
SOC 2 backup & restore-drill checklist

The backup questions on a SOC 2 audit aren't “do you have backups?” They're “are they off-site, encrypted, and have you tested that they restore — with evidence?” This checklist walks the controls auditors actually probe. Work through it, watch your score, then copy or print it as a working artifact for your audit prep. Nothing leaves your browser.

Backup & Restore Control Checklist — SOC 2 readiness (28 controls in eight areas)

Backup coverage: Availability A1.2 (4 controls)
Off-site & redundancy: Availability A1.2 (3 controls)
Encryption & integrity: Confidentiality C1.1 / Security CC6.1 (4 controls)
Restore testing — the part auditors actually probe: Availability A1.3 (5 controls)
Retention & lifecycle: Availability A1.2 (3 controls)
Monitoring & alerting: Security CC7.2 (3 controls)
Access control: Security CC6.1 / CC6.3 (3 controls)
Documentation & evidence: Security CC1 / Availability A1 (3 controls)

This is a readiness aid for the backup-and-recovery portion of SOC 2, not legal advice or a substitute for an audit. Trust Services Criteria references are provided as orientation; your auditor makes the final determination.

The control auditors fail people on

It's almost always restore testing (criterion A1.3). Teams keep backups religiously and never restore one until the day they have to — and discover the dump was truncated, the sequence values were lost, or the restore takes six hours when they'd promised one. The control isn't the backup; it's the tested, logged, time-measured restore.

FAQ

Which SOC 2 criteria cover backups and restores?
Backup and recovery fall mainly under the Availability criteria — A1.2 (recovery infrastructure and backups) and A1.3 (testing recovery procedures) — with supporting Common Criteria for security: encryption and access (CC6), and monitoring (CC7). The Confidentiality criteria (C1) apply to encryption of the backed-up data.
Why is restore testing the part auditors focus on?
Because having backups and being able to recover are different claims. A1.3 specifically asks whether you test your recovery procedures. An untested backup is an assumption; a logged, scheduled restore test with measured recovery time is a control with evidence.
What evidence does an auditor want for restore testing?
A record, across the audit period, showing restores were performed: when, what was restored, whether it succeeded, and how long it took (your RTO evidence). For SOC 2 Type II this must span the whole observation window, not a single point in time.
Is completing this checklist enough to pass SOC 2?
No — this is a readiness aid for the backup and recovery slice of SOC 2, not the audit itself or legal advice. SOC 2 covers far more, and an independent auditor makes the determination. Use this to find and close gaps before they do.
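An added example (not OffsiteDB's code) of what a restore drill that produces the evidence described above looks like: it times the restore, validates the restored copy against the source's row counts and sequence values (the truncated-dump and lost-sequence failures named earlier), and appends a JSON-lines record of when, what, success, duration and whether the RTO was met. The `restore` callable and the restored-database contents are constructed stand-ins; against a real Postgres they would run the restore and query the scratch database.

```python
import json
import time
from datetime import datetime, timezone

def run_restore_drill(target, restore, checks, rto_seconds, log_path=None):
    """Time `restore()`, run the validation `checks` (name -> callable returning
    True), and append one JSON-lines evidence record: what, when, success, duration."""
    started = time.monotonic()
    failures = []
    try:
        restore()
    except Exception as exc:  # a failed restore is still a logged drill, just a failed one
        failures.append(f"restore error: {exc}")
    for name, check in (checks.items() if not failures else []):
        try:
            if not check():
                failures.append(f"check failed: {name}")
        except Exception as exc:
            failures.append(f"check error: {name}: {exc}")
    elapsed = round(time.monotonic() - started, 3)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "target": target, "succeeded": not failures,
        "restore_seconds": elapsed, "rto_seconds": rto_seconds,
        "rto_met": elapsed <= rto_seconds, "failures": failures,
    }
    if log_path:  # append-only evidence log, one record per drill
        with open(log_path, "a", encoding="utf-8") as log:
            log.write(json.dumps(record) + "\n")
    return record

# Constructed stand-in for what the checks would read over SQL from the source
# and the scratch restore: per-table row counts and the sequence's last_value.
SOURCE = {"rows": {"orders": 1000, "users": 250}, "seq": {"orders_id_seq": 1000}}

def checks_for(restored):
    checks = {f"{t} row count": (lambda t=t, n=n: restored["rows"].get(t) == n)
              for t, n in SOURCE["rows"].items()}
    # A sequence restored below the source's last_value makes the next insert
    # collide with restored ids, even though every row is present.
    for s, v in SOURCE["seq"].items():
        checks[f"{s} last_value"] = lambda s=s, v=v: restored["seq"].get(s, 0) >= v
    return checks

def sample_drills():
    healthy = {"rows": dict(SOURCE["rows"]), "seq": dict(SOURCE["seq"])}
    truncated = {"rows": {"orders": 640, "users": 250}, "seq": {"orders_id_seq": 1}}
    return [run_restore_drill("prod-db nightly snapshot", lambda: None, checks_for(copy), 3600)
            for copy in (healthy, truncated)]
```

Run on a schedule and kept for the whole observation window, the log file is the dated, time-measured record a Type II auditor asks for; the truncated drill shows why a restore that "completes" still needs validation before it counts as a pass.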

The restore-testing evidence, generated for you

The hardest row on this checklist — scheduled, validated, logged restore tests with measured recovery times — is exactly what OffsiteDB produces automatically. Every snapshot is restore-drilled on real Postgres, and a monthly Restore Drill Report gives you the dated evidence to hand your auditor. Start a free trial or see how it handles security.