SOC 2 Recovery Testing (A1.3)

Overview:
The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Action Items:
1) Create a data archival and backup policy and related procedures and publish on the company intranet for employees to access and review.
2) Inspect the most recent data restore of backup files to determine that IT personnel performed restoration of backup files as a component of business operations
3) Inspect the data restore procedure document and the most recent DR restore to determine that a DR restoration exercise is performed and tested on at least an annual basis.

Related Documents:
1) Data archival and backup policy
2) Evidence of the most recent data restore performed

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:

1) Implements Business Continuity Plan Testing—Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.
2) Tests Integrity and Completeness of Back-Up Data—The integrity and completeness of back-up information is tested on a periodic basis.