Are backups taken, secured, and tested (at least one full restore in the last 12 months)?
Demonstrate that the organization maintains a functional backup and recovery capability, with backups occurring on schedule, stored securely, and validated through documented full restore testing within the preceding 12 months.
Description
What this control does
This control ensures that critical business systems and data are backed up on a defined schedule, that backup media and storage locations are protected against unauthorized access and environmental hazards, and that restore procedures are validated through at least one full restoration exercise annually. Backups must be encrypted in transit and at rest, stored in geographically separate locations where applicable, and tested to confirm recoverability within defined recovery time objectives (RTOs). This control directly supports business continuity and disaster recovery capabilities required under SOC 2 availability and confidentiality criteria.
Control objective
What auditing this proves
Demonstrate that the organization maintains a functional backup and recovery capability, with backups occurring on schedule, stored securely, and validated through documented full restore testing within the preceding 12 months.
Associated risks
Risks this control addresses
- Ransomware attack encrypts production systems and accessible backup repositories, rendering all data irrecoverable
- Hardware failure, natural disaster, or data center outage destroys primary systems without viable backup to restore from
- Backup processes silently fail for extended periods without detection, leaving no restorable data when needed
- Untested backups contain corrupted, incomplete, or misconfigured data that cannot be successfully restored during actual incidents
- Backup media stored alongside production systems are destroyed in the same physical incident
- Unencrypted or inadequately secured backups expose confidential customer data to unauthorized access or exfiltration
- Retention policies fail to maintain required historical data, causing compliance violations or inability to meet legal holds
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's backup policy documenting backup frequency, retention periods, storage locations, encryption requirements, and testing schedules.
- Request a current inventory of all systems and datasets subject to backup requirements, including databases, file servers, application servers, virtual machines, and SaaS configurations.
- Select a representative sample of critical systems from the inventory and obtain backup logs or job reports covering the most recent 90-day period.
- Verify through log review that scheduled backups completed successfully for sampled systems without errors, gaps, or extended failures.
- Examine backup storage configurations to confirm encryption at rest and in transit, access controls restricting backup administrator privileges, and physical or logical separation from production environments.
- Request documentation of the most recent full restore test conducted within the last 12 months, including test plan, systems restored, success criteria, duration, issues identified, and remediation.
- Interview the backup administrator or IT operations manager to confirm the restore test procedure, validate that restored data was verified for integrity and completeness, and review any lessons learned.
- Review monitoring and alerting configurations to confirm that backup job failures trigger timely notifications to responsible personnel.
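Steps 3, 4, 5 and 7 of the procedure above amount to a mechanical check over backup job reports and the restore-test register: every sampled system must show successful runs on schedule with no gaps or extended failure streaks, encrypted and separately stored copies, and a verified full restore within the last 12 months. The Python script below is an added example that is not part of this control text or of any audit tool; it runs those checks over a constructed set of job records. The system names, dates, status values and finding codes are assumptions made for the illustration, and a real review would load the job reports exported by the backup product instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupJob:
    system: str
    run_date: date
    status: str        # "success" or "failed", as reported by the backup tool
    encrypted: bool    # encryption at rest confirmed for this copy
    offsite: bool      # copy stored separately from the production site


@dataclass(frozen=True)
class RestoreTest:
    system: str
    test_date: date
    integrity_verified: bool   # restored data checked for completeness


def check_backup_evidence(inventory, jobs, restore_tests, review_end,
                          expected_interval_days=1, window_days=90,
                          max_failure_streak=3, restore_max_age_days=365):
    """Return a sorted list of (system, finding) tuples for the review window."""
    findings = set()
    window_start = review_end - timedelta(days=window_days)
    by_system = {s: [] for s in inventory}
    for job in jobs:
        if job.system in by_system and window_start <= job.run_date <= review_end:
            by_system[job.system].append(job)

    for system, sys_jobs in by_system.items():
        sys_jobs.sort(key=lambda j: j.run_date)
        if not sys_jobs:
            findings.add((system, "no_backup_evidence"))
        # Gap check: days between consecutive successful runs, including the
        # stretch from the last success to the end of the window.
        last_success = window_start
        streak = 0
        for job in sys_jobs:
            if job.status == "success":
                if (job.run_date - last_success).days > expected_interval_days:
                    findings.add((system, "backup_gap"))
                last_success = job.run_date
                streak = 0
            else:
                streak += 1
                if streak >= max_failure_streak:
                    findings.add((system, "extended_failure"))
            if not job.encrypted:
                findings.add((system, "unencrypted"))
            if not job.offsite:
                findings.add((system, "no_offsite_copy"))
        if sys_jobs and (review_end - last_success).days > expected_interval_days:
            findings.add((system, "backup_gap"))

    # Restore-test check: the newest test per system must be recent and verified.
    latest_test = {}
    for t in restore_tests:
        if t.system not in latest_test or t.test_date > latest_test[t.system].test_date:
            latest_test[t.system] = t
    for system in inventory:
        t = latest_test.get(system)
        if t is None:
            findings.add((system, "restore_test_missing"))
        elif (review_end - t.test_date).days > restore_max_age_days:
            findings.add((system, "restore_test_stale"))
        elif not t.integrity_verified:
            findings.add((system, "restore_not_verified"))
    return sorted(findings)


def _daily_jobs(system, start, end, failed_days=(), encrypted=True, offsite=True):
    """Build one job record per day; days listed in failed_days are failures."""
    jobs, day = [], start
    while day <= end:
        status = "failed" if day in failed_days else "success"
        jobs.append(BackupJob(system, day, status, encrypted, offsite))
        day += timedelta(days=1)
    return jobs


# Constructed sample evidence (assumed names and dates, not real job reports).
REVIEW_END = date(2024, 3, 31)
WINDOW_START = REVIEW_END - timedelta(days=90)   # 2024-01-01
INVENTORY = ["db-prod", "file-srv", "app-vm", "legacy-erp"]   # legacy-erp has no jobs
SAMPLE_JOBS = (
    _daily_jobs("db-prod", WINDOW_START, REVIEW_END)
    + _daily_jobs("file-srv", WINDOW_START, REVIEW_END,
                  failed_days={date(2024, 2, d) for d in range(10, 15)})   # five failed days
    + _daily_jobs("app-vm", WINDOW_START, REVIEW_END, encrypted=False)
)
SAMPLE_RESTORE_TESTS = [
    RestoreTest("db-prod", date(2023, 11, 15), True),
    RestoreTest("file-srv", date(2023, 2, 1), True),   # older than 12 months
]


def sample_findings():
    return check_backup_evidence(INVENTORY, SAMPLE_JOBS, SAMPLE_RESTORE_TESTS, REVIEW_END)


if __name__ == "__main__":
    for system, finding in sample_findings():
        print(f"{system}: {finding}")
```

The failure-streak threshold and the expected backup interval are parameters because the policy reviewed in step 1 defines them per system class; a weekly schedule, for instance, would not treat a six-day stretch without a successful run as a gap, but would still flag a run of consecutive failures.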