Backup Is Not Recovery Assurance | Why Recovery Evidence Matters

  • Daniel Smith
  • 9 hours ago
  • 7 min read

Most organisations have backups. Few can prove recovery.


[Figure: Dark executive cyber resilience graphic showing a recovery assurance gauge, contrasting backup status with proven recovery confidence.]
Most organisations can show backup activity. Recovery assurance shows whether the business can restore trusted data, identity, permissions and evidence when it matters.

Most organisations can answer the first question quickly.

Do we have backups?

The answer is usually yes.

There is a backup platform. Retention settings. Snapshots. Green ticks. Perhaps a report showing successful jobs.

But that is not the question that matters when something goes wrong.

The harder question is:

Can the organisation prove it can recover?

Not just recover a file.

Not just restore an email.

Not just bring back a record.

Can it recover the right data, from the right point in time, with the right permissions, identity state, metadata, relationships, workflows and evidence?

Most organisations discover the answer only after an incident, audit, cyber insurance renewal or executive review asks for evidence.

Not confidence.

Evidence.

That is where backup ends and recovery assurance begins.


What the gap looks like in practice

Consider an organisation that discovers unusual account activity over a weekend.

Backups are running.

Jobs are green.

A restore is initiated.

The mailbox comes back.

But the wider investigation reveals compromised accounts that had been active for six days before detection.

The restore point before the compromise is unclear.

Permissions across SharePoint have drifted.

The identity state in Entra ID - conditional access policies, MFA methods and privileged role assignments - is uncertain.

The question is no longer whether the data exists.

It is whether the recovered environment can be trusted.

That is not a backup failure.

That is a recovery assurance gap.


[Figure: Two-column cyber resilience graphic comparing protected backups with recoverable business state, including restore points, permissions, identity validation and evidence.]
A protected workload may have backups, retention and green job status. A recoverable workload has a known-good restore point, trusted identity, restored permissions and evidence captured.

Protected is not the same as recoverable

This is the starting point.

The first step is separating what is merely included in a backup, retention policy or native recovery feature from what can actually be restored, verified and explained when it matters.

A workload can be protected on paper and still fail the real recovery test.

  • The data may be there, but not in the form the business needs.
  • The restore may work technically, but not restore operational confidence.
  • The files may return, but the structure may not.
  • The user account may exist, but the access model may no longer be trusted.
  • The record may be recovered, but the evidence trail may be incomplete.

This is why recovery assurance is not a product checkbox.

It is a confidence question.

Can the organisation show what is recoverable, what is partially recoverable, what is unknown and what is exposed?


The real recovery problem is no longer just data

SaaS platforms changed the shape of recovery.

For many organisations, the three most critical platforms are Microsoft 365, Entra ID and Salesforce.

Each carries considerably more than data.

Microsoft 365

Exchange Online.

SharePoint.

OneDrive.

Teams.

Groups.

Permissions.

Collaboration history.

Records.

Workflow.

Entra ID

Users.

Groups.

Privileged roles.

Conditional access.

Enterprise applications.

Authentication methods.

Control-plane trust.

Salesforce

Objects.

Relationships.

Metadata.

Profiles.

Permissions.

Flows.

Automation.

Commercial truth.

Google Workspace, Jira, Confluence, Zendesk, GitHub, Azure DevOps, Power Platform and other SaaS platforms carry similar business context.

Context is what makes data usable.

The recovery question is no longer:

Can we get the data back?

It is:

Can we restore the business state the data depends on?

That is a much harder question.


Green ticks can create false confidence

Backup platforms are good at showing operational success.

Jobs completed.

Snapshots taken.

Policies applied.

Retention running.

Errors cleared.

That information matters.

But it can also create a dangerous illusion if nobody has tested what recovery actually looks like in practice.

Green backups do not answer questions such as:

  • Can we recover from a known-good point before the damage occurred?
  • Can we recover without depending on the same tenant, identity plane or administrative path that failed?
  • Can we restore permissions, structure, metadata and relationships?
  • Can we prove who restored what, when and why?
  • Can we show evidence to an auditor, insurer, board or customer?
  • Can we validate the recovered state before trusting it again?

That is the difference between operational backup status and recovery assurance.

One tells you backup activity happened.

The other tells you whether the organisation can recover with evidence.
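As an added illustration (not the article's own tooling), the following Python sketch turns three of the questions above into checks: pick a restore point that predates the earliest compromise evidence by a safety margin, compare the privileged-role state captured with that copy against an approved baseline before trusting it, and write a hashed evidence record of who restored what, when and from which copy. The copy identifiers, account names and dates are constructed sample values; in practice the role sets would come from the identity platform's own export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib, json

@dataclass(frozen=True)
class RestorePoint:
    copy_id: str            # identifier of the backup copy (constructed sample value)
    taken_at: datetime      # when the copy was taken
    privileged_roles: dict  # user -> set of directory roles captured with the copy

def select_known_good(points, first_compromise, margin=timedelta(hours=24)):
    """Latest copy taken before the earliest compromise evidence, less a safety margin;
    None when no copy predates the window, which is itself a finding to record."""
    cutoff = first_compromise - margin
    candidates = [p for p in points if p.taken_at <= cutoff]
    return max(candidates, key=lambda p: p.taken_at) if candidates else None

def role_drift(approved, restored):
    """Roles present in the restored state that the approved baseline does not grant."""
    drift = {}
    for user, roles in restored.items():
        extra = set(roles) - set(approved.get(user, ()))
        if extra:
            drift[user] = sorted(extra)
    return drift

def evidence_record(point, approved, operator, reason, restored_at):
    """Who restored what, when, from which copy, and whether the result passed validation."""
    drift = role_drift(approved, point.privileged_roles)
    record = {
        "copy_id": point.copy_id,
        "copy_taken_at": point.taken_at.isoformat(),
        "restored_at": restored_at.isoformat(),
        "operator": operator,
        "reason": reason,
        "role_drift": drift,
        "validated": not drift,  # do not trust the restored tenant until drift is empty
    }
    # Hash the canonical JSON so the record can later be shown unaltered to an auditor.
    record["sha256"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record

# Constructed sample data: three copies around a compromise first evidenced on 6 May.
UTC, GA = timezone.utc, {"Global Administrator"}
APPROVED_ROLES = {"alice": GA}
POINTS = [
    RestorePoint("copy-01", datetime(2024, 5, 1, 2, tzinfo=UTC), {"alice": GA}),
    RestorePoint("copy-02", datetime(2024, 5, 5, 2, tzinfo=UTC), {"alice": GA}),
    RestorePoint("copy-03", datetime(2024, 5, 9, 2, tzinfo=UTC), {"alice": GA, "svc-mailflow": GA}),
]
FIRST_COMPROMISE = datetime(2024, 5, 6, 8, tzinfo=UTC)
```

With the sample data, `select_known_good(POINTS, FIRST_COMPROMISE)` returns copy-02, and an evidence record built from copy-03 is marked not validated because an unapproved account holds a privileged role.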


Recovery assurance is about evidence

Recovery assurance is the ability to prove recovery can work.

That means being able to answer six questions.


The six recovery assurance questions


  1. What is protected?
     Which platforms, workloads, users, groups, objects, records, files, metadata, permissions and configurations are included?

  2. What is recoverable?
     Can the organisation restore the parts that matter to the business, not just isolated data?

  3. How independent is recovery?
     Does recovery depend on the same SaaS tenant, cloud boundary, identity system or administrative control path involved in the incident?

  4. What has been tested?
     Has recovery been validated against real scenarios, or only assumed from backup success?

  5. What evidence exists?
     Can the organisation show restore history, access control, recovery timing, source copy, operator action and recovered state?

  6. What is still unknown?
     Which areas are not tested, not documented or not clearly owned?


Unknown is not neutral.

Unknown is risk that has not yet been named.


[Figure: Four-stage recovery confidence matrix showing confirmed, documented, assumed and unknown recovery states from proven recovery evidence through to exposed risk.]
The goal of recovery assurance is to move recovery confidence from assumed or unknown to documented, tested and evidenced.

Cyber insurance and audit conversations are getting sharper

Cyber insurers, auditors and governance reviewers are increasingly asking recovery-specific questions.


Not simply:

Do you have backups?


But:

Independence

  • Are backup copies separated from the affected environment?
  • Are backups immutable, isolated or protected from deletion?
  • Is privileged access to recovery controlled and MFA enforced?

Testability

  • Has recovery been tested against real scenarios?
  • Can critical systems be restored within required timeframes?
  • Are SaaS and third-party dependencies understood?

Evidence

  • Can evidence be shown if a claim, audit or review occurs?
  • Are Microsoft 365, Entra ID and Salesforce included in the recovery evidence story?
  • Who owns recovery assurance, testing and improvement?


A backup policy alone will not answer those questions.

Recovery evidence will.


Recovery assurance closes the gap between confidence and proof

Many organisations are confident until they have to prove recovery.

That is the dangerous gap.


[Figure: Executive infographic comparing recovery confidence statements with proof-based recovery assurance evidence.]
Confidence says backups exist. Proof shows what can be restored, who can recover it, how it is governed, what has been tested and what evidence can be produced.

Confidence says:

  • We have backup.
  • Jobs are green.
  • Retention is set.
  • We have never had a problem.
  • We would figure it out.
  • Our provider handles it.

Proof says:

  • We know what is protected.
  • We know what can be restored.
  • We know who can recover it.
  • We know how recovery is governed.
  • We know what has been tested.
  • We know what evidence we can produce.

That is the purpose of a Recovery Assurance Review™.

Not to create another theoretical assessment.

Not to produce a 40-page report nobody reads.

Not to make recovery more complicated than it needs to be.

The purpose is to make the current recovery position visible.

What is confirmed.

What is partial.

What is unknown.

What is exposed.

Once that is clear, the next step becomes much easier.


What the Recovery Assurance Review™ looks for


[Figure: Framework graphic showing the key areas assessed in a Recovery Assurance Review, including evidence, SaaS coverage, identity dependency, cloud boundary risk and governance.]
The Recovery Assurance Review™ assesses recovery evidence, SaaS platform coverage, identity dependency, cloud boundary risk, critical workload exposure and governance ownership.

The Recovery Assurance Review™ is designed to make recovery risk visible across the areas that matter most.

It looks beyond backup status and asks where recovery can be proven.

Recovery evidence

Can the organisation show what was recovered, when, by whom and from which copy?

SaaS platform coverage

Are Microsoft 365, Entra ID, Salesforce and other critical workloads properly included?

Identity dependency

Could Entra ID, Okta or another identity platform become the recovery bottleneck?

Cloud boundary risk

Do backup and recovery depend on the same provider, tenant or control plane as production?

Critical dependency analysis

Which platforms could materially constrain recovery if they failed?

Cyber insurance evidence

Can the organisation support renewal, underwriting or claims conversations with recovery proof?

Governance and ownership

Who owns recovery assurance, testing, evidence and improvement?

It is not simply about whether data exists.

It is about whether recovery can be trusted.

Backup remains essential.

Without it, recovery options shrink quickly.

But backup is only one part of the story.

Backup proves data was copied.

Recovery proves data can be restored.

Recovery Assurance proves the organisation can trust what comes back.

That is the difference that matters when the incident, audit, insurer, customer or board asks the harder question:

Can you prove recovery?


Recovery Assurance FAQ

What is recovery assurance?

Recovery assurance is the ability to prove that business-critical data, identity, permissions and configurations can be recovered, trusted and evidenced following an incident, audit, cyber insurance review or executive request.

Is backup the same as recovery assurance?

No. Backup proves data was copied. Recovery assurance proves the organisation can recover the right data, from the right point in time, with the right permissions, identity state and evidence.

Why is recovery evidence important?

Recovery evidence helps an organisation show what was restored, when it was restored, who performed the recovery, which copy was used and whether the recovered state can be trusted.

Does Microsoft 365 provide recovery assurance?

Microsoft 365 provides native retention and recovery capabilities, but organisations still need to validate recovery requirements, identity dependencies, permissions, evidence and governance obligations.

What does a Recovery Assurance Review™ assess?

A Recovery Assurance Review™ assesses recovery evidence, SaaS platform coverage, identity dependency, cloud boundary risk, critical workload exposure, governance ownership and recovery confidence.


Start your Recovery Assurance Review™


[Figure: Dark call-to-action graphic inviting users to complete the Recovery Assurance Review to identify SaaS recovery assurance gaps.]
Complete the Recovery Assurance Review™ to identify recovery evidence gaps, identity dependency, cloud boundary risk and critical SaaS recovery exposures before an incident exposes them.

The Recovery Assurance Review™ provides a structured assessment of:

  • Recovery evidence
  • SaaS platform coverage
  • Identity dependency
  • Cloud boundary risk
  • Critical workload exposure
  • Recovery confidence

Complete the assessment and identify the recovery gaps before an incident finds them for you.

