Backup Types and Restore Readiness
Key Takeaways
- Full backups copy all selected data and are simplest to restore but use the most time and storage.
- Incremental backups copy changes since the last backup of any type, saving space but requiring a longer restore chain.
- Differential backups copy changes since the last full backup, balancing storage use with simpler restoration.
- Backup value depends on successful, tested restoration, not on a successful backup job completing.
- The 3-2-1 rule and immutable, offline copies defend backups against ransomware and site-level loss.
Why Backups Are Heavily Tested
Backups are among the most tested DR controls because they are easy to describe in scenarios and easy to misunderstand. A backup is a protected copy of data or configuration that can be restored after deletion, corruption, ransomware, hardware failure, a failed change, or site loss. The goal is not to create backup files. The goal is to restore usable business capability within the required RTO and RPO.
Common Backup Types
| Backup type | What it copies | Restore pattern | Tradeoff |
|---|---|---|---|
| Full | All selected data | Restore the full backup | Simple restore, most storage and time |
| Incremental | Changes since the last backup of any type | Full backup plus every incremental in order | Smallest storage, longest chain |
| Differential | Changes since the last full backup | Full backup plus the latest differential | More storage than incremental, simpler restore |
| Snapshot | Point-in-time state of a volume, VM, or database | Revert or mount the snapshot | Fast, but may depend on the source platform |
| Replication | Continuous copy to another system or site | Promote replica or fail over | Lowest RPO, but corruption replicates too |
Work the chains carefully, because the exam tests them. After a Sunday full backup: Monday's incremental copies only Monday's changes; Tuesday's incremental copies only Tuesday's changes since Monday. To restore to Tuesday you need Sunday full plus Monday incremental plus Tuesday incremental — three pieces, and any missing link breaks the chain. With differentials, Tuesday's differential copies everything changed since Sunday, so restoring to Tuesday needs only Sunday full plus Tuesday differential — two pieces.
Incrementals back up faster and smaller but restore slower; differentials grow larger each day but restore faster.
Restore Readiness and the 3-2-1 Rule
A successful backup job does not prove recovery. DR teams need restore testing: periodically restoring files, databases, virtual machines, and application configurations into a safe isolated environment and verifying integrity. Verification can include checksum comparison, application startup, login testing, transaction testing, report generation, and user acceptance for critical workflows.
A durable design follows the 3-2-1 rule: keep at least 3 copies of important data, on 2 different media types, with 1 copy stored offsite. Many organizations extend this to 3-2-1-1-0 — adding 1 offline/immutable copy and 0 verified restore errors.
Backups must also be protected, because ransomware deliberately targets backup repositories. Practical controls include access control, encryption, separate credentials, immutability (write-once copies), offline or logically isolated copies, monitoring, and retention matched to business and legal needs. Backup metadata and restore instructions must be reachable during an outage — not locked inside the unavailable environment.
Backing Up AI and Configuration Assets
Modern DR planning extends beyond ordinary database backups. If a business function depends on AI, the team must recover more than the application server.
| AI asset | Why it matters |
|---|---|
| Model weights or packaged versions | Needed to redeploy the same approved model |
| Training and fine-tuning datasets | Needed to reproduce or validate model behavior |
| Feature definitions and preprocessing code | Needed so inputs transform consistently |
| Prompts, system instructions, retrieval config | Needed for controlled application behavior |
| Vector indexes and embeddings | Needed for retrieval-augmented generation |
| Evaluation sets and approval records | Needed to confirm restored quality and risk posture |
| Runtime configuration and access policies | Needed to redeploy securely |
Scenario: a support chatbot uses a vetted model, a product-knowledge vector store, content filters, prompt templates, and evaluation reports. Restoring only the application server would not restore the business function. The DR plan must identify the model version, dataset source, vector index backup, prompt configuration, API keys, deployment pipeline, and validation tests.
Exam Reasoning Shortcuts
- Easiest/fastest to restore? Full backup — one piece, no chain.
- Least storage and fastest backup window? Incremental — only changes since the last backup.
- Balance of restore simplicity and storage? Differential — full plus latest differential.
- What proves recovery works? Restore testing and validation, never job completion alone.
- Defense against ransomware deleting backups? Immutable and offline/air-gapped copies.
Retention, Encryption, and Where Backups Live
Beyond the type of backup, the CC exam tests the operational details that make backups usable and safe. Retention defines how long copies are kept, and it must satisfy both business needs and legal or regulatory requirements — keeping data too briefly risks losing recoverable history, while keeping it too long raises privacy and storage exposure. Encryption protects backup confidentiality at rest and in transit, because a stolen backup tape or copied cloud bucket exposes the same data as a breach of production.
Where a backup lives drives how well it survives. An onsite copy restores fastest but shares the fate of the building. An offsite copy survives site-level events such as fire or flood. A cloud copy adds geographic distance and automation. An offline or air-gapped copy — physically or logically disconnected — is the strongest defense against ransomware that hunts for reachable backup repositories. Combining locations is exactly why the 3-2-1 rule exists.
| Storage location | Strength | Weakness |
|---|---|---|
| Onsite | Fast restore | Lost with the facility |
| Offsite | Survives site loss | Slower retrieval |
| Cloud | Distance, scale, automation | Depends on connectivity and access controls |
| Offline / air-gapped | Resists ransomware | Manual handling, slower restore |
A final reasoning rule the exam rewards: the RPO drives backup frequency. If the tolerable data loss is one hour, hourly snapshots or continuous replication are required; nightly full backups alone cannot meet a one-hour RPO. Match the schedule to the objective, not to convenience.
Which backup type copies only the changes since the last backup of any type, producing the smallest backup files but the longest restore chain?
To restore to Tuesday after a Sunday full backup, which set requires only TWO pieces of media?
A backup job reports success every night, yet the organization cannot recover after an outage. What practice was most likely missing?