Think about Phil Connors in Groundhog Day. Every morning he wakes up in Punxsutawney, February 2nd, over and over again. At first it's a nightmare. Eventually, he realizes something: the loop is a gift. He can practice. He can rehearse. He can get it right, because tomorrow he gets another shot.
Now imagine Phil wakes up one morning and the loop just stops. Permanent. Real. And he never once used those repeated days to actually prepare for the world beyond Punxsutawney.
That's an untested backup. You assume it works. You rely on it. And then the moment you desperately need it (ransomware, a failed drive, an accidental deletion), you find out it doesn't.
What Is CIS Safeguard 11.5?
CIS Safeguard 11.5, Test Data Recovery, falls under CIS Control 11: Data Recovery. The safeguard itself is simple and direct: test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Not "make sure backups are running." Not "verify backup jobs completed." Actually restore data from backup and confirm the restoration works.
There's a meaningful difference between those things.
Why It Matters
Backups fail silently. A backup job can report success for months while writing corrupt data, backing up empty directories, or storing files that can't actually be read back. You won't know until you try to restore, and by then you're already in the middle of an incident.
The stakes here are high. Organizations that survive ransomware events are the ones that had tested, working backups and a clear recovery process. Organizations that pay ransoms or lose data permanently? Many of them had backup solutions that simply hadn't been tested. One caveat: a restore test only proves the copy you tested is good. If ransomware can reach that same copy and encrypt it, the test bought you nothing, so at least one copy needs to be offline or immutable.
This safeguard applies to Implementation Groups 2 and 3 (IG2 and IG3), meaning it's expected of any organization with moderate or elevated security maturity. But it's also one of the most commonly skipped steps in actual practice.
What You Should Be Doing
Testing backup recovery isn't a one-time event and it isn't just for IT to check a box. Here's how to actually implement it:
- Define your in-scope assets. Not everything needs to be tested every quarter, but you need a documented list of critical systems (file servers, databases, domain controllers, key SaaS data exports) and a rotation schedule that ensures each of them gets tested over time.
- Run actual restores, not just integrity checks. Checksum verification and backup job logs are useful, but they don't prove you can restore. Restore into an isolated test environment, never over the production system, and actually pull the data back. Verify it's readable. Verify it matches what was backed up (a checksum captured at backup time gives you something independent to compare against). Verify the application can use it.
- Test the full recovery process, not just the data. Can you restore a server from scratch using your backup? How long does it take? Does your team know the steps? Where are the backup credentials and encryption keys kept? If they live only on the system you're restoring, you can't decrypt the backup. A recovery procedure that exists only in someone's head is not a recovery procedure.
- Document what you tested and what you found. Date, asset, backup source, restore target, who ran it, result, time to restore. This documentation matters for audits, for after-action reviews, and for identifying patterns when something breaks.
- Track recovery time against your RTO, and the age of the restored data against your RPO. If your business requires a system back online within four hours and your test restore takes nine, you have a gap, and now is the time to know about it, not during an incident.
- Fix what you find. This sounds obvious, but it's the step that gets deferred. If a restore test reveals a problem, that's a finding that needs a remediation ticket, a timeline, and an owner. Not a footnote.
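The restore, the verification against a checksum captured at backup time, the RTO check and the record to file, put together as one runnable harness. This is an added example, not the article's or CIS's code. It assumes a gzip tarball stands in for your backup product, and the asset name, paths and sample files are constructed; `demo()` runs three scenarios on that constructed data: a clean restore, a source file silently emptied before the job ran, and an archive truncated on disk. In both failure cases the backup job itself would still have reported success.

```python
"""Restore-test harness (added example, not the article's code).

Extract a backup archive into a scratch directory, verify every restored file
against a SHA-256 manifest captured at backup time, time the restore against
the RTO, and return the record you would file for the audit trail.
The tar.gz 'backup product', asset names and sample files are assumptions.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large restores are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root. Capture this at backup
    time and keep it apart from the backup, so the restore test has an independent
    reference instead of trusting whatever the archive happens to contain."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> None:
    """Stand-in for the backup job (assumption): a gzip tarball of src."""
    with tarfile.open(archive, "w:gz") as tf:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tf.add(p, arcname=str(p.relative_to(src)).replace(os.sep, "/"))


def restore_test(asset: str, archive: Path, manifest: dict,
                 restore_dir: Path, rto_seconds: float) -> dict:
    """One documented restore test: date, asset, source, target, result, time."""
    findings = []
    start = time.monotonic()
    try:
        with tarfile.open(archive, "r:gz") as tf:
            # The 'data' filter (3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
            # rejects absolute paths, '..' traversal and device nodes in the archive.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(restore_dir, **opts)
    except Exception as exc:  # any failure to read the archive back is a finding
        findings.append(f"restore failed: {exc!r}")
    seconds = round(time.monotonic() - start, 3)
    if seconds > rto_seconds:
        findings.append(f"RTO exceeded: {seconds}s > {rto_seconds}s")
    # Verify what actually came back, file by file, against the manifest.
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            findings.append(f"corrupt: {rel}")
    return {
        "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "asset": asset,
        "backup_source": str(archive),
        "restore_target": str(restore_dir),
        "seconds": seconds,
        "rto_seconds": rto_seconds,
        "rto_met": seconds <= rto_seconds,
        "findings": findings,
        "result": "PASS" if not findings else "FAIL",
    }


def demo() -> dict:
    """Constructed sample run: a clean restore, a backup whose source file was
    silently emptied before the job ran, and an archive truncated on disk."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileserver"                      # constructed asset
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(src)

        good = tmp / "fileserver-good.tgz"
        create_backup(src, good)
        results["good"] = restore_test("fileserver", good, manifest, tmp / "r1", 3600)

        (src / "finance" / "ledger.csv").write_text("")   # app left an empty file
        empty = tmp / "fileserver-empty.tgz"
        create_backup(src, empty)
        results["silent_corruption"] = restore_test("fileserver", empty, manifest, tmp / "r2", 3600)

        trunc = tmp / "fileserver-trunc.tgz"
        trunc.write_bytes(good.read_bytes()[:40])      # archive cut short on disk
        results["truncated"] = restore_test("fileserver", trunc, manifest, tmp / "r3", 3600)
    return results


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec["result"], rec["seconds"], rec["findings"])
```

The returned dict is the evidence the Document step asks for; in practice you would append it to a log or ticket system and open a remediation ticket for every record whose result is FAIL.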
Final Thoughts
Phil Connors eventually got it right, but only because he used his repeated days to actually practice. He didn't just assume he knew how to play piano; he sat down and learned. He didn't assume he could save the kid falling from the tree; he went out and caught him.
Your quarterly restore test is the loop. Use it. Because when the ransomware hits or the drive fails, the loop stops, and that's when you find out whether all that practice meant anything.
Free Resource: The CIS Controls are available at no cost at cisecurity.org. If you're not sure where your organization stands, CIS also offers free self-assessment tools.
Interested in where your backup and recovery program actually stands? DM me, happy to talk through it.
CIS Control and Safeguard
CIS Control 11: Data Recovery
CIS Safeguard 11.5: Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Shameless Marketing Information
Gotham offers backup and disaster recovery assessment services; we'll help you find out whether your backups actually work before an incident forces the question.