GASP: AICF


BCM-005 Backup Restoration Testing

Tier 2+

Description

Backup restoration is tested at a defined frequency (at least annually) to verify that backups are complete, uncorrupted, and recoverable within RTO/RPO targets. Test results are documented. Failures in restoration tests trigger remediation before the next required test cycle.

Rationale

Untested backups frequently fail at the worst possible moment. Periodic restoration tests are the only reliable evidence that backup data is actually recoverable.

Framework Mappings (4)

BCR-08 | Backup | partial
8.13 | Information backup | partial
CP-4 | Contingency Plan Testing | full
A1.3 | Recovery Plan Testing | full

Evidence (2)

record, manual

Completed backup restoration test record documenting the test scenario, process, results, and confirmation that recovery was achieved within RTO/RPO targets.

Example: Backup restoration test report or runbook execution record showing the service tested, backup snapshot used, restoration steps taken, measured recovery time, and pass/fail determination against RTO/RPO

Test: Request the most recent backup restoration test report. Verify: (1) a restoration test was conducted within the last 12 months; (2) the test used a backup from the production backup set (not a synthetic backup); (3) measured recovery time and data loss are documented and compared to RTO/RPO; (4) the test was conducted by or witnessed by a named responsible party; (5) any test failures triggered a remediation action before the next test cycle.

report, manual

Backup restoration test results report summarising test outcomes, recovery metrics, and any identified gaps with remediation actions.

Example: Backup restoration test results document or post-test report (dated, signed off by the responsible owner) showing results by service, recovery time achieved, data integrity validation outcome, and any remediation items raised

Test: Request the restoration test results report for the last two test cycles. Verify: (1) results are documented for each tested service; (2) recovery time and data integrity results are compared against defined RTO/RPO; (3) remediation items from the prior cycle were addressed before the next test; (4) the report was reviewed and signed off by a named responsible owner.

Questions (2)

boolean

Is backup restoration tested at least annually to verify that backups are complete, uncorrupted, and recoverable within RTO/RPO targets, with test results documented?

Restoration tests must use actual production backup data, not synthetic test backups. Test results should document measured recovery time and data integrity outcomes.

select

What was the outcome of the most recent backup restoration test?

Pass — recovery completed within RTO/RPO targets; results documented and signed off
Pass with observations — recovery succeeded but minor issues were identified and remediated
Fail — recovery did not meet RTO/RPO targets; remediation completed before next test cycle
Fail — remediation still in progress
No restoration test has been conducted

A passing test with documented results is the expected outcome. Any failure should trigger remediation before the next test cycle. An untested backup set should be treated as unverified.