IG1 IG2 IG3

Perform Automated Backups

Control Group: 11. Data Recovery

Asset Type: Data

Security Function: Recover

Description

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.

Implementation Checklist

1

Define recovery objectives (RTO/RPO)

2

Implement recovery capabilities and procedures

3

Test recovery procedures on a regular schedule

4

Document recovery procedures and contact information

5

Identify critical data and systems requiring backup

6

Configure automated backup schedules

7

Verify backup integrity and test restoration

8

Store backups securely with offsite/air-gapped copies

Tool Recommendations

Veeam Data Platform Gartner MQ Leader, Enterprise Backup & Recovery 2024

Enterprise backup, recovery, and data security platform for virtual, physical, cloud, and SaaS workloads

Veeam · Per-workload subscription

Commvault Cloud Gartner MQ Leader, Enterprise Backup & Recovery 2024

Enterprise data protection platform with backup, recovery, ransomware detection, and cyber deception

Commvault · Per-workload subscription

Rubrik Security Cloud Gartner MQ Leader, Enterprise Backup & Recovery 2024

Zero Trust data security platform with immutable backups, ransomware monitoring, and automated recovery

Rubrik · Per-workload subscription

Cohesity DataProtect Gartner MQ Leader, Enterprise Backup & Recovery 2024

Modern data management platform with backup, recovery, ransomware protection, and data governance capabilities

Cohesity · Per-workload subscription

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Data Loss from System Failure Without Current Backups

Availability

Hardware failures, storage corruption, or accidental deletion destroy critical data, and without automated backups running on a defined schedule the organization cannot restore to a recent state, resulting in permanent data loss.

Ransomware Recovery Failure Due to Stale Backups

Availability

After a ransomware attack, the organization discovers that backups are weeks or months old because automated backup schedules were never configured, forcing a choice between paying the ransom or accepting significant data loss.

Business Continuity Failure from Manual Backup Neglect

Availability

Manual backup processes are skipped during busy periods, staff transitions, or organizational changes, creating gaps in backup coverage that are only discovered when data recovery is needed during an incident.

Vulnerabilities (When Safeguard Absent)

No Automated Backup Schedule for Enterprise Assets

Critical enterprise data is not backed up on an automated schedule, relying on manual processes that are inconsistently followed, resulting in unpredictable backup currency and unknown recovery point capability.

Incomplete Backup Scope Missing Critical Data Stores

Automated backups cover some systems but miss critical databases, file shares, SaaS application data, or cloud workloads, leaving significant portions of enterprise data without any backup protection.

Evidence Requirements

Type	Evidence Item	Collection Frequency
Document	Recovery plan documentation	Reviewed annually
Record	Recovery test results and lessons learned	Tested quarterly
Technical	Backup job status reports and success rates	Reviewed weekly
Record	Backup restoration test results	Tested quarterly
Document	Governing policy document (current, approved, communicated)	Reviewed annually

Related Policy Templates

Backup and Recovery Policy

Control 11

Related Safeguards in Control 11

11.1 Establish and Maintain a Data Recovery Process

11.3 Protect Recovery Data

11.4 Establish and Maintain an Isolated Instance of Recovery Data

11.5 Test Data Recovery