Why backup and recovery matter
Backup is your last line of defence against ransomware, corruption, and human error—but only if backups are isolated, tested, and recoverable. Insurers and auditors increasingly ask for evidence of backup strategy, testing, and recovery capability. "We have backups" is not enough; "we have tested restores and can prove it" is what counts.
What to define
Scope — Critical systems and data; retention periods and any regulatory requirements (e.g. 7 years for certain records). Document what is in scope and why.
RTO and RPO — Recovery Time Objective (how quickly you need to recover) and Recovery Point Objective (how much data loss is acceptable) for key services. Without this, you cannot prioritise or evidence recovery.
Storage — Where backups are stored (offsite, immutable, or air-gapped where appropriate for ransomware resilience). If backups can be encrypted or deleted by the same account that runs production, they are at risk.
Access — Who can restore; how access is controlled and audited. Limit restore rights; log restore activity.
Testing: what to evidence
- Restore tests are run at least quarterly for critical data — Don't assume backups work; test them. Document what was restored, when, and the result.
- Results are documented and any failures remediated — If a restore fails, fix the cause and retest. Evidence: test record and remediation.
- Key staff know how to initiate a restore and who to escalate to — Document the process; run a tabletop or walkthrough so people know their role.
Common gaps
Backups not isolated from production (same network or account); no restore test in the last 12 months; no RTO/RPO defined; no one knows how to restore.
Review your backup and recovery strategy—we help organisations design and test backup and recovery so you can prove it works.