UCL Research Data Information Security Management System Backup and Restore Policy #
Document Name: RISM09-Backup_and_Restore_Policy
Classification: Public
Author: Tim Machin
version: 1.1
Last review: 11/04/2025
Last Reviewed by: Angharad Green
Approved by: OMG
Approved date: 12/03/2025
Review Period: 3 Years
1. Scope #
This policy defines the minimum requirements for the backup and restore of information systems and data within the scope of the Research Data ISMS. Copies of research data stored in Low or Medium Availability Environments do not require backup.
2. Conventions used in this Document #
| Term | Meaning |
|---|---|
| Shall | A Mandatory requirement of this policy |
| Should | A Recommended requirement of this policy |
| May | An Optional requirement |
3. Backup requirements #
- Backups shall be stored in a geographically separate location from the originating asset.
- Backup copies shall be stored in a secure, environmentally-protected and access-controlled location.
- All backup data containing sensitive or confidential information should be encrypted.
- Backup integrity shall be regularly verified to ensure that backups are complete, uncorrupted, and recoverable.
- Automated checks and periodic test restores should be conducted to validate backup processes.
- Daily and incremental backups shall be retained for at least 30 days.
- Weekly backups shall be retained for at least 90 days.
- After the retention period expires, backups shall be deleted within a further 90 days.
4. Restore Requirements #
- Research Data restoration requests shall only be approved by an Information Asset Owner or Information Asset Administrator.
- Information Systems restorations shall only be approved by the Environment Owner, Developer or Administrator.
- Research data shall only be restored to an environment of an equivalent (or higher) tier.
- Access control to restored data shall be maintained.
- Backups shall be tested every 90 days at a minimum.