| Document ID | ISMS-POL-003 |
| Version | 0.1 |
| Status | Draft |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | pending — annually, or on material change |
| Annex A controls | A.5.24 (planning and preparation), A.5.25 (assessment and decision on events), A.5.26 (response), A.5.27 (learning), A.5.28 (collection of evidence), A.6.8 (reporting) |
This policy ensures that information security events affecting
BackupExperts or its customers are detected, classified, contained,
remediated, and learned from in a way that minimises harm to customers
and to BackupExperts, and meets contractual and regulatory reporting
obligations.
This policy applies to any event that may affect the confidentiality,
integrity, or availability of information assets in the ISMS Scope,
regardless of whether the event originates inside or outside
BackupExperts. This includes, but is not limited to, suspected
unauthorised access, ransomware, data loss, lost or stolen devices,
phishing, malicious insider activity, supplier compromise, and material
configuration errors.
| Term | Meaning |
|---|---|
| Event | An observed occurrence in a system or service that may indicate a breach of policy, control failure, or previously unknown situation that may be relevant to security. |
| Incident | An event (or series of related events) that has been confirmed to compromise — or to have a non-trivial likelihood of having compromised — the confidentiality, integrity, or availability of an information asset. |
| Major incident | An incident at severity 1 or 2 (see §6). |
| Personal data breach | An incident that constitutes a personal data breach as defined in GDPR Article 4(12). |
| Incident Manager | The role accountable for coordinating response to a specific incident. |
Every BackupExperts staff member, contractor, and supplier with
contractual access to BackupExperts systems is required to report any
suspected event without delay.
There is no penalty for reporting in good faith, even where the
report later turns out to be a false positive. Failure to report a
known event is, however, a disciplinary matter.
Every incident moves through the following phases. The phase and its
date are recorded in the incident register
(planned).
| Sev | Definition | Examples | Initial response time |
|---|---|---|---|
| 1 — Critical | Confirmed breach of customer data confidentiality or integrity; ransomware in customer environment; total loss of a service. | Backup data exfiltrated; customer environment encrypted by attacker; backup target deleted. | Immediate, 24/7 |
| 2 — High | Strong indication of breach pending confirmation; partial loss of a service; incident affecting multiple customers. | Compromise of a privileged BackupExperts account; persistent backup failure across multiple customers. | Within 1 hour, 24/7 |
| 3 — Medium | Single-customer or single-system event with no confirmed breach. | Single failed restore that may indicate corruption; phishing reaching staff inbox without engagement. | Within 4 business hours |
| 4 — Low | Policy or control deviation with negligible immediate impact. | A test restore overran its window; a missing acknowledgement record. | Next business day |
Severity may be revised as facts emerge; the original and revised
severities are both recorded.
The Operator and the Incident Manager preserve evidence in a form that
remains admissible in any subsequent investigation:
Evidence handling follows Annex A.5.28 and any applicable customer
contract terms.
| Role | Responsibility |
|---|---|
| Reporter | Report the event without delay; preserve evidence; do not act unilaterally beyond immediate self-protection. |
| Information Security Officer | Triage events; assign severity; appoint Incident Manager; own end-to-end ISMS lifecycle of the incident. |
| Incident Manager | Run the response: contain, eradicate, recover, communicate. Owns the incident-register entry until close. |
| Operator(s) | Execute technical actions under the Incident Manager's direction. |
| Communications Lead | Draft and send customer and regulator notifications. May be the Information Security Officer. |
| Managing Director | Is notified of all Sev 1 and Sev 2 incidents; approves regulator notifications and the engagement of external IR specialists. |
For small incidents, several roles may be held by a single person.
Separation of Operator and Incident Manager is preserved wherever
practicable.
Incident response is exercised at minimum annually using a tabletop
scenario covering at least one of: customer ransomware, BackupExperts
account compromise, supplier compromise. Outcomes and remedial actions
are recorded as for live incidents.
/incidents/post-mortems/<date>-<slug>

Retention is at minimum three years, longer where law or contract
requires.