Checklist

Backup checklist: only the restore counts.

A backup that has never been restored is a hope. This list turns your backup into a resilient concept — tickable point by point.

1. The copies: 3-2-1 (and one offline)

  • Three copies of your data exist (production + two backups)
  • Two different media or systems (not the same NAS twice)
  • One copy lives off-site (another location or EU cloud storage)
  • One copy is offline or immutable — where ransomware cannot reach
  • SaaS data is covered too: Microsoft 365 / email / CRM do not back themselves up

2. The restore: tested, scheduled, owned

  • A full restore has been rehearsed at least once — not just a single file
  • The restore test has a fixed date (e.g. quarterly) in the calendar
  • One person is responsible by name — “IT handles that” does not count
  • You know how long a restore takes and whether that is acceptable for the business
  • The test result is documented (what worked, what was missing, what takes too long)

3. The incident: prepared, not improvised

  • Backup systems are separated from the regular network (own credentials, no domain admin)
  • The order in which systems get restored is documented
  • The documentation stays readable even while your IT is encrypted (printout or external storage)
  • Insurance & reporting duties: you know who to inform in an incident

From the blog: why “we have a NAS” is not a concept — and what the tested restore changes.

Newsletter

Practical notes on self-hosting, digital sovereignty, and IT security for SMEs — about once a month, no spam, unsubscribe anytime.

More open points than expected?

Backups with tested restores are part of my managed operations — the first call is free.