Owner: CTO, with CISO
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC7.5 (recovery from disruption) and A1.2 / A1.3 (backup and recovery testing); ISO/IEC 27001 A.5.30 (ICT readiness for continuity) and A.8.13 (information backup). Implements the Business Continuity & DR Policy.
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC7.5 (recovery from disruption) and A1.2 / A1.3 (backup and recovery testing); ISO/IEC 27001 A.5.30 (ICT readiness for continuity) and A.8.13 (information backup). Implements the Business Continuity & DR Policy.
Scope timing. CC7.5 is a Common Criteria (Security) control and these tests operate now. Consistent with the Business Continuity & DR Policy, the Availability (A1) operating-effectiveness evidence these tests also support is not attested in the initial Security-only window — it accrues into the first subsequent Type II window (Sep 2026 – Sep 2027) when the Availability criterion comes into scope.
Cadence
- Backup-restore test (per data store) — at least quarterly.
- Full DR exercise (tabletop or live) — at least annually; at least one live failover per two-year period.
- Triggered test — after any change that materially alters backup format, target store, encryption keys, or RTO/RPO; after any failed restore in production.
Scope
In-scope data stores and recovery paths are enumerated in the RTO/RPO Matrix. At a minimum the following are exercised on the quarterly cadence:| Class | Examples | Test type |
|---|---|---|
| Production databases | Aurora / Postgres customer-data instances | Restore latest snapshot to an isolated VPC; verify row counts and key checksums |
| Object storage | S3 customer-data buckets, audit-log Object-Lock buckets | Restore a representative prefix; verify checksums and lock state |
| Configuration & secrets | HashiCorp Vault, KMS key material backups | Restore to a staging Vault; verify auth methods and policy enumeration |
| Source of truth | GitHub neuroscale org repository archives | Verify the offline archive can be re-cloned and contains the most recent tag |
Trigger
The CTO opens a Linear issue at the start of each quarter:- Title:
DR & Backup-Restore Test — <Quarter> <Year> - Owner: SRE on-call lead for the quarter
- Linked artifacts: RTO/RPO Matrix, test plan, evidence pack, sign-off.
Process — quarterly backup-restore test
- Plan. SRE on-call lead drafts a test plan from the RTO/RPO Matrix. The plan names: data store(s), source snapshot ID, target environment (isolated VPC), success criteria (row counts, checksums, app-level smoke), and the RTO/RPO targets being verified.
- Approve. CISO and CTO approve the plan in the Linear issue before execution.
- Execute. SRE on-call lead performs the restore in the isolated environment. Production is never the target of a restore test. Wall-clock duration is recorded.
- Verify. Success criteria are evaluated. For database restores, row counts and the latest few primary keys are checked against the source snapshot’s manifest; for object storage, a representative prefix is checksummed; for Vault, auth-method and policy enumeration is diffed against the live tenant.
- Record. Test results — pass/fail, wall-clock vs RTO target, data-loss window vs RPO target, anomalies — are added to the Linear issue. Any failure or RTO/RPO miss is filed as an incident per the Incident Response Policy with severity assigned by the CISO.
- Tear down. The isolated environment is destroyed within 24 hours of test completion to avoid lingering data copies.
- Sign off. CTO and CISO sign off on the test outcome in the Linear issue.
Process — annual DR exercise
The annual exercise extends the quarterly test with:- A tabletop walkthrough of one root-compromise playbook and one customer-impacting outage scenario, with the engineering on-call, CTO, CISO, and (where customer comms is in scope) GC and customer-success lead.
- A live failover in alternating years — failing over a customer-data-bearing service to its DR target and serving production traffic from the DR target for at least one hour before failing back. The decision to run live (vs. tabletop-only) for any given year is made by the CTO and CISO at the start of the year and recorded in the Compliance Calendar.
Evidence
For every test, the following are retained in the SharePoint evidence library used for SOC 2 / ISO 27001 audits:- Approved test plan (with CTO + CISO sign-off).
- Execution log — start time, end time, commands run (or runbook checklist completed), screenshots of verification.
- Pass/fail determination with comparison to RTO/RPO targets.
- Linear issue link (which threads the audit trail).
- For annual exercises: tabletop attendance list and the run-book diff (any updates the exercise motivated).
Escalation
A failed restore — restore did not complete, data did not match source, or RTO/RPO targets were missed — is filed as a Severity 2 incident at minimum. The CISO may upgrade severity. Remediation is tracked through the Incident Response Policy post-incident-review process and reported at the next ISMS Management Review.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 15, 2026 | Initial version — implements Business Continuity & DR Policy, SOC 2 CC7.5 / A1.2 / A1.3, ISO 27001 A.5.30 / A.8.13 | Cameron Wolfe | Ishan Jadhwani |