Mako Logics


Backup restore verification checklist.

“We have backups” is the most dangerous sentence in IT. This checklist is what we run with every managed client to prove the backups actually work — before ransomware tests them for you.

Published April 21, 2026. Run quarterly.

Untested backup is not backup. If you haven’t restored from it in the last 90 days, assume it doesn’t work.

Why this checklist exists

We’ve seen too many small businesses believe they were protected, then learn during a ransomware incident that the backup server was reachable by the same compromised admin account, that the last three days of data were never captured, or that the “off-site” copy had stopped syncing six months ago. This checklist keeps that from happening to you.

Document your RTO and RPO first

  • Recovery Time Objective (RTO): how long can this service be down before it hurts the business? (e.g., 4 hours for email, 24 hours for the tax software)
  • Recovery Point Objective (RPO): how much data loss is acceptable? (e.g., zero for client records, 24 hours for marketing site)
  • Every critical system has a documented RTO and RPO

Backup design verification

  • Backups are immutable or air-gapped (can't be deleted by an attacker with admin credentials)
  • At least one backup copy is off-site
  • Backup retention meets your compliance obligations (tax 7 years, HIPAA 6 years, SOC 2 per contract)
  • Backup credentials are separate from production admin credentials
  • Backup system is on a different MFA trust boundary than production

Quarterly restore tests

Test 1 — File restore

  • Pick a file from each major data location (file server, SharePoint, OneDrive, EHR document store)
  • Restore to a separate location
  • Verify the file opens, content matches expectations, and metadata is intact
  • Time the restore and compare to RTO

Test 2 — Mailbox restore

  • Pick a user mailbox
  • Restore a deleted item, a calendar entry, and a folder of recent email to a recovery location
  • Verify the contents are accessible, and time the restore

Test 3 — Workstation / server image restore

  • Pick one workstation and one server (rotate through the inventory over the year)
  • Restore to a separate physical or virtual machine
  • Boot it, verify OS is healthy, verify applications launch
  • Time the full restore end-to-end

Annual full-environment simulation

  • Once per year, simulate a ransomware event in a lab or isolated environment
  • Restore a full system (server + workstation + email + cloud data) from backup-only
  • Time every phase
  • Document gaps and feed them into the IR plan

Documentation

  • Written record of every restore test with date, what was restored, time-to-restore, and pass/fail
  • Annual executive summary showing whether RTO / RPO were met
  • Documentation retained for at least 3 years (longer for SOC 2 / HIPAA / CMMC evidence)
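
An added example, not Mako Logics' own tooling: one way to script Test 1 (file restore) so that each run produces the record this section asks for, plus a check for the 90-day rule. `restore_fn` is a hypothetical hook for whatever restore command your backup product provides, and the manifest format (size, mtime and SHA-256 captured from the production file) is an assumption.

```python
import hashlib, os, time
from dataclasses import dataclass
from datetime import date

@dataclass
class RestoreRecord:        # one row of the written restore-test record
    test_date: str          # ISO date of the test
    item: str               # what was restored
    seconds: float          # time-to-restore
    content_ok: bool        # size and SHA-256 match the manifest
    metadata_ok: bool       # modification time survived the restore
    within_rto: bool
    passed: bool

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest_entry(path):   # size, mtime and hash of a file (assumed manifest format)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": sha256_file(path)}

def verify_file_restore(item, restore_fn, restored_path, expected, rto_seconds, today):
    """Time restore_fn (hypothetical hook into your backup tool), then check the result."""
    start = time.monotonic()
    restore_fn()
    seconds = time.monotonic() - start
    if not os.path.isfile(restored_path):   # tool reported success but wrote nothing here
        return RestoreRecord(today.isoformat(), item, seconds, False, False, False, False)
    actual = manifest_entry(restored_path)
    content_ok = (actual["size"], actual["sha256"]) == (expected["size"], expected["sha256"])
    metadata_ok = actual["mtime"] == expected["mtime"]
    within_rto = seconds <= rto_seconds
    return RestoreRecord(today.isoformat(), item, seconds, content_ok, metadata_ok,
                         within_rto, content_ok and metadata_ok and within_rto)

def restore_is_stale(records, today, max_age_days=90):
    """True when the last passing restore is more than max_age_days old, or none exists."""
    passed = [date.fromisoformat(r.test_date) for r in records if r.passed]
    return not passed or (today - max(passed)).days > max_age_days

if __name__ == "__main__":  # constructed demo: "restore" this script to a temp directory
    import shutil, tempfile
    dst = os.path.join(tempfile.mkdtemp(), "restored.py")
    print(verify_file_restore(__file__, lambda: shutil.copy2(__file__, dst), dst,
                              manifest_entry(__file__), 4 * 3600, date.today()))
```

Capture the manifest entry from the production file at backup time, not from the backup copy, so a backup that faithfully stored corrupted or encrypted data still fails the content check.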

Red flags

  • Last successful restore is more than 90 days ago
  • Backup reports show success but nobody has actually read them
  • Backup admin credentials are the same as production admin credentials
  • "Off-site" copy turns out to be on the same physical network
  • Microsoft 365 / Google Workspace backup is just the built-in retention (NOT backup)