-
- Enthusiast
- Posts: 33
- Liked: never
- Joined: Sep 19, 2018 1:29 am
- Full Name: Jason Oon
ISO 27001 and Veeam B&R
Hi, my company is planning to get ISO 27001 certification. In this standard there's a mention of how IT backs up, restores & retains the data; I have no problem coming up with the policies for these. However, there's also a mention of data destruction policies. How do I describe this from a Veeam B&R perspective? Since all my backups are to disk storage & not tape, I do not have any physical media I can destroy. For each restore point which is past its retention, will it still be available on the disk after Veeam has purged it? Is there any way to recover it?
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: ISO 27001 and Veeam B&R
Hello,
> For each restore point which is past its retention, will it still be available on the disk after Veeam has purged it?
no - if data is deleted, it's gone
> Is there any way to recover it?
no - if data is deleted, it's gone
Does that help?
Best regards,
Hannes
-
- Enthusiast
- Posts: 33
- Liked: never
- Joined: Sep 19, 2018 1:29 am
- Full Name: Jason Oon
Re: ISO 27001 and Veeam B&R
Hi Hannes,
Yeah, common sense: after deletion, data will be gone.
But if I put that down in the policy I'm gonna get some questions from the auditors on how I confirm that data wasn't recoverable or how Veeam actually performs the deletion.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: ISO 27001 and Veeam B&R
Hello Jason,
It depends on the operating system / filesystem you are using. You can see the backup files in Windows Explorer or whatever you use. What we do is a "delete file". As long as it is not overwritten, you might be able to recover on NTFS. For some Linux filesystems, it's harder. Anyway, a repository usually has a lot of IO going on, so chances are high that deleted data is overwritten soon.
Just for curiosity: could you ask your auditor where the deletion question comes from? I discussed ISO 27000 certification questions some years ago with one of the "big four" and they did not mention it.
Best regards,
Hannes
-
- Enthusiast
- Posts: 33
- Liked: never
- Joined: Sep 19, 2018 1:29 am
- Full Name: Jason Oon
Re: ISO 27001 and Veeam B&R
It's actually in 2 of the annex for ISO 27001. My auditor didn't ask yet; our internal audit is somewhere in May. I was planning to mention "Once the backup is past its retention period, the backup will be deleted from the storage & the space will be reused for new backups". Then the thought came into my mind of how I justify/describe how my backup software removes those old backups.
1. Section A.11.1.2 relates to IT equipment and states that, “all items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use”.
2. Section A.8.3.2: relates to disposal of media and states that, “Media shall be disposed of securely when no longer required, using formal procedures”.
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: ISO 27001 and Veeam B&R
cool, thanks!
well, you could run a tool that overwrites empty disk space with random data. But I'm not sure whether this is a little bit overkill
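The free-space overwrite suggested in the post above, sketched as an added example that is not part of the thread and is not Veeam functionality: it fills the repository volume's free space with random data, removes the fill file, and returns a record that can be kept as evidence for the auditor. The function name `overwrite_free_space`, its parameters and the record fields are hypothetical, and it assumes the repository is a directory on a locally mounted filesystem.

```python
import errno
import json
import os
import secrets
import shutil
import tempfile
import time

CHUNK = 4 * 1024 * 1024  # bytes of fresh random data per write


def overwrite_free_space(repo_dir, max_bytes=None, chunk=CHUNK):
    """Fill free space on the volume holding repo_dir with random data.

    max_bytes caps the run (dry runs, tests); None fills until the volume is
    full. The fill file is always removed. Returns a record for the audit log.
    """
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    free_before = shutil.disk_usage(repo_dir).free
    written, hit_full = 0, False
    fd, fill_path = tempfile.mkstemp(prefix="wipe-", suffix=".fill", dir=repo_dir)
    try:
        with os.fdopen(fd, "wb", buffering=0) as fill:
            try:
                while max_bytes is None or written < max_bytes:
                    size = chunk if max_bytes is None else min(chunk, max_bytes - written)
                    written += fill.write(secrets.token_bytes(size))
            except OSError as exc:
                if exc.errno != errno.ENOSPC:
                    raise
                hit_full = True  # "disk full" is the expected stop condition
            os.fsync(fill.fileno())  # push the random data to the device
    finally:
        os.remove(fill_path)  # hand the overwritten blocks back to the repository
    return {
        "volume": os.path.abspath(repo_dir),
        "started_utc": started,
        "free_bytes_before": free_before,
        "bytes_overwritten": written,
        "volume_filled": hit_full,
        "fill_file_removed": not os.path.exists(fill_path),
    }


if __name__ == "__main__":
    # Constructed demo: a temporary directory and a 1 MiB cap, not a real repository.
    with tempfile.TemporaryDirectory() as demo_repo:
        print(json.dumps(overwrite_free_space(demo_repo, max_bytes=1024 * 1024), indent=2))
```

An overwrite done through the filesystem does not reach blocks the storage layer has remapped or still references elsewhere (SSD wear levelling, thin provisioning, copy-on-write or deduplicating volumes), so the policy should state which repository storage the procedure applies to.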