When did you last test a full restore from backup (not just a file)?
Demonstrate that the organization conducts and documents periodic full restore tests from backup to validate operational readiness for disaster recovery and business continuity scenarios.
Description
What this control does
This control verifies that the organization regularly performs full-system or full-dataset restore tests from backup media, not merely file-level or partial recovery tests. Full restore testing validates backup integrity, restoration procedures, documented runbooks, and the ability to meet recovery time objectives (RTOs) under realistic conditions. Unlike selective file recovery, a full restore reveals infrastructure dependencies, sequence errors, incompatibility issues, and gaps in recovery documentation that only surface during comprehensive restoration scenarios.
Control objective
What auditing this proves
Demonstrate that the organization conducts and documents periodic full restore tests from backup to validate operational readiness for disaster recovery and business continuity scenarios.
Associated risks
Risks this control addresses
- Backup media corruption or encryption key loss rendering backups unrecoverable during an actual disaster event
- Incomplete backup configurations resulting in missing system state, databases, or application dependencies required for full operational recovery
- Recovery procedures that exceed defined RTOs or Recovery Point Objectives (RPOs) due to untested restoration workflows
- Ransomware attackers encrypting production systems while backup infrastructure remains compromised or inaccessible
- Backup restoration failures during critical incidents due to undocumented dependencies, version mismatches, or incompatible hardware configurations
- False confidence in backup systems that have never been validated through end-to-end restore testing, leading to unrecoverable data loss
- Failure to detect gradual backup degradation or incremental backup chain breaks that only manifest during full restore attempts
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's backup and disaster recovery policy to identify the documented frequency and scope requirements for full restore testing.
- Request restore test logs, reports, or change control tickets from the past 12 months that document full restore test activities.
- Interview the backup administrator or IT operations manager to understand the restore testing methodology, systems included, and validation criteria applied.
- Select a sample of critical systems or datasets (e.g., production database, domain controller, file server) and verify that each has undergone documented full restore testing within the policy-defined timeframe.
- Review test documentation for each sampled restore event to confirm that the restore was completed to a functional state, not merely extracted files without application validation.
- Verify that restore test results include success criteria verification such as application functionality checks, data integrity validation, and measured restoration time compared to RTO targets.
- Examine evidence that identified issues during restore testing (e.g., missing dependencies, procedure gaps) were documented, escalated, and remediated through corrective action.
- Confirm that restore tests are conducted in isolated environments to prevent production impact and that restored systems are properly decommissioned post-test to avoid security or operational conflicts.