Does your organization conduct annual testing of backups and restores for all types of data sources?
Explanation
Regular testing of backup and restore procedures ensures that data can be recovered in the event of data loss, corruption, or a security incident such as ransomware. Testing should cover all data sources including databases, file systems, configuration files, and application data to verify the integrity and recoverability of backed-up information.
Evidence could include a backup testing schedule, documented test results showing successful restoration of different data types, a backup testing policy, or incident response runbooks that include backup restoration procedures with timestamps of the last test performed.
Implementation Example
Test backups and restores for all types of data sources at least annually
ID: PR.DS-11.235
Context
- Function
- PR: PROTECT
- Category
- PR.DS: Data Security
- Sub-Category
- Backups of data are created, protected, maintained, and tested
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?

