Skip to main content

Backup & Disaster Recovery

Canonical runbook. Audience-neutral. Referenced by the Operational pages for MSPs and Internal IT Teams.

A backup you haven't tested is a hope, not a safeguard. The entire value of this layer is proven recoverability — the confidence that when something fails or an attacker encrypts your environment, you can get the business back to a known-good state within a time and to a data-loss point you decided in advance.

Define RTO and RPO first

Backup design starts with two business decisions, not technical ones:

  • RTO (Recovery Time Objective) — how long the business can tolerate being down before recovery completes.
  • RPO (Recovery Point Objective) — how much data, measured in time, the business can afford to lose (the gap between backups).

These numbers drive everything else — frequency, technology, and cost. A one-hour RPO and a four-hour RTO cost meaningfully more than nightly backups with a next-day restore. The job here is matching the design to the agreed objectives, not gold-plating by default.

The 3-2-1 rule (and immutability)

The durable baseline for backup architecture:

  • 3 copies of your data,
  • on 2 different media/types,
  • with 1 copy off-site.

Modern ransomware specifically hunts and encrypts backups, so extend 3-2-1 with at least one immutable or offline (air-gapped) copy that can't be altered or deleted even with compromised admin credentials. This is increasingly the difference between a recoverable incident and paying a ransom.

Don't forget Microsoft 365

A common and dangerous assumption: that Microsoft 365 data is backed up by Microsoft. It is replicated for service resilience, but Microsoft operates a shared responsibility model — protecting your data (against accidental deletion, malicious insiders, or ransomware reaching synced files) is your responsibility. Exchange Online, SharePoint, OneDrive, and Teams data should be covered by a dedicated backup solution with retention that meets your needs.

Test restores — the part that's actually the point

Recoverability is only real once it's been demonstrated. Build a routine of:

  • Regular test restores — actually recovering files, mailboxes, or systems, not just confirming a backup job reported success.
  • Periodic DR rehearsals — simulating a larger failure and recovering against your RTO/RPO, ideally to isolated infrastructure.
  • Evidence capture — recording what was tested, when, how long it took, and whether objectives were met. This is what you show a client, an auditor, or an insurer.

The failure you find in a test costs nothing. The one you find in a real incident can cost the business.

Mapping

This runbook implements Essential Eight: Regular backups, and underpins the business-continuity expectations described in the Business Owners Operational page. See the Essential Eight Baseline for the wider model.