Overview
Backup Verification and Testing is the process of confirming that system backups are successfully created and can be restored as intended. It ensures backup controls supporting system availability and resilience operate effectively under SOC 2 CC7.2.
Step-by-Step Process
Confirm backup scope
The Engineering Lead reviews the list of in-scope systems, databases, and file stores that require backups under SOC 2. The output is a confirmed backup scope list aligned to production and critical systems.
Role: Engineering Lead
Review backup job status
The Engineering Lead checks that scheduled backup jobs ran successfully during the review period. The output is a record of completed, failed, or skipped backup jobs for the month.
Role: Engineering Lead
Select backups for testing
The Engineering Lead selects at least one backup per critical system for restore testing based on risk and system criticality. The output is a documented list of backups selected for testing.
Role: Engineering Lead
Perform restore test
The Engineering Lead restores the selected backup to a test or isolated environment without impacting production. The output is a completed restore attempt with timestamps and system identifiers.
Role: Engineering Lead
Validate restored data
The Engineering Lead verifies that restored systems or data are complete, accessible, and function as expected. The output is a validation result noting success or specific restore issues.
Role: Engineering Lead
Document results
The Engineering Lead records backup verification and restore test results in a monthly log or ticket. The output is a dated verification record ready for audit review.
Role: Engineering Lead
Remediate failures
If any backup or restore failures are identified, the Engineering Lead creates and tracks remediation actions to resolution. The output is documented corrective actions with evidence of completion.
Role: Engineering Lead
What You Need Before Starting
- Access to backup tools (AWS Backup console, Veeam console, or script environment)
- List of in-scope systems and data stores
- Monthly backup schedule and retention policy
- Test or non-production restore environment
Evidence Your Auditor Expects
- AWS Backup job history screenshot showing successful backups with timestamps for the month
- Restore test log or ticket dated within the review period showing system name and outcome
- Screenshot or export of Veeam restore session details with completion time
- Monthly backup verification log signed or acknowledged by the Engineering Lead
How This Looks In Your Tools
AWS Backup
Log in to the AWS Management Console and navigate to Services > AWS Backup > Backup jobs. Filter the view by date range to the current month and review job statuses for Completed or Failed.
To perform a restore test, go to AWS Backup > Protected resources, select the resource, choose a recovery point, and click Restore. Configure the restore to a test environment (for example, a non-production EC2 instance or database) and document the restore job ID and completion status from the Restore jobs screen.
Veeam
Open the Veeam Backup & Replication console and navigate to Home > Jobs > Backup. Review the Last Result and Last Run columns for each in-scope job during the month.
For restore testing, go to Home > Backups, right-click the relevant backup, and select Restore > appropriate restore type (e.g., Entire VM or File-level restore). Complete the wizard using a test location and capture the restore session report from History > Sessions.
Custom scripts
Access the server or backup host where scripts are executed and review scheduled jobs using cron (crontab -l) or task scheduler configurations. Verify successful execution by reviewing log files with timestamps for the review period.
To test restores, manually execute the restore script using a known backup file and direct output to a test directory or environment. Capture console output, log files, and file checksums or service status as evidence of successful restoration.
Common Audit Findings
- No evidence of restore testing
- Organizations often verify backups exist but do not test restoration. Prevent this by scheduling and documenting at least one restore test per month for critical systems.
- Backup failures not reviewed
- Failed or skipped backup jobs may go unnoticed if alerts are ignored. Prevent this by requiring monthly manual review and sign-off of backup job status.
- Incomplete backup scope
- New systems may not be added to backup configurations. Prevent this by reviewing backup scope during system onboarding and monthly verification.
- Evidence missing timestamps
- Screenshots or logs without visible dates cannot support audit conclusions. Prevent this by always capturing system timestamps or exporting dated reports.