Backups only earn their keep when restores succeed. This practical checklist helps UK SMEs validate that their backup and disaster recovery (DR) set‑up will work when needed—without over‑engineering it. We focus on simple, evidence‑based tests that prove you can recover critical data and systems within the time and data loss tolerances your business can accept (RTO/RPO). Guidance aligns to UK best practice on backups and ransomware resilience.
Who this is for
- Micro businesses (<10): one server/NAS or cloud‑first; minimal admin time; you need fast recovery for finance, CRM and email.
- Small (10–50): mixed on‑prem + SaaS; one or two hypervisors (e.g., VMware vSphere, Microsoft Hyper‑V); departmental shares; backup windows matter.
- Medium (50–250+): multiple VMs, SAN/NAS, tiered storage, offsite/cloud copies; formal continuity targets; staff rotation for testing.
(We stay vendor‑neutral, but illustrate with multiple stacks where helpful.)
The 10 sanity checks (high‑impact, low‑friction)
These are short, controlled exercises—each should produce a clear pass/fail with a screenshot or log as evidence.
- Restore a recent file version (not just open it)
Pick a critical document and restore the version from last business day to an isolated location; confirm timestamps and integrity. Aligns with “restore from earlier backups, even if later versions are corrupted”.
- Recover a small database to point‑in‑time
For finance or CRM, rehearse a point‑in‑time restore (e.g., T‑15 minutes before a test change). Check collation, users, and application connectivity.
- Boot a VM from backup (image‑level recovery)
Instant recovery or “restore‑then‑boot” to a quarantine VLAN. Confirm services start, IP/DNS is isolated, and logs show a clean boot. (Applies across vSphere, Hyper‑V, etc.)
- Ransomware resilience: offline/immutable copy exists
Demonstrate at least one backup is offline or immutable at any given time (cold copy, object lock, WORM, or physically isolated media). Verify retention and delete‑protection policies.
- Offsite copy test
Confirm the offsite/cloud copy is reachable with separate credentials and can be enumerated without mounting into production. Record bandwidth and estimated restore time.
- RPO reality check
Measure real RPO by comparing last good backup timestamp to the current time for each critical data set. Does it match the business tolerance you state (e.g., ≤4 hours)? Tie back to continuity good practice.
- RTO “stopwatch” drill
Time how long it takes to restore a representative workload (file share or small VM) and make it usable to end users. Document dependencies (DNS, licenses, tokens).
- Credential separation & least‑privilege
Verify backup operators do not reuse production admin accounts; multi‑factor is enforced; recovery keys are accessible under dual‑control. (Prevents attackers deleting backups.)
- Backups for SaaS
Confirm you have independent backups/exports for SaaS platforms (email, SharePoint/Drive, accounting). Native recycle bins are not backups. Align with UK data protection expectations.
- Evidence pack & schedule
Maintain a lightweight “DR evidence” folder: screenshots, restore logs, durations, and next dates. Adopt an at‑least‑quarterly mini‑test cadence per NCSC small business advice.
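
The RPO reality check above, sketched as an added example (not part of the original checklist or any vendor's tooling): it reads a job‑history export and reports the age of the last successful backup per data set against the stated tolerance. The record layout, data set names, tolerances and the choice to count only "Success" as a good backup are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: job history as it might be exported from a backup console.
JOBS = [
    {"dataset": "finance-db", "finished": "2024-05-14T08:45:00+00:00", "status": "Success"},
    {"dataset": "finance-db", "finished": "2024-05-14T11:45:00+00:00", "status": "Failed"},
    {"dataset": "file-share", "finished": "2024-05-14T10:30:00+00:00", "status": "Success"},
    {"dataset": "crm-export", "finished": "2024-05-14T11:00:00+00:00", "status": "Warning"},
]
# Hypothetical business tolerances (maximum acceptable data loss, in hours).
TOLERANCE_HOURS = {"finance-db": 4, "file-share": 4, "crm-export": 24}

def rpo_report(jobs, tolerances, now):
    """Return per-data-set RPO evidence: last good backup, its age, pass/fail."""
    last_good = {}
    for job in jobs:
        # Only a clean success counts; a recent failed or partial run must not
        # hide an old last-good backup (assumption: "Warning" is not restorable).
        if job["status"] != "Success":
            continue
        finished = datetime.fromisoformat(job["finished"])
        if job["dataset"] not in last_good or finished > last_good[job["dataset"]]:
            last_good[job["dataset"]] = finished
    report = {}
    for dataset, hours in tolerances.items():
        good = last_good.get(dataset)
        if good is None:
            # A critical data set with no successful backup at all is a fail.
            report[dataset] = {"last_good": None, "age_hours": None, "passed": False}
            continue
        age = now - good
        report[dataset] = {
            "last_good": good.isoformat(),
            "age_hours": round(age.total_seconds() / 3600, 2),
            "passed": age <= timedelta(hours=hours),
        }
    return report

if __name__ == "__main__":
    # Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) live.
    now = datetime(2024, 5, 14, 13, 0, tzinfo=timezone.utc)
    for dataset, row in rpo_report(JOBS, TOLERANCE_HOURS, now).items():
        print(dataset, "PASS" if row["passed"] else "FAIL", row)
```

The printed rows can go straight into the “DR evidence” folder alongside the restore logs.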
What we deliver (engagement outline)
- A short sanity‑check session tailored to your size and mix (on‑prem/SaaS).
- A risk‑ranked findings summary with RPO/RTO gaps and quick wins (e.g., enable an immutable tier, fix a failing job, separate credentials).
- A 90‑day action plan to raise resilience without unnecessary spend.
(We keep tooling and brands neutral; where examples are needed, we show various options.)
Preparation checklist (optional)
- A read‑only account to your backup console and a list of protected workloads.
- The written business tolerance (max acceptable downtime/data loss) for 3–5 key services.
- Names of stakeholders (operations, finance, sales) to validate what “critical” means.
Why this approach
UK guidance emphasises regular backups, separation from live systems, and the ability to restore older, uncorrupted versions—even if recent copies are damaged. Testing is as important as taking the backup.