Backup

Backup is the process of creating copies of data and systems so that they can be recovered after data loss, ransomware attacks or system failures. A well-functioning backup strategy is one of the most fundamental and critical security measures, and a prerequisite for operational resilience.



    Backup types

    There are three primary backup types, each with distinct advantages and trade-offs:

    • Full backup: A complete copy of all data. Provides the simplest recovery but requires the most storage space and time.
    • Incremental backup: Copies only the data that has changed since the last backup (full or incremental). Fast and storage-efficient, but recovery requires the last full backup plus all subsequent incremental backups.
    • Differential backup: Copies all data that has changed since the last full backup. A middle ground — faster to restore than incremental, but uses more storage.

    Most organisations use a combination: for example, a weekly full backup supplemented by daily incremental backups.
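The restore-chain trade-off described above, worked through as an added example (not code from the original page): a weekly full backup on day 0 followed by daily incremental or differential backups, with constructed sample files and changes, showing which backups a restore needs and how much data each strategy stores.

```python
"""Model a weekly full backup followed by daily incremental or differential
backups; compare restore chains and stored volume for the two strategies."""
from dataclasses import dataclass, field


@dataclass
class Backup:
    day: int
    kind: str                                     # "full", "incremental" or "differential"
    contents: dict = field(default_factory=dict)  # file -> version captured (version = day last modified)


def build_schedule(kind, files, daily_changes, days):
    """Day 0 is a full backup; days 1..days-1 use `kind`. daily_changes[d] = files modified on day d."""
    versions = {f: 0 for f in files}   # version of every file on the live system
    backups = [Backup(0, "full", dict(versions))]
    since_last_backup = {}             # changes since the previous backup of any type (incremental)
    since_full = {}                    # changes since the last full backup (differential)
    for d in range(1, days):
        for f in daily_changes.get(d, ()):
            versions[f] = since_last_backup[f] = since_full[f] = d
        if kind == "incremental":
            backups.append(Backup(d, kind, dict(since_last_backup)))
            since_last_backup = {}
        else:
            backups.append(Backup(d, kind, dict(since_full)))
    return backups


def restore_chain(backups, day):
    """Backups that must be applied, in order, to rebuild the state as of `day`."""
    upto = [b for b in backups if b.day <= day]
    full_idx = max(i for i, b in enumerate(upto) if b.kind == "full")
    after_full = upto[full_idx + 1:]
    if after_full and after_full[-1].kind == "differential":
        return [upto[full_idx], after_full[-1]]   # full + latest differential only
    return [upto[full_idx]] + after_full         # full + every incremental since it


def restore(backups, day):
    """Apply the chain and return file -> version as of `day`."""
    state = {}
    for b in restore_chain(backups, day):
        state.update(b.contents)
    return state


def stored_volume(backups):
    """Total captured entries across the schedule (a proxy for storage used)."""
    return sum(len(b.contents) for b in backups)


if __name__ == "__main__":
    # Constructed sample: five files, a few edits over three days.
    files, changes = {"a", "b", "c", "d", "e"}, {1: {"a"}, 2: {"b"}, 3: {"a", "c"}}
    for kind in ("incremental", "differential"):
        sched = build_schedule(kind, files, changes, 4)
        print(kind, "restore day 3 needs", [b.day for b in restore_chain(sched, 3)],
              "stored entries", stored_volume(sched))
```

Both strategies rebuild the same state; the incremental schedule stores less but needs every backup since the full, while the differential schedule needs only two.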

    The 3-2-1 rule

    The 3-2-1 rule is the most widely recognised best practice for backup strategy:

    • 3 copies: Maintain at least three copies of your data (the original plus two backups).
    • 2 different media: Store the copies on at least two different types of storage media (e.g. local disk and cloud).
    • 1 offsite copy: Keep at least one copy in a physically separate location (e.g. a different data centre or cloud region).


    Modern extension — 3-2-1-1-0:
    Some frameworks extend the rule to 3-2-1-1-0: add one immutable or offline (air-gapped) copy, and verify zero errors through regular restore testing.

    Testing your backups

    A backup that has never been tested is not a backup — it is an assumption. Regular restore tests are essential to verify that data can actually be recovered within the required time frame. This is closely linked to business continuity management and recovery time objectives (RTO).

    Testing should cover both full restores and partial restores of individual files or systems, and should be documented as evidence for audits and compliance.
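One way to make a restore test produce the "zero errors" evidence mentioned above, as an added example that is not part of the original page: a manifest of SHA-256 digests recorded at backup time is compared against the restored tree, so missing and silently corrupted files are reported rather than assumed. The sample files and the simulated restore are constructed inline.

```python
"""Verify a restore against a manifest recorded at backup time.
An empty error list is the evidence that the restore test passed with zero errors."""
import hashlib
import os
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; store it with the backup."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            manifest[os.path.relpath(p, root)] = file_sha256(p)
    return manifest


def verify_restore(manifest, restored_root):
    """Return (relative_path, problem) pairs; an empty list means zero errors."""
    errors = []
    for rel, digest in manifest.items():
        p = os.path.join(restored_root, rel)
        if not os.path.isfile(p):
            errors.append((rel, "missing"))
        elif file_sha256(p) != digest:
            errors.append((rel, "checksum mismatch"))
    return sorted(errors)


def write(root, rel, data):
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed sample: three files backed up; the restore returns one intact,
    one truncated (silent corruption) and one not restored at all."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        write(src, "db/customers.csv", b"id,name\n1,Ada\n")
        write(src, "config.ini", b"[app]\nmode=prod\n")
        write(src, "notes.txt", b"ok\n")
        manifest = build_manifest(src)
        write(dst, "db/customers.csv", b"id,name\n1,Ada\n")   # restored correctly
        write(dst, "config.ini", b"[app]\n")                    # truncated on restore
        return verify_restore(manifest, dst)                    # notes.txt never restored
```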

    Backup and ransomware

    Ransomware attacks specifically target backups to maximise pressure on the victim. Attackers often attempt to encrypt or delete backup copies before deploying the main payload. Effective countermeasures include immutable backups (which cannot be altered once written), air-gapped storage, and robust access control over backup systems.

    A solid backup strategy is the single most effective defence against ransomware, as it removes the attacker’s leverage. This ties directly into your broader incident response plan.

    Regulatory requirements

    Backup is addressed across multiple regulatory frameworks:

    • GDPR: Article 32 requires appropriate technical measures to ensure the ongoing confidentiality, integrity and availability of processing systems, including the ability to restore access to personal data in a timely manner. Backup is a core component of technical and organisational measures.
    • ISO 27001: Control 8.13 (Information backup) requires that backup copies of information, software and system images are maintained and regularly tested in accordance with an agreed backup policy.
    • NIS2: Article 21 requires measures for business continuity, disaster recovery and crisis management, all of which depend on reliable backup. Backup is integral to the NIS2 security measures that essential and important entities must implement.

    Frequently Asked Questions about Backup

    What is the 3-2-1 backup rule?

    The 3-2-1 rule states that you should maintain at least three copies of your data, stored on at least two different media types, with at least one copy kept offsite. It is the most widely recognised best practice for backup strategy.

    How often should backups be tested?

    Backups should be tested regularly — at minimum quarterly, but ideally monthly for critical systems. Testing should include both full and partial restores, and the results should be documented for compliance purposes.

    What is the difference between incremental and differential backups?

    An incremental backup copies only the data changed since the last backup of any type, whilst a differential backup copies all data changed since the last full backup. Differential backups are faster to restore but use more storage space.

    How does backup protect against ransomware?

    Backup removes the attacker’s leverage by enabling you to restore encrypted data without paying a ransom. For effective protection, backups must be immutable or air-gapped so that attackers cannot encrypt or delete them.

    What do GDPR and NIS2 require regarding backup?

    GDPR Article 32 requires the ability to restore access to personal data in a timely manner. NIS2 Article 21 requires measures for business continuity and disaster recovery, both of which depend on reliable, tested backup procedures.
