Home Compliance & Certification Cloud Backup Service Guide

Cloud Backup Service Guide

Last updated on Sep 23, 2025

1. Purpose of this Guide

This artefact shows that your company is using cloud provider backup services to protect data. Cyber Essentials requires this because relying on the cloud alone is not enough — you must prove backups are configured, running, and monitored. This evidence demonstrates that data stored in SaaS, PaaS, or cloud systems is recoverable in case of failure, corruption, or cyberattack.

2. What You Will Submit

You will need:

  • screenshot from your cloud provider’s backup or version control feature.

  • Acceptable sources include:

    • Database snapshots (e.g. MongoDB Atlas, AWS RDS).

    • File storage version history (e.g. SharePoint, Google Drive, Dropbox).

    • Source code repository history (e.g. GitLab, GitHub).

  • Screenshot should clearly show:

    • Service name and environment (e.g. “MongoDB Atlas → Backups”).

    • Backup schedule or snapshot list (timestamps, frequency).

    • Retention policy (e.g. 7 days, 30 days).

3. How to Collect / Obtain / Generate This Evidence

SharePoint / OneDrive (File storage):

  1. Navigate to a critical document in SharePoint.

  2. Open Version history.

  3. Screenshot showing multiple saved versions with dates, sizes, and user IDs.

Google Workspace / Drive:

  1. Right-click on a business-critical file → choose Version history.

  2. Screenshot with dates and editors displayed.

GitLab / GitHub (Code repositories):

  1. Open your repository → Commits page.

  2. Screenshot the commit log showing date, author, and version history.

AWS Backup / RDS / S3:

  1. In AWS Console, go to AWS Backup.

  2. Open your Backup Plans or Vaults.

  3. Screenshot showing policy schedule and completed backup jobs.

MongoDB Atlas (Database backups):

  1. Log in to MongoDB Atlas Console.

  2. Select the cluster → open Backups tab.

  3. Screenshot showing snapshot schedule and retention (e.g. daily/hourly).

4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_CloudBackupService_YYYY-MM-DD.png

5. What “Good” Looks Like

  • Screenshot shows real, configured backups — not just a blank page.

  • Includes timestamps and frequency/retention details.

  • Identifies the cloud service name (e.g. AWS, MongoDB, SharePoint).

  • Shows multiple entries/versions to prove continuity.

Why it matters: auditors want to confirm that cloud-stored data isn’t just “assumed safe,” but actively protected by provider tools with your oversight.

6. Tips

  • Always redact sensitive project or database names before uploading.

  • Pair multiple screenshots if needed (e.g. one from DB, one from SaaS).

  • Review provider SLAs — some cloud services don’t back up by default.