CP-4 / CP-9 / A.12.3.1 / CIS-11.3 NIST SP 800-53 Rev 5

Restore tested at least quarterly

Demonstrate that the organization tests its ability to successfully restore data from backups at least once every three months, validates the integrity of restored data, and maintains documented evidence of restoration outcomes.

Description

What this control does

This control requires organizations to test their backup restoration processes at least quarterly across all critical systems and data classifications. Each test selects representative backup sets, executes the documented restore procedure in an isolated non-production environment, verifies the integrity and completeness of the restored data (for example by comparing checksums against a manifest captured at backup time, and by application-level checks), and records the results, including time-to-restore measured against the recovery time objective. Because a backup set can carry the same ransomware or malware that compromised production, restored data should be scanned before any of it is promoted out of the test environment. Quarterly testing confirms that backup media remains viable, that restoration procedures keep pace with infrastructure changes, and that personnel stay proficient in recovery operations.
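The restore test described above, as an added example (not tooling from this page or any named vendor): back up constructed sample data with a SHA-256 manifest stored apart from the archive, restore into a scratch directory, verify every file against the manifest, time the restore against an RTO, and emit an evidence record of the kind an auditor samples. The tar format, the separate manifest, and the 60-second RTO are assumptions for illustration; the second run shows the failure mode the page warns about, a silently corrupted backup that extracts without error and is caught only by the integrity check.

```python
"""Restore-test harness: back up, restore into scratch, verify, record evidence.

Added example, not the page's own tooling. Assumed (not from the page): tar
archives, a SHA-256 manifest kept separately, and an RTO given in seconds.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src; return {relative path: sha256}.

    The manifest is kept apart from the archive (on separate media, or signed)
    so a corrupted or tampered archive cannot also alter its own reference.
    """
    manifest = {p.relative_to(src).as_posix(): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w") as tar:        # uncompressed, for the demo
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Refuse members that would land outside dest (traversal in a crafted tar)."""
    root = dest.resolve()
    for member in tar.getmembers():
        target = (root / member.name).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
    if hasattr(tarfile, "data_filter"):             # Python 3.12+: stricter filter
        tar.extractall(root, filter="data")
    else:
        tar.extractall(root)


def run_restore_test(archive: Path, manifest: dict, rto_seconds: float,
                     system: str, tester: str) -> dict:
    """Restore into an isolated scratch dir; time-to-restore ends after verification."""
    started = time.monotonic()
    failures, error = [], None
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r") as tar:
                safe_extract(tar, dest)
        except (tarfile.TarError, OSError, ValueError) as exc:
            error = str(exc)
        else:
            for rel, expected in manifest.items():
                restored = dest / rel
                if not restored.is_file() or sha256_file(restored) != expected:
                    failures.append(rel)
            # A malware scan of `dest` belongs here, before anything is promoted.
    elapsed = time.monotonic() - started
    within_rto = elapsed <= rto_seconds
    return {
        "test_date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "system": system, "tester": tester, "archive": archive.name,
        "files_expected": len(manifest),
        "files_verified": 0 if error else len(manifest) - len(failures),
        "integrity_failures": failures, "restore_error": error,
        "time_to_restore_s": round(elapsed, 3), "rto_s": rto_seconds,
        "within_rto": within_rto,
        "outcome": "PASS" if not error and not failures and within_rto else "FAIL",
    }


def demo() -> tuple:
    """Constructed sample data: one clean run, one silently corrupted archive."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "prod"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("account,balance\nops,10450\n")
        (src / "app.conf").write_text("mode=production\n")
        archive = work / "prod-backup.tar"
        manifest = make_backup(src, archive)
        clean = run_restore_test(archive, manifest, 60.0, "finance-db", "j.doe")
        # Flip one byte of file content inside the archive: tar carries no content
        # checksum, so extraction succeeds and only the manifest check catches it.
        raw = archive.read_bytes().replace(b"ops,10450", b"ops,10459", 1)
        corrupted = work / "prod-backup-corrupted.tar"
        corrupted.write_bytes(raw)
        bad = run_restore_test(corrupted, manifest, 60.0, "finance-db", "j.doe")
        return clean, bad


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec, indent=2))
```

The returned record carries the fields the testing procedure asks an auditor to look for (date, system, personnel, data validated, time-to-restore versus RTO, outcome); appending one such record per test to a tamper-evident log gives the trailing-four-quarters evidence without a separate report-writing step.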

Control objective

What auditing this proves

Demonstrate that the organization tests its ability to successfully restore data from backups at least once every three months, validates the integrity of restored data, and maintains documented evidence of restoration outcomes.

Associated risks

Risks this control addresses

  • Backup media degradation or corruption rendering data unrecoverable during actual disaster recovery events
  • Undiscovered incompatibilities between backup formats and current restoration infrastructure resulting in failed recovery attempts
  • Personnel unfamiliarity with restoration procedures leading to extended downtime or data loss during crisis scenarios
  • Configuration drift between production systems and backup schemas causing incomplete or inconsistent data restoration
  • Insufficient restore capacity or bandwidth preventing recovery within acceptable recovery time objectives (RTO)
  • Ransomware or malware present in backup sets being reintroduced into production environments during restoration
  • Backup retention policies failing to preserve legally required data or business-critical information due to untested recovery scope

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's backup and disaster recovery policy, including documented restoration testing schedule and requirements
  2. Request restore test execution logs, reports, or records for the past 12 months to verify quarterly testing frequency
  3. Identify the inventory of systems and data classifications subject to backup requirements and verify coverage in quarterly test plans
  4. Select a sample of at least three restore test reports from different quarters and review for completeness including date, systems tested, data validated, personnel involved, and outcome
  5. Verify that each sampled restore test includes documented validation of data integrity through checksum verification, application-level testing, or user acceptance procedures
  6. Confirm that restore tests measure and document time-to-restore metrics and compare these against defined recovery time objectives
  7. Interview backup administrators or IT operations staff to confirm restoration procedures are current and personnel are trained on execution
  8. Review any identified deficiencies or failures from restore tests and verify corrective actions were documented and implemented
Evidence required

Auditor collects quarterly restore test reports including execution dates, systems tested, data sets restored, integrity validation results, and time-to-restore measurements for the past four quarters. Policy documentation specifying restore testing frequency and scope, including system inventories subject to backup requirements. Screenshots or log exports from backup management systems showing successful restoration operations, and any deficiency tracking records with associated remediation status.

Pass criteria

Restore testing has been performed and documented at least once per quarter (minimum four tests in the trailing 12 months) covering representative critical systems, with documented evidence of successful data restoration and integrity validation for each test period.
