IT KORR Knowledge Center
Backup Strategy Worksheet
A worksheet for planning backup strategy by data criticality tier, applying the 3-2-1 rule, and setting retention periods.
Data Inventory by Criticality Tier
Not all data warrants the same backup investment. Grouping data into tiers by criticality lets you apply stronger (and more expensive) protection where it matters most, rather than treating everything the same way.
- Tier 1 (Critical) — data required for core business operations to continue (e.g., transactional databases, financial records).
- Tier 2 (Important) — data that supports operations but is not immediately business-halting if delayed (e.g., internal documents, historical reporting).
- Tier 3 (Low Priority) — data with minimal operational impact if temporarily unavailable (e.g., archived, non-essential files).
- Assign every major data store or system to a tier explicitly — undefined data defaults to the lowest protection level by omission.
RPO/RTO Requirement per Tier
- Tier 1 — typically requires the shortest RPO (minutes to a few hours) and shortest RTO given business impact.
- Tier 2 — typically tolerates an RPO of several hours to one day and a moderate RTO.
- Tier 3 — typically tolerates an RPO of one day or more and a longer RTO.
- Document the specific RPO/RTO target for each tier and validate it against actual business impact, not assumption.
Backup Frequency & Method per Tier
- Tier 1 — frequent incremental or continuous backups, with periodic full backups; consider database transaction log backups for near-zero RPO.
- Tier 2 — daily incremental backups with a weekly full backup.
- Tier 3 — weekly full backups, or differential backups on a longer cycle.
- Full backup — a complete copy of all data; slowest to run, fastest to restore from.
- Incremental backup — captures only changes since the last backup of any type; fastest to run, slower/more complex to restore.
- Differential backup — captures changes since the last full backup; a middle ground between speed and restore simplicity.
The 3-2-1 Rule
- 3 copies — maintain at least three copies of critical data: the production copy plus two backups.
- 2 media types — store copies across at least two different media or storage types (e.g., disk and cloud object storage) to avoid a single point of failure.
- 1 offsite/immutable — keep at least one copy offsite or in immutable/air-gapped storage, protected from ransomware that targets connected backups.
- Apply the rule per tier — Tier 1 should follow it strictly; lower tiers may justify a reduced version based on documented risk acceptance.
Retention Period per Data Type
- Set retention based on operational need first (how far back would you realistically need to restore from).
- Layer in compliance-driven retention requirements where applicable (e.g., financial records, regulated data categories).
- Document retention period explicitly per data type — do not rely on default vendor settings without review.
- Periodically purge backups beyond the defined retention period to control cost and reduce unnecessary data exposure.
Related Resources
- Backup Strategy Guide — /knowledge-center/business-continuity/business-continuity-disaster-recovery/backup-strategy-guide
- RPO vs. RTO Explained — /knowledge-center/business-continuity/business-continuity-disaster-recovery/rpo-vs-rto-explained