Backup Readiness Checklist
The questions every business should be able to answer about their backups — and what it means if they can't.
Most businesses think they have a backup until they need to use it. The gap between “we have backups” and “we can actually recover from this” is where disasters happen.
Answer these questions honestly. If you can’t answer them, that’s the issue.
The core questions
What’s being backed up?
- Your servers (application data, database files)?
- Your workstations (local files not synced to OneDrive/SharePoint)?
- Your Microsoft 365 email, Teams chats, and SharePoint?
- Your network configuration files?
Microsoft 365 is not automatically backed up. Microsoft provides some retention, but it is not a backup. Deleted items past the retention window are gone.
Where are the backups going?
- Local only (NAS, external drive)? If the building burns or ransomware encrypts everything on the network, local-only backups go with it.
- Cloud only? Cloud backup is good for catastrophic local failure but slow to restore for large datasets.
- Both? This is correct. Local for fast restore speed, cloud for disaster recovery.
How often are backups running?
- Daily is the minimum for most businesses.
- More frequently if you’re dealing with data that changes constantly (patient records, active databases, transaction logs).
How long are backups retained?
- 30 days is common.
- For HIPAA-covered practices, 6-year retention is required for certain records.
- Ransomware can sit dormant for weeks before detonating. If your retention is 7 days, your clean backups may already be encrypted.
When was the last time you tested a restore?
- This is the one most businesses can’t answer. A backup you haven’t tested is a backup you don’t have.
- Test restores should happen at minimum annually, ideally quarterly.
- A test restore means actually recovering a file or system from backup — not just checking that the job said “succeeded.”
Red flags
- ❌ “The backup light is green so we’re good”
- ❌ Backups running to an external drive plugged into the server (ransomware encrypts connected drives)
- ❌ No monitoring — you only find out the backup failed when you need it
- ❌ Email-only notification that goes to a shared inbox nobody checks
- ❌ No offsite or cloud component
- ❌ Never tested a restore
What good looks like
- ✅ Automated daily backups to local + cloud (3-2-1 rule)
- ✅ Monitored backup jobs with alerts on failure
- ✅ Retention of at least 30 days (90+ preferred)
- ✅ Microsoft 365 email and data backed up separately
- ✅ Annual documented restore test with results logged
- ✅ Recovery time objective (RTO) defined: “We can be back up in X hours”
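The "what good looks like" list above can be turned into a mechanical audit: for each backup job, record where it writes, when it last succeeded, how long it retains data, whether failures alert someone, and when a restore was last actually tested, then check every item against the thresholds the checklist gives (local + cloud, daily, 30 days, alerts on failure, annual restore test). The script below is an added example written for this page, not RockIT's tooling; the `BackupJob` record, the job inventory and the audit date are constructed for illustration, and in practice the inventory would come from your backup software's job history.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds taken from the checklist above.
MAX_DAYS_SINCE_SUCCESS = 1      # daily is the minimum
MIN_RETENTION_DAYS = 30         # 30 days minimum, 90+ preferred
MAX_DAYS_SINCE_RESTORE_TEST = 365  # at least an annual documented restore test


@dataclass
class BackupJob:
    name: str
    targets: list[str]                 # destinations written to: "local" and/or "cloud"
    last_success: date                 # date of the last successful run
    retention_days: int                # how far back restore points are kept
    monitored: bool                    # failures alert a person, not a shared inbox
    last_restore_test: Optional[date]  # None means a restore has never been tested


def audit_job(job: BackupJob, today: date) -> list[str]:
    """Return a list of checklist findings for one job (empty list = passes)."""
    findings: list[str] = []
    targets = set(job.targets)

    # 3-2-1: a local copy for fast restores AND an offsite copy for disasters.
    if "local" not in targets:
        findings.append("no local copy; large restores from cloud alone are slow")
    if "cloud" not in targets:
        findings.append("no offsite/cloud copy; fire or ransomware takes local-only backups too")

    # Frequency: the job must have succeeded recently, not just been scheduled.
    age = (today - job.last_success).days
    if age > MAX_DAYS_SINCE_SUCCESS:
        findings.append(f"last successful run was {age} days ago (daily is the minimum)")

    # Retention: dormant ransomware can outlast a short window of restore points.
    if job.retention_days < MIN_RETENTION_DAYS:
        findings.append(f"retention of {job.retention_days} days is below {MIN_RETENTION_DAYS}")

    # Monitoring: an unmonitored job fails silently until the day you need it.
    if not job.monitored:
        findings.append("job failures are not monitored or alerted")

    # Restore testing: a backup you have not restored from is a backup you do not have.
    if job.last_restore_test is None:
        findings.append("never tested a restore")
    elif (today - job.last_restore_test).days > MAX_DAYS_SINCE_RESTORE_TEST:
        findings.append("last documented restore test is older than a year")

    return findings


def audit(jobs: list[BackupJob], today: date) -> dict[str, list[str]]:
    """Audit every job and return findings keyed by job name."""
    return {job.name: audit_job(job, today) for job in jobs}


# Constructed sample inventory (hypothetical jobs, not real systems).
TODAY = date(2024, 6, 1)
SAMPLE_JOBS = [
    BackupJob("file-server", ["local", "cloud"], date(2024, 5, 31), 90, True, date(2024, 3, 15)),
    BackupJob("sql-db", ["local"], date(2024, 5, 20), 7, False, None),
    BackupJob("workstations", ["cloud"], date(2024, 6, 1), 30, True, date(2023, 1, 10)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_JOBS, TODAY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for item in findings:
            print(f"  - {item}")
```

Running it lists each job with its findings: the file-server job passes every check, the database job trips five of them (local-only, stale, short retention, unmonitored, never restore-tested), and the workstation job is flagged for having no local copy and an out-of-date restore test. The point of the exercise is that every line of the checklist becomes a concrete, re-runnable question rather than a "green light" impression.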
For regulated industries
Dental/Medical (HIPAA): Backup and disaster recovery are required implementation specifications of the contingency plan standard under 45 CFR §164.308. You need a documented contingency plan, backup procedures, and a disaster recovery plan. “We have an external drive” is not sufficient documentation.
Municipal: Public records laws require certain records to be retained for defined periods. A backup failure that causes permanent data loss is not just an IT problem — it’s a legal and compliance problem.
Not sure if your backups would actually work? A free IT review includes a look at your backup configuration. Contact RockIT.
Have a specific question about your setup?
Guides cover the general case. A free 30-minute review covers yours.
Schedule a Free IT Review