Data Backup Verification Checklist

Pull the current asset list from the RMM or CMDB (NinjaOne, Datto RMM, IT Glue) and cross-check against the backup console (Veeam, Datto, Rubrik, AWS Backup). Flag any production VMs, endpoints, or M365/Google Workspace tenants that are not enrolled in a backup job.

Verify three copies of data, on two media types, with at least one offsite copy. For cloud-native workloads confirm cross-region replication (AWS Backup vault, Azure Backup GRS) plus an immutable copy.

Match each system's backup frequency to its documented RPO and the restore SLA to its RTO. Tier-1 systems (production DB, identity provider) typically need RPO ≤ 1 hour; tier-3 (developer workstations) may tolerate 24 hours.

Export the job report from Veeam One, Datto Status, or Rubrik Polaris. Investigate any job with a success rate below 98% — repeated VSS errors and stale agents are the usual culprits.

Create a P2 ticket in the PSA (ConnectWise, HaloPSA, Jira Service Management) for each failing job with the asset name, last successful run, error code, and assigned owner. Do not close until two consecutive successful runs are confirmed.

Confirm AES-256 at rest on the backup repository and TLS 1.2+ in transit. For cloud vaults, confirm KMS or customer-managed keys are in use, not vendor-default keys.

Verify object lock (S3 Object Lock, Azure Blob immutable storage) or hardened repository is enforced on at least one copy. Ransomware actors target backup consoles first — an admin-deletable copy is not a recovery copy.

Pick one file-level, one VM-level, and one SaaS object (M365 mailbox or SharePoint site) at random. Spot-restores catch silent corruption that job-success metrics miss.

Restore to a quarantine share, never overwriting production. Verify file hash matches the source where possible.

Boot the VM in an isolated network (Veeam SureBackup, Datto Screenshot Verification, Rubrik Live Mount). Confirm OS boots, services start, and application heartbeat responds.

Page the on-call engineering lead via PagerDuty or Opsgenie when a restore fails. A failed restore is a P1 finding — the system has no recovery path until it's fixed and re-tested.

If the primary repository is corrupt, initiate seed restore from the offsite/immutable copy. Document the chain-of-custody for any copy moved across regions or accounts.

Pull capacity metrics from the backup console. Project 90-day growth and order capacity now if free space drops below 20% — repository fill is the #1 cause of silent backup-job failure.

Expire backups past retention except those under legal hold. Confirm with GRC or legal that no active hold blocks disposal before purging.

Refresh the backup runbook in IT Glue, Hudu, or Confluence with any changes from this cycle — new asset coverage, schedule changes, repository targets, contact escalation paths.