Skip to main content

BCD-11: Data Backups

BCD 10 — Critical Protect

Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Control Question: Does the organization create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?

General (52)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) A1.2 A1.2-POF7 A1.2-POF8 CC7.5
CIS CSC 8.1 11.2
CIS CSC 8.1 IG1 11.2
CIS CSC 8.1 IG2 11.2
CIS CSC 8.1 IG3 11.2
COBIT 2019 APO14.10 DSS04.07
CSA CCM 4 BCR-08
GovRAMP Core CP-09
GovRAMP Low CP-09
GovRAMP Low+ CP-09
GovRAMP Moderate CP-09
GovRAMP High CP-09
IEC 62443-4-2 2019 CR 7.3 (11.5.1)
IMO Maritime Cyber Risk Management 3.5.1 3.5.3.7
ISO 27002 2022 8.13
ISO 27017 2015 12.3.1
MITRE ATT&CK 10 T1003, T1003.003, T1005, T1025, T1070, T1070.001, T1070.002, T1119, T1485, T1486, T1490, T1491, T1491.001, T1491.002, T1561, T1561.001, T1561.002, T1565, T1565.001, T1565.003
NIST Privacy Framework 1.0 PR.PO-P3
NIST 800-53 R4 CP-9 SC-28(2)
NIST 800-53 R4 (low) CP-9
NIST 800-53 R4 (moderate) CP-9
NIST 800-53 R4 (high) CP-9
NIST 800-53 R5 (source) CP-9 SC-28(2)
NIST 800-53B R5 (low) (source) CP-9
NIST 800-53B R5 (moderate) (source) CP-9
NIST 800-53B R5 (high) (source) CP-9
NIST 800-53 R5 (NOC) (source) SC-28(2)
NIST 800-82 R3 LOW OT Overlay CP-9
NIST 800-82 R3 MODERATE OT Overlay CP-9
NIST 800-82 R3 HIGH OT Overlay CP-9
NIST 800-171 R2 (source) 3.8.9
NIST 800-171A (source) 3.8.9
NIST 800-171 R3 (source) 03.08.09.a
NIST CSF 2.0 (source) PR.DS-11
PCI DSS 4.0.1 (source) 9.4.1.1 9.4.1.2 12.10.1
PCI DSS 4.0.1 SAQ A (source) 9.4.1.1 12.10.1
PCI DSS 4.0.1 SAQ A-EP (source) 9.4.1.1 12.10.1
PCI DSS 4.0.1 SAQ B (source) 9.4.1.1 12.10.1
PCI DSS 4.0.1 SAQ B-IP (source) 9.4.1.1 12.10.1
PCI DSS 4.0.1 SAQ C (source) 9.4.1.1 12.10.1
PCI DSS 4.0.1 SAQ C-VT (source) 9.4.1.1 12.10.1
PCI DSS 4.0.1 SAQ D Merchant (source) 9.4.1.1 9.4.1.2 12.10.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 9.4.1.1 9.4.1.2 12.10.1
PCI DSS 4.0.1 SAQ P2PE (source) 9.4.1.1 12.10.1
Shared Assessments SIG 2025 K.1
SPARTA CM0056
TISAX ISA 6 5.2.9
SCF CORE Fundamentals BCD-11
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) BCD-11
SCF CORE ESP Level 1 Foundational BCD-11
SCF CORE ESP Level 2 Critical Infrastructure BCD-11
SCF CORE ESP Level 3 Advanced Threats BCD-11
US (29)
Framework Mapping Values
US C2M2 2.1 RESPONSE-4.B.MIL1 RESPONSE-4.J.MIL2
US CERT RMM 1.2 KIM:SG6.SP1
US CISA CPG 2022 2.R
US CMMC 2.0 Level 2 (source) MP.L2-3.8.9
US CMMC 2.0 Level 3 (source) MP.L2-3.8.9
US CMS MARS-E 2.0 CP-9
US DHS CISA TIC 3.0 3.UNI.BRECO
US FedRAMP R4 CP-9
US FedRAMP R4 (low) CP-9
US FedRAMP R4 (moderate) CP-9
US FedRAMP R4 (high) CP-9
US FedRAMP R4 (LI-SaaS) CP-9
US FedRAMP R5 (source) CP-9
US FedRAMP R5 (low) (source) CP-9
US FedRAMP R5 (moderate) (source) CP-9
US FedRAMP R5 (high) (source) CP-9
US FedRAMP R5 (LI-SaaS) (source) CP-9
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(7)(ii)(A) 164.310(d)(2)(iv)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(7)(ii)(A) 164.310(d)(2)(iv)
US HIPAA HICP Medium Practice 4.M.D
US HIPAA HICP Large Practice 4.M.D
US IRS 1075 2.B.5 CP-9
US NERC CIP 2024 (source) CIP-009-6 1.3 CIP-009-6 1.4
US NISPOM 2020 8-603 8-612
US NSTC NSPM-33 6.10
US - NY DFS 23 NYCRR500 2023 Amd 2 500.16(a)(2)(v) 500.16(e)
US - TX DIR Control Standards 2.0 CP-9
US - TX TX-RAMP Level 1 CP-9
US - TX TX-RAMP Level 2 CP-9
EMEA (17)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.5(57)
EMEA EU DORA 12.1 12.1(a) 12.1(b) 12.2
EMEA EU NIS2 21.2(c)
EMEA EU NIS2 Annex 4.1.2(g) 4.2.1 4.2.2(b) 4.2.2(c) 4.2.2(f)
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 8.7
EMEA Germany C5 2020 OPS-06
EMEA Israel CDMO 1.0 25.9
EMEA Saudi Arabia CSCC-1 2019 2-8-1-2 2-8-1-3
EMEA Saudi Arabia IoT CGIoT-1 2024 2-8-1 2-8-2
EMEA Saudi Arabia ECC-1 2018 2-9-3
EMEA Saudi Arabia OTCC-1 2022 2-8 2-8-1 2-8-1-1 2-8-1-2 2-8-1-3 2-8-1-4 2-8-2
EMEA Saudi Arabia SACS-002 TPC-64
EMEA Spain BOE-A-2022-7191 26
EMEA Spain 311/2022 26
EMEA Spain CCN-STIC 825 8.7.7 [MP.INFO.7]
EMEA UK CAF 4.0 B5.c
EMEA UK DEFSTAN 05-138 2504 2505
APAC (9)
Framework Mapping Values
APAC Australia Essential 8 ML1-P8 ML2-P8 ML3-P8
APAC Australia ISM June 2024 ISM-0859 ISM-0991 ISM-1511 ISM-1547 ISM-1548 ISM-1810 ISM-1811
APAC China Cybersecurity Law 34(3)
APAC India SEBI CSCRF PR.IP.S7 PR.IP.S8 RC.RP.S4
APAC Japan ISMAP 12.3.1
APAC New Zealand HISF 2022 HHSP17 HHSP56 HHSP56 HHSP69 HML17 HML56 HML68 HMS11 HSUP15 HSUP15 HSUP48 HSUP60
APAC New Zealand HISF Suppliers 2023 HSUP15 HSUP15 HSUP48 HSUP60
APAC New Zealand NZISM 3.6 6.4.6.C.01
APAC Singapore MAS TRM 2021 8.4.1 8.4.2
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 6.14
Americas Canada OSFI B-13 2.9.1
Americas Canada ITSP-10-171 03.08.09.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to create recurring backups of data, software and/ or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Level 1 — Performed Informally

Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
  • IT personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical systems and services.
  • Business stakeholders develop limited Business Continuity Plans (BCPs) to ensure business-critical functions are sustainable both during and after an incident within Recovery Time Objectives (RTOs).
  • Backups are performed ad-hoc and focus on business-critical systems.
  • Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).
  • IT personnel use a backup methodology (e.g., grandfather, father & s on rotation) to create backups to support business needs (e.g., Recovery Time Objectives).
  • Backups of sensitive/regulated data are cryptographically protected to prevent the unauthorized disclosure and modification of backup information.
Level 2 — Planned & Tracked

Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Business Continuity / Disaster Recovery (BC/DR) management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for BC/DR management.
  • BC/DR roles are formally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Recovery Time Objectives (RTOs) identify business-critical systems and services, which are given priority of service in alternate processing and storage sites.
  • IT personnel develop Disaster Recovery Plans (DRP) to recover business-critical systems and services.
  • Data/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
  • IT/cybersecurity personnel work with business stakeholders to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within Recovery Time Objectives (RTOs).
  • IT personnel use a backup methodology (e.g., grandfather, father & s on rotation) to store backups in a secondary location, separate from the primary storage site.
  • IT personnel configure business-critical systems to transfer backup data to the alternate storage site at a rate that is capable of meeting Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
  • Technologies exist to conduct full, incremental or differential backups (e.g., tape/disk, hybrid cloud or direct-to-cloud).
  • IT personnel use technology to re-image, or configure, assets from configuration-controlled and integrity-protected images or scripts (infrastructure as code).
  • Backups for sensitive/regulated data are cryptographically protected (encrypted and integrity checked) to prevent the unauthorized disclosure and modification of backup information.
Level 3 — Well Defined

Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A formal Business Continuity & Disaster Recovery (BC/DR) program exists with defined roles and responsibilities to restore functionality in the event of a catastrophe, emergency, or significant disruptive incident that is handled in accordance with a Continuity of Operations Plan (COOP).
  • BC/DR personnel work with business stakeholders to identify business-critical systems, services, internal teams and third-party service providers.
  • Specific criteria are defined to initiate BC/DR activities that facilitate business continuity operations capable of meeting applicable RTOs and/or RPOs.- Application/system/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
  • Recovery Time Objectives (RTOs) are defined for business-critical systems and services.
  • Recovery Point Objectives (RPOs) are defined and technologies exist to conduct transaction-level recovery, in accordance with RPOs.
  • Controls are assigned to sensitive/regulated assets to comply with specific BC/DR requirements to facilitate recovery operations in accordance with RTOs and RPOs.
  • IT personnel work with business stakeholders to develop Disaster Recovery Plans (DRP) to recover business-critical systems and services within RPOs.
  • Business stakeholders work with IT personnel to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within RTOs.
  • The data backup function is formally assigned with defined roles and responsibilities.
  • BC/DR personnel have pre-established methods to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.
  • The integrity of backups and other restoration assets are verified prior to using them for restoration.
Level 4 — Quantitatively Controlled

Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to create recurring backups of data, software and/ or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Assessment Objectives

  1. BCD-11_A01 the confidentiality of backup sensitive / regulated data is protected at storage locations.
  2. BCD-11_A02 system components for which to conduct backups of user-level information are defined.
  3. BCD-11_A03 the frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined.
  4. BCD-11_A04 the frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined.
  5. BCD-11_A05 the frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined.
  6. BCD-11_A06 backups of user-level information contained in system components are conducted frequently.
  7. BCD-11_A07 backups of system-level information contained in the system are conducted frequently.
  8. BCD-11_A08 backups of system documentation, including security- and privacy-related documentation are conducted frequently.
  9. BCD-11_A09 the confidentiality of backup information is protected.
  10. BCD-11_A10 the integrity of backup information is protected.
  11. BCD-11_A11 the availability of backup information is protected.

Evidence Requirements

E-BCM-10 Backups

Documented evidence of a Continuity of Operations Plan (COOP)-related data backup scheme that demonstrates the methods of data backup (including protection measures) for all data types to ensure business continuity requirements.

Business Continuity
E-BCM-11 Backups - Local

Documented evidence of event logs for the on-site / local data backup solution.

Business Continuity
E-BCM-12 Backups - Remote

Documented evidence of event logs for the off-site / remote data backup solution.

Business Continuity
E-BCM-13 Backups - Recovery

Documented evidence of a Continuity of Operations Plan (COOP)-related criticality analysis for applications, systems, services, facilities, stakeholders and third-parties.

Business Continuity

Technology Recommendations

Micro/Small

  • Disaster Recovery Plan (DRP)
  • On-site data backup solution
  • Off-site data backup service

Small

  • Disaster Recovery Plan (DRP)
  • On-site data backup solution
  • Off-site data backup service

Medium

  • Disaster Recovery Plan (DRP)
  • On-site data backup solution
  • Off-site data backup service

Large

  • Disaster Recovery Plan (DRP)
  • On-site data backup solution
  • Off-site data backup service

Enterprise

  • Disaster Recovery Plan (DRP)
  • On-site data backup solution
  • Off-site data backup service

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free