The three questions
Auditors working the availability criteria ask, in some form: (1) Do you have a documented backup policy — schedule, retention, encryption, access? (2) Can you show it operating — logs/records covering the whole audit period, not a screenshot from last week? (3) How do you know restores work? The third is where teams reach for 'we restored one in staging once, in 2024'.
What good evidence looks like
A record per backup: when, what, how big, encrypted-with-what. A record per restore test: when, onto what, which checks ran (schema parity, row counts, integrity), pass/fail, duration. Gaps explained. Access to backup storage documented and least-privilege. Retention provably enforced, not aspirational.
Making it automatic
Manual evidence rots between audits. If every backup automatically produces a verification report and the records are append-only, audit prep is an export button. That's Firedrill's Team plan: per-backup check details plus a monthly compliance PDF summarizing policy, every backup, and every restore test.