Standard Operating Procedures (SOP) give us step—by—step instructions as to how an activity is to be carried out. An example would be how to carry out the backing up of data. The SOP will state which data needs to be backed up daily, weekly, or monthly. Critical data would be backed up every two hours whereas archive data may be backed up monthly. The SOP would also state what the medium is to be used for the backup; it may be backed up to a NetApp or network share rather than to tape so that quicker recovery can be carried out.
Stage one in risk assessment is the classification of the asset; this then determines how it is accessed, stored, and handled.