Last modified: Version 3.6 October 2025

oboloo Limited is actively aligning with ISO/IEC 27001:2022 and has implemented this Backup Policy in accordance with Annex A controls A.12.3.1 (Information Backup), A.17.1.3 (Testing of backups), and A.9.4 / A.10.1 (Access control and encryption). This policy defines how critical systems and data are backed up, stored, retained, and recovered to support business continuity and information resilience.

This Backup Policy defines the standards and responsibilities for the secure backup, storage, and recovery of oboloo Limited’s data and systems. It ensures that business-critical information is protected against loss or damage and can be restored in the event of an incident such as system failure, data corruption, or cyberattack.

- Backup: A copy of data or system information created for recovery and continuity purposes.
- Disaster Recovery: The processes involved in restoring operations after a disruption.
- Critical Data: Any information essential to business operations, including customer data, application configurations, and financial records.
- Retention Period: The amount of time backup data is preserved before secure disposal.

Company Name: oboloo Limited
Company Number: 12420854
Trading Address: 7 Bell Yard, London, England, WC2A 2JR
Contact: oboloo.com/contact-us

oboloo may revise this policy periodically. All updates will be communicated to staff and service providers where applicable. The latest version will always be accessible on the company intranet or upon request.

This policy should be read alongside the following:
- Information Security Policy
- Access Control Policy
- Incident Response Plan

The purpose of this policy is to:
- Ensure the reliable backup of critical information assets.
- Maintain business continuity and operational resilience.
- Protect against accidental or malicious data loss.
- Support compliance with ISO/IEC 27001:2022 and applicable legal or contractual requirements.

This policy applies to:
- All production systems and applications containing customer or internal data.
- All databases, file servers, cloud storage services, and hosted environments under oboloo’s control.
- All employees, contractors, and third parties involved in backup processes.

Frequency
- Production Databases: Daily incremental backups and weekly full backups.
- Application Configurations & Logs: Backed up weekly or after significant changes.
- Documents and Shared Storage: Backed up nightly.

Storage
- Backups are encrypted in transit and at rest.
- Data is stored in secure, access-controlled, geographically separate locations.
- Redundant copies are maintained to support disaster recovery objectives.

Retention
- Backups are retained for a minimum of 30 days, with longer retention available for contractual or legal compliance.
- Retention schedules are reviewed annually and updated as necessary.

Disposal
- When no longer required, backup data is securely deleted or destroyed using approved erasure methods.
- Backup media (if used) is disposed of via certified destruction providers or hardware sanitisation procedures.

- Backup restore tests are conducted at least twice per year.
- Tests include random file restores, full system recovery simulations, and verification of data integrity.
- Results are documented and reviewed by the Head of Security and retained for audit.

- Backup Strategy (A.12.3.1) - Information backup and retention
- Testing & Validation (A.17.1.3) - Verifying recoverability of data
- Access & Security (A.9.4 / A.10.1) - Access control and encryption

- Review Cycle: Every 6 months or following major infrastructure changes.
- Change Management: All policy changes are logged and communicated to affected personnel.
- Training: Staff involved in backup processes receive appropriate training.

Version: 1.1
Date: April 2025
Description: Initial backup policy aligned to ISO/IEC 27001:2022