How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-9-2

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-9-2

January 17, 2026
3 min read

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-9-2 – The cybersecurity requirements for backup and recovery management must be implemented.

Understanding the Requirement

This control requires an organization to implement formal backup and recovery management procedures that ensure critical data and systems can be reliably restored after a cybersecurity incident. In practice that means documenting scope, selecting appropriate technologies, defining recovery time and point objectives (including coverage for changing data within the last 24 hours), and regularly validating backup effectiveness. This guidance aligns with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is intended to reduce downtime, data loss, and operational impact from incidents such as ransomware, hardware failure, or accidental deletion.

Technical Implementation

  • Inventory and classification: Create and maintain a prioritized list of systems and data to back up (e.g., accounting databases, email, customer records, configuration files). Classify data by criticality so you can assign appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
  • Define RTO/RPO and retention policy: For each critical asset set concrete RTOs and RPOs — for example, RPO of ≤24 hours for transactional systems and RTO of ≤4 hours for the most critical services. Specify retention periods (daily, weekly, quarterly) and include a policy for immutable or offline retention to defend against ransomware.
  • Choose appropriate backup technologies: Use a combination of on-site snapshots for fast recovery and encrypted off-site or cloud backups for disaster resilience. Prefer solutions that support deduplication, automated scheduling, encryption at rest/in transit, and immutability (WORM) or air-gapped copies where feasible.
  • Automate and monitor backups: Implement scheduled backups with automated verification and logging. Configure alerting for failed jobs and periodically review backup job success rates. Store logs centrally so the IT lead can detect missed backups quickly and act.
  • Regular restore testing: Conduct periodic recovery tests (at least quarterly for critical systems) and tabletop exercises. A test should include full restores, application bring-up, and data integrity checks to ensure you can meet declared RTOs and RPOs.
  • Access control and documentation: Restrict backup and restore privileges to a small, documented set of administrators and enforce multi-factor authentication for those accounts. Maintain a recovery runbook with step-by-step restoration procedures and contact lists so an SMB can execute a recovery under pressure.
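The retention bullet above asks for daily, weekly and quarterly copies and for some of them to sit on immutable or offline storage. The script below is an added example, not code from the original guide or from any backup product: it takes a list of snapshot timestamps and applies a grandfather-father-son style policy (keep the newest N dailies, the newest copy in each of the last N ISO weeks, and the newest copy in each of the last N calendar quarters), then reports which copies to keep, which are candidates for pruning, and which should be written to WORM storage. The policy counts, the asset name and the sample snapshot dates are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed retention policy (counts are illustrative assumptions, not ECC values):
# keep the 7 newest dailies, the newest copy from each of the last 4 ISO weeks,
# and the newest copy from each of the last 4 calendar quarters.
POLICY = {"daily": 7, "weekly": 4, "quarterly": 4}


def _newest_per_group(snapshots, key):
    """Group timestamps by key(ts) and return the newest timestamp of each
    group, ordered from the most recent group to the oldest."""
    newest = {}
    for ts in snapshots:
        k = key(ts)
        if k not in newest or ts > newest[k]:
            newest[k] = ts
    return [newest[k] for k in sorted(newest, reverse=True)]


def select_retained(snapshots, policy=POLICY):
    """Return {tier: set(timestamps)} of the snapshots the policy keeps.

    A snapshot absent from every tier is eligible for pruning. The quarterly
    tier may hold fewer entries than the policy asks for when the backup
    history is shorter than the retention window (the edge case a new
    deployment hits for its first year).
    """
    ordered = sorted(set(snapshots), reverse=True)
    return {
        "daily": set(ordered[: policy["daily"]]),
        "weekly": set(
            _newest_per_group(ordered, lambda t: t.isocalendar()[:2])[: policy["weekly"]]
        ),
        "quarterly": set(
            _newest_per_group(ordered, lambda t: (t.year, (t.month - 1) // 3))[
                : policy["quarterly"]
            ]
        ),
    }


def retained(tiers):
    """Union of all tiers: everything that must survive the prune run."""
    return set().union(*tiers.values())


def immutable_copies(tiers):
    """Long-lived copies (weekly and quarterly) are the ones that defend against
    ransomware that dwells for days before detonating, so these are the copies
    to write to WORM / air-gapped storage. Dailies stay on fast local storage."""
    return tiers["weekly"] | tiers["quarterly"]


def prune_plan(snapshots, policy=POLICY):
    """Return (keep, delete) as sorted lists for an operator to review."""
    keep = retained(select_retained(snapshots, policy))
    delete = set(snapshots) - keep
    return sorted(keep), sorted(delete)


def sample_snapshots():
    """Constructed history: one snapshot at 02:00 every day from 2025-09-20 to
    2026-01-17 (120 snapshots), standing in for a real catalogue listing."""
    start = datetime(2025, 9, 20, 2, 0)
    return [start + timedelta(days=i) for i in range(120)]


if __name__ == "__main__":
    snaps = sample_snapshots()
    tiers = select_retained(snaps)
    keep, delete = prune_plan(snaps)
    print(f"{len(keep)} retained, {len(delete)} eligible for pruning")
    for ts in sorted(immutable_copies(tiers)):
        print("WORM copy:", ts.date())
```

Running it against the constructed 120-day history keeps 11 snapshots: the seven most recent dailies, the newest copy of each of the last four ISO weeks, and the newest copy of each of the three quarters that actually have backups. The explicit `(keep, delete)` split is deliberate: a prune job should log what it intends to remove before removing it, so a misconfigured policy shows up in monitoring rather than as missing restore points.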

Example in a Small or Medium Business

Acme Office Supplies (40 employees) designates its accounting system, sales database, and file server as high-priority assets. The IT manager defines RPOs: accounting system RPO = 1 hour, sales database RPO = 4 hours, file server RPO = 24 hours; RTOs are set at 2, 6, and 12 hours respectively. They deploy a hybrid backup solution: local daily snapshots for fast restores and nightly encrypted cloud backups with immutable snapshots retained for 90 days. Incremental backups run every hour for the accounting system and every four hours for the sales database to meet RPOs, while full backups occur weekly. The team automates monitoring and receives alerts for failed jobs; they run a restore test for each critical system every quarter and document the steps in a recovery playbook. Backup access is limited to two administrators, both using MFA, and monthly audits verify backup integrity and retention settings. When a ransomware event encrypts the file server, Acme follows the documented runbook to isolate infected hosts, restores the last clean cloud snapshot, validates data integrity, and resumes operations within the planned RTO with minimal data loss.
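The "Automate and monitor backups" step and the Acme scenario both turn on one check: is the newest successful backup of each asset younger than that asset's RPO? The script below is an added example, not code from the original guide or from any backup product. It parses constructed backup-job log lines, applies the RPO values from the Acme example (accounting 1 hour, sales 4 hours, file server 24 hours), and reports RPO breaches, consecutive failed jobs, and assets that have never reported a backup at all. The log format, the asset names, the evaluation time and the extra `hr-records` asset are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RPO policy: the three Acme values from the text, plus a constructed fourth
# asset that appears in the policy but never in the log (an unmonitored gap).
RPO = {
    "accounting-db": timedelta(hours=1),
    "sales-db": timedelta(hours=4),
    "file-server": timedelta(hours=24),
    "hr-records": timedelta(hours=24),  # assumption: policy entry with no jobs
}

# Constructed backup-job log lines in a key=value format (not real product output).
SAMPLE_LOG = """\
2026-01-17T00:03:10Z asset=accounting-db job=incremental status=success
2026-01-17T01:02:44Z asset=accounting-db job=incremental status=success
2026-01-17T02:01:09Z asset=accounting-db job=incremental status=failed error=snapshot_timeout
2026-01-17T03:01:15Z asset=accounting-db job=incremental status=failed error=snapshot_timeout
2026-01-16T20:00:05Z asset=sales-db job=incremental status=success
2026-01-17T00:00:07Z asset=sales-db job=incremental status=success
2026-01-16T01:30:00Z asset=file-server job=full status=success
2026-01-17T01:31:12Z asset=file-server job=full status=success
"""

# Evaluation time for the report (constructed).
NOW = datetime(2026, 1, 17, 3, 30, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) asset=(?P<asset>\S+) job=(?P<job>\S+) "
    r"status=(?P<status>\S+)(?: error=(?P<error>\S+))?$"
)


def parse_log(text):
    """Turn log lines into dicts sorted by timestamp; malformed lines are
    skipped rather than crashing the monitor, since a missed line must not
    hide the rest of the report."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def evaluate(events, rpo=RPO, now=NOW):
    """Per asset: time of last successful job, its age, whether the RPO is met,
    and how many failures have occurred since that success."""
    report = {}
    for asset, limit in rpo.items():
        own = [e for e in events if e["asset"] == asset]
        last_success = None
        consecutive_failures = 0
        for e in own:  # chronological order, so the counter resets on success
            if e["status"] == "success":
                last_success = e["ts"]
                consecutive_failures = 0
            else:
                consecutive_failures += 1
        age = (now - last_success) if last_success else None
        report[asset] = {
            "last_success": last_success,
            "age": age,
            "rpo": limit,
            # An asset with no successful backup on record can never meet its RPO.
            "rpo_met": age is not None and age <= limit,
            "consecutive_failures": consecutive_failures,
        }
    return report


def violations(report):
    """Assets that should raise an alert to the IT lead."""
    return [a for a, r in report.items() if not r["rpo_met"]]


if __name__ == "__main__":
    rep = evaluate(parse_log(SAMPLE_LOG))
    for asset, r in rep.items():
        state = "OK " if r["rpo_met"] else "ALERT"
        last = r["last_success"].isoformat() if r["last_success"] else "never"
        print(f"{state} {asset:14} last_success={last} rpo={r['rpo']} "
              f"failures_since={r['consecutive_failures']}")
```

With the constructed log, the accounting database is flagged: its last good job was at 01:02 UTC, which at 03:30 is well past the one-hour RPO, and two failures have piled up since. The sales database and file server are within their windows, and `hr-records` is flagged because it has no successful backup at all. That last case matters in practice: a monitor that only iterates over jobs that ran will never notice an asset whose schedule was silently deleted, so the loop is driven by the policy, not by the log.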

Summary

Implementing this control requires a mix of policy and technical measures: inventory and classification, defined RTO/RPO and retention rules, appropriate backup technologies (including immutability and off-site copies), automation and monitoring, restricted access, and regular restore testing. Together these elements ensure an SMB can rapidly detect backup failures, restore critical systems after an incident, and meet the objectives set by the Essential Cybersecurity Controls (ECC – 2 : 2024) for reliable backup and recovery management.
