1. Purpose of this Guide
This artefact proves that your company not only runs backups but also keeps proper records of them. Cyber Essentials requires this because “set and forget” backups are useless if they fail silently. Documenting backup dates, status, and test restores ensures data really can be recovered when disaster strikes.
2. What You Will Submit
You will need:
-
A Data Backup Records document or spreadsheet.
-
It should show:
-
Date and time of backup.
-
Systems or data covered (e.g. finance files, HR folders, databases).
-
Backup location (cloud, physical disk, NAS).
-
Status (successful, failed, partial).
-
Last restore test performed (date and outcome).
-
3. How to Collect / Obtain / Generate This Evidence
-
If you already keep records:
-
Export from your backup tool (e.g. Veeam, Acronis, AWS Backup, Microsoft 365).
-
Or extract logs and format them into a clear table.
-
-
If you don’t yet:
-
Create a simple spreadsheet using the Data Backup Records Template from StrongKeep.
-
Add columns for: Date, System/Data, Location, Status, Restore Test Date, Remarks.
-
Update the log each time backups run (automated tools often email reports you can copy here).
-
Perform and log at least one test restore to prove recoverability.
-
4. Evidence Format
-
Accepted file types: XLSX, CSV, PDF.
-
Suggested naming format:
YourCompanyName_DataBackupRecords_YYYY-MM-DD.xlsx
Example:AcmeCorp_DataBackupRecords_2025-07-01.xlsx
5. What “Good” Looks Like
-
Consistent entries — not just a single line from months ago.
-
Covers all critical systems and datasets.
-
Shows regular testing (at least annually restore validation).
-
Status clearly marked (Success / Failed) so issues are visible.
Why it matters: auditors want assurance that backups aren’t theoretical, but actively monitored and verified.
6. Tips
-
Automate record collection if possible — many tools export logs.
-
Keep at least 12 months of records for audit purposes.
-
If using third-party IT providers, make sure they supply logs you can incorporate.