts protected by multi-factor authentication. After three months the firm updates the policy to include ransomware-specific recovery steps based on lessons learned during testing, and this change is again approved by executive management.
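The implementation steps above and the SMB example both come down to comparing policy targets (RTO, RPO, retention, test cadence) against backup evidence. The following added example, not taken from the page or from any product, shows one way to automate that comparison; the Asset, BackupRun and RestoreTest schema and all sample values are assumptions constructed to mirror the firm in the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class Asset:              # one row of the policy's scope table (assumed schema)
    name: str
    rpo: timedelta        # max tolerable data loss
    rto: timedelta        # max tolerable time to restore
    retention: timedelta  # how long backups of this asset are kept
@dataclass(frozen=True)
class BackupRun:          # evidence: one completed backup job
    asset: str
    completed_at: datetime
    succeeded: bool
@dataclass(frozen=True)
class RestoreTest:        # evidence: one logged restore drill
    asset: str
    tested_at: datetime
    time_to_restore: timedelta

def rpo_findings(assets, runs, now):
    # Assets whose newest successful backup is older than their RPO (or absent entirely).
    out = []
    for a in assets:
        done = [r.completed_at for r in runs if r.asset == a.name and r.succeeded]
        if not done or now - max(done) > a.rpo:
            out.append(a.name)
    return out

def rto_findings(assets, tests, now, cadence=timedelta(days=90)):
    # No restore test within the cadence (quarterly by default), or the latest test beat the RTO.
    out = {}
    for a in assets:
        recent = [t for t in tests if t.asset == a.name and now - t.tested_at <= cadence]
        if not recent:
            out[a.name] = "no restore test within cadence"
        elif max(recent, key=lambda t: t.tested_at).time_to_restore > a.rto:
            out[a.name] = "last restore exceeded RTO"
    return out

def expired_runs(assets, runs, now):
    # Backups past their asset's retention period, due for the policy's disposal process.
    keep = {a.name: a.retention for a in assets}
    return [r for r in runs if now - r.completed_at > keep[r.asset]]

NOW = datetime(2026, 1, 17, 9, 0)  # constructed sample data mirroring the SMB example
ASSETS = [Asset("accounting-db", timedelta(hours=1), timedelta(hours=2), timedelta(days=30)),
          Asset("file-server", timedelta(hours=24), timedelta(hours=8), timedelta(days=30))]
RUNS = [BackupRun("accounting-db", NOW - timedelta(minutes=30), True),
        BackupRun("file-server", NOW - timedelta(hours=36), True),   # stale against the 24 h RPO
        BackupRun("file-server", NOW - timedelta(days=45), True)]    # past the 30-day retention
TESTS = [RestoreTest("accounting-db", NOW - timedelta(days=20), timedelta(hours=3))]  # over 2 h RTO
```

Run against real job logs and drill records, the three functions produce the evidence an auditor asks for under this control: current RPO breaches, overdue or failed restore tests, and backups awaiting disposal.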

Summary

By documenting scope, recovery objectives, testing cadence, retention limits, approved technologies, and access controls—and securing formal executive approval—SMBs can turn backup activity into a governed, repeatable capability. The written policy sets expectations and authority, while the technical measures (asset inventory, RTO/RPO, encrypted offsite backups, immutable storage, and regular restore testing) ensure those expectations are achievable and auditable. Together they meet the control's requirement that backup and recovery management be defined, documented, and approved.
