← All guides

Backup evidence for SOC 2: what auditors actually ask

Mapping backup practice to SOC 2 availability criteria: the policy, the evidence, and the restore-test question that fails teams.

The three questions

Auditors working the availability criteria ask, in some form: (1) Do you have a documented backup policy — schedule, retention, encryption, access? (2) Can you show it operating — logs/records covering the whole audit period, not a screenshot from last week? (3) How do you know restores work? The third is where teams reach for 'we restored one in staging once, in 2024'.

What good evidence looks like

A record per backup: when, what, how big, encrypted-with-what. A record per restore test: when, onto what, which checks ran (schema parity, row counts, integrity), pass/fail, duration. Gaps explained. Access to backup storage documented and least-privilege. Retention provably enforced, not aspirational.

Making it automatic

Manual evidence rots between audits. If every backup automatically produces a verification report and the records are append-only, audit prep is an export button. That's Firedrill's Team plan: per-backup check details plus a monthly compliance PDF summarizing policy, every backup, and every restore test.

A backup you've never restored is a hope, not a backup.

Firedrill restore-tests every backup it takes — on real infrastructure, with the report to prove it.