Backup and recovery is your last line of defence against ransomware, hardware failure, accidental deletion, and disaster. Yet many organisations discover their backups are incomplete, untested, or unrestorable only when they need them. This template defines backup types, retention schedules, recovery procedures, and testing requirements.
Backup Types Explained
| Type | Description | Backup Speed | Recovery Speed | Storage Use | Best For |
|---|---|---|---|---|---|
| Full Backup | Complete copy of all selected data | Slowest | Fastest | Highest (100% each time) | Weekly full (weekends), baseline for incremental/differential |
| Incremental Backup | Only changes since last backup (any type) | Fastest | Slowest (need full + all incrementals) | Lowest | Daily backups — efficient storage use |
| Differential Backup | All changes since last FULL backup | Medium | Fast (need full + latest differential) | Medium | Balance between speed and storage |
| Snapshot | Point-in-time copy (usually block or VM level) | Near-instant | Near-instant | Deduplication-dependent | VMs, cloud resources, database PITR |
| Continuous (CDP) | Every change captured in real-time | Continuous | Near-zero RPO | High | Tier 1 databases, payment systems, zero-RPO requirements |
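
The Recovery Speed column is easiest to see as a dependency chain: an incremental restore needs the full backup plus every incremental after it, while a differential restore needs only the full plus the latest differential. The following is an added example, not part of the original template; the catalogue layout, field names and backup ids are constructed assumptions, with each backup recording the backup it builds on.

```python
from datetime import datetime

# Constructed sample catalogue: Sunday full, then daily backups.
# "parent" is the backup an entry builds on (assumed field, not a real product's format).
CATALOGUE = [
    {"id": "full-0105", "type": "full",         "time": datetime(2025, 1, 5, 2), "parent": None},
    {"id": "inc-0106",  "type": "incremental",  "time": datetime(2025, 1, 6, 2), "parent": "full-0105"},
    {"id": "inc-0107",  "type": "incremental",  "time": datetime(2025, 1, 7, 2), "parent": "inc-0106"},
    {"id": "inc-0108",  "type": "incremental",  "time": datetime(2025, 1, 8, 2), "parent": "inc-0107"},
    {"id": "diff-0108", "type": "differential", "time": datetime(2025, 1, 8, 3), "parent": "full-0105"},
]


class BrokenChain(Exception):
    """A backup required for the restore is missing from the catalogue."""


def restore_chain(catalogue, target, kind):
    """Return the backup ids to apply, oldest first, to restore to `target`
    using full backups plus backups of `kind` ("incremental" or "differential")."""
    by_id = {b["id"]: b for b in catalogue}
    usable = [b for b in catalogue
              if b["time"] <= target and b["type"] in ("full", kind)]
    if not usable:
        raise BrokenChain("no backup at or before the target time")
    node = max(usable, key=lambda b: b["time"])  # newest restore point
    chain = [node["id"]]
    while node["type"] != "full":                # walk back to the baseline full
        parent = by_id.get(node["parent"])
        if parent is None:
            raise BrokenChain(f"{node['id']} depends on missing {node['parent']}")
        node = parent
        chain.append(node["id"])
    return chain[::-1]


if __name__ == "__main__":
    target = datetime(2025, 1, 8, 12)
    print(restore_chain(CATALOGUE, target, "incremental"))
    print(restore_chain(CATALOGUE, target, "differential"))
```

Losing or expiring a single mid-week incremental makes every later incremental restore point unrecoverable, which is why restore tests should exercise the whole chain and not just the latest file.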
Policy Template
DATA BACKUP AND RECOVERY POLICY

Version: 1.0 | Review Date: [DATE] | Owner: [NAME/ROLE]

1. PURPOSE

This policy defines requirements for backing up company data to ensure business continuity and the ability to recover data following system failure, ransomware, or accidental loss.

2. SCOPE

This policy applies to all IT systems, servers, databases, cloud services, and endpoints containing company or customer data.

3. BACKUP REQUIREMENTS

3.1 Recovery Objectives

- Critical Systems (Tier 1): RPO = 1 hour | RTO = 4 hours
- Business Systems (Tier 2): RPO = 4 hours | RTO = 8 hours
- Support Systems (Tier 3): RPO = 24 hours | RTO = 24 hours

3.2 Backup Schedule

- Full backup: Weekly (Sunday 02:00)
- Incremental backup: Daily (Mon–Sat 02:00)
- Database PITR: Continuous (transaction log shipping every 15 minutes for Tier 1)

3.3 Retention Schedule

- Daily backups: Retained for 30 days
- Weekly backups: Retained for 3 months
- Monthly backups: Retained for 12 months
- Annual backups: Retained for 7 years (where legally required)

4. STORAGE AND SECURITY

- All backups must be encrypted at rest (AES-256 minimum)
- Backups must follow the 3-2-1 rule: 3 copies, 2 different media, 1 offsite
- Backup destination must be logically isolated from production (separate account/network)
- Immutable backups required for Tier 1 systems (protect against ransomware)

5. TESTING

Backup tests must be performed:

- Monthly: Restore a sample of critical files to verify integrity
- Quarterly: Full application restore test to isolated environment
- Annually: Full DR exercise — Tier 1 systems restored to RTO/RPO targets
Backup Retention Schedule
| Data Type | Backup Frequency | Retention Period | Storage Tier | Notes |
|---|---|---|---|---|
| Customer Personal Data (GDPR) | Daily + continuous DB | 7 years (tax) / delete on request | Encrypted, immutable | GDPR: retain only as long as necessary |
| Financial Records | Daily + monthly full | 7 years minimum | Cold/archive storage | UK legal requirement |
| Email & Communications | Continuous (Exchange/M365) | 7 years (recommended) | M365 retention policy | eDiscovery and litigation hold |
| Employee Records (HR) | Weekly | 6 years post-employment | Secure cold storage | UK employment law |
| Application Code / Source Control | Continuous (Git) | Permanent | Multiple remote repositories | GitHub + self-hosted mirror |
| Database (Production Tier 1) | Continuous + daily snapshot | 30 days hot, 1 year cold | AWS RDS automated backups | PITR enabled for 35 days |
| Server Configurations | Weekly + on-change | 6 months | Configuration management (Git-backed) | Ansible/Terraform state |