Backup and Restore Verification Checklist
A verification checklist confirming backups are complete, encrypted, off-site, and reliably restorable within RPO and RTO targets. Its core is performing and measuring a real restore, not just trusting the backup job. Use it on a schedule and before risky migrations.
When to Use This Checklist
Use this checklist to verify that backups are not just being taken but can actually be restored. Run it on a schedule, before a risky migration, and as part of disaster-recovery preparation. The only proof a backup works is a successful restore; an untested backup is a hope, not a control.
How to Use This Checklist
Start by confirming coverage and recovery targets: RPO defines how much data you can afford to lose, and RTO defines how long recovery may take. The central item is performing a real restore into a clean environment and measuring it against those targets. The security and resilience items ensure backups survive the events they are meant to protect against, including ransomware and site failure. Confirm on-call staff can actually execute the restore under pressure.
What Good Looks Like
Good backup verification ends with a proven restore: data recovered into a clean environment, integrity confirmed by checksums, and restore time measured against the RTO. Coverage spans every critical store, schedules align with the RPO, and backups are encrypted and held in a separate failure domain. An immutable or air-gapped copy protects against ransomware. The restore runbook is accessible and tested, so recovery is a known procedure rather than an improvisation during an outage.
Common Pitfalls
The defining failure is never testing a restore, then discovering at the worst moment that the backup is corrupt, incomplete, or unreadable. Teams set retention without aligning it to a real RPO. Backups stored in the same account or region as the source share its failure domain and ransomware exposure. Restore time is rarely measured, so RTO is theoretical. Finally, runbooks that only the original author understands leave on-call staff unable to recover.
Related Resources
Tie recovery targets to incident-management-best-practices and automate procedures with runbook-automation. Use immutable-infrastructure thinking for ransomware-resistant copies, verify restores with data-quality-management, and size recovery with capacity-planning.