Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-9-3 – The cybersecurity requirements for backup and recovery management must include at least the following:
Understanding the Requirement
This control requires a concise, repeatable program for backup and recovery management that ensures critical data and systems can be restored within acceptable timeframes and without integrity loss. The three listed objectives (2-9-3-1, 2-9-3-2 and 2-9-3-3) collectively point to: (1) identifying what must be backed up and how often, (2) protecting backups from tampering, loss and unauthorized access, and (3) verifying and testing recovery to prove restorability. For an SMB this means documented backup schedules, secure storage and retention rules, access controls and periodic restore testing so recovery works when needed.
Technical Implementation
- Inventory and classify backups: Create a prioritized list of systems and data (finance, customer records, active databases, email) and assign Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) for each. Start with a one-page matrix so technical staff and management agree on what is critical.
- Automate and separate copies: Use automated backup tooling (server snapshots, database dumps, file-level backups) to run on schedules aligned to your RPOs. Keep at least three copies using the 3-2-1 rule: primary, local backup (on-site), and an off-site or cloud copy. For higher assurance, keep an immutable or air-gapped copy to protect against ransomware.
- Encrypt and control access: Encrypt backup data both in transit and at rest, and limit access to backup systems with role-based access controls and multi-factor authentication for admin accounts. Store encryption keys separately from backup storage to reduce single points of failure.
- Retention and secure deletion: Define retention periods that meet legal and business needs, and implement automated retention enforcement. Securely delete expired backups to reduce data exposure, while ensuring retention meets regulatory requirements.
- Regular verification and recovery testing: Schedule and document restore tests at least quarterly for critical systems and annually for less-critical items. Tests must validate integrity (data checksums), application functionality after restore, and timing against RTO targets. Record test results and follow up on any issues.
- Monitoring, logging and incident integration: Monitor backup jobs and alert on failures or anomalies. Centralize logs for backup activity and integrate backup status into incident response playbooks so restore actions are prioritized during an outage.
Example in a Small or Medium Business
Acme Accounting, a 25-person firm, identified client ledgers and tax files as critical assets and set an RPO of 4 hours and an RTO of 8 hours for those systems. They implemented nightly full backups and hourly incremental backups for the primary file server, using a cloud backup vendor plus a local NAS that keeps rolling snapshots for 30 days. Backups are encrypted with enterprise keys stored in the firm's hardware security module, and only two administrators have MFA-protected access to the backup system. Once a quarter the IT lead performs a documented restore test that restores a representative client file to a sandbox VM and validates file integrity and application behavior; results are tracked in a shared log and any discrepancies trigger process changes. They also retain backups for seven years for archived tax files to meet compliance and securely purge expired copies. During a ransomware incident, the documented restore procedures and immutable cloud copy allowed the firm to recover within their RTO with minimal client impact.
Summary
By combining a clear inventory and prioritization of critical data, automated and separated backup copies, encryption and strict access controls, enforced retention and deletion, and regular restore testing, an SMB can meet the backup and recovery management requirements of Control 2-9-3. These policy and technical measures ensure backups are reliable, protected from tampering, and demonstrably restorable within business-acceptable timeframes—minimizing downtime, data loss and compliance risk.