---
name: backup-strategy-designer
description: Design an SMB-appropriate backup strategy aligned to the 3-2-1-1-0 rule — with RPO/RTO per service class, restore-test schedule, immutable and offline copies, ransomware considerations, and a named owner per workload.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, Infrastructure Leads, CTOs, MSPs building backup services, DPOs validating retention
output_format: Formatted Markdown plan with service inventory, classification, backup topology, restore-test schedule, ransomware resilience section, cost estimate, and a 90-day implementation roadmap.
license: MIT
last-reviewed: 2026-04
---

# Backup Strategy Designer

A Claude Code skill for the IT manager whose backup arrangement is "we think there's a job running" — producing a real strategy with RPO/RTO per service, tested restores, immutable copies, and ransomware resilience.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/backup-strategy-designer`. Describe the environment. Answer the clarifying questions. Receive the plan.

## When to use this

- Cyber insurance renewal is asking hard questions about backup posture.
- You've had a close call (accidental deletion, near-ransomware) and want to fix the gaps now.
- You're migrating from on-prem to cloud and the backup model needs to follow.
- Your last restore test was >12 months ago (or never).
- A regulator (FCA op-resilience, ISO 27001, SOC 2) has flagged backup as a control.

## What you'll get

A single Markdown document containing:

- **Service inventory** with criticality classification (Tier 0/1/2/3)
- **RPO / RTO targets** per tier
- **Backup topology** aligned to 3-2-1-1-0 (3 copies, 2 media, 1 offsite, 1 immutable/offline, 0 errors)
- **Per-service backup plan** (frequency, retention, location, method)
- **Restore-test schedule** with measurable success criteria
- **Ransomware resilience** (immutable / air-gapped copies, credential isolation)
- **Retention schedule** aligned to legal and regulatory requirements
- **Cost estimate** (capex + opex)
- **Named owner** per service
- **90-day implementation roadmap** and ongoing hygiene

## Clarifying questions I will ask you

1. **Organisation size and sector?**
2. **Workloads in scope?** (M365, Google Workspace, file servers, databases, SaaS-hosted apps, endpoints)
3. **Current backup tools?** (Veeam, Synology, Backblaze, cloud-native, nothing, mixed)
4. **Primary cloud provider(s)?**
5. **Current RPO/RTO awareness?** (yes / informal / none)
6. **Any critical systems WITHOUT any backup today?** (common gaps: SaaS, and M365 with no third-party backup)
7. **Known compliance drivers?** (FCA, ISO, SOC 2, Cyber Essentials, client contract)
8. **Recent incident or near-miss?**
9. **Budget range?** (<£5k/yr, £5-25k, £25k+)
10. **Ransomware concerns?** (high — regulated / medium / low — small)
11. **Last successful full restore test?**
12. **Who owns backup today?**

## Output template

```markdown
# Backup Strategy — <organisation>

**Owner:** <role> · **Effective:** <date> · **Review:** annually
**Framework:** 3-2-1-1-0 (3 copies, 2 media, 1 offsite, 1 immutable/offline, 0 errors)

## 1. Service Inventory & Classification
| System | Criticality (Tier) | Data type | Size (GB) | Owner |
|---|---|---|---|---|
| M365 mailboxes | T1 | Business-critical comms | | |
| M365 SharePoint / OneDrive | T1 | Client files, matter files | | |
| Matter-management DB | T0 | Matter data | | |
| Finance / Accounting system | T1 | Ledger, billing | | |
| CRM | T2 | Contacts, pipeline | | |
| Endpoints (laptops) | T2 | Work-in-progress, user data | | |
| File servers | T1-T2 | Shared documents | | |
| Websites / web apps | T2 | Public content, SEO | | |
| DNS / identity config | T0 | Foundational | | |
| SaaS (varies) | T2-T3 | Depends on service | | |

**Tier definitions:**
- **T0:** Existential — loss means firm cannot operate (identity, matter data, key DB). **RPO ≤ 1h, RTO ≤ 4h.**
- **T1:** Critical — loss causes major disruption / regulatory risk (core email, client files). **RPO ≤ 4h, RTO ≤ 8h.**
- **T2:** Important — loss causes significant inconvenience (CRM, secondary systems). **RPO ≤ 24h, RTO ≤ 24h.**
- **T3:** Useful — loss causes minor inconvenience (non-core SaaS, historical archives). **RPO ≤ 7d, RTO ≤ 3d.**

## 2. Backup Topology (3-2-1-1-0)
For every T0 and T1 system:
- **3 copies:** production + primary backup + secondary backup
- **2 media types:** cloud object storage + offsite disk / tape / alt-region
- **1 offsite:** at least one copy in a different geographic location
- **1 immutable / offline:** one copy that cannot be altered or deleted by any operational credential for the retention period (object-lock, WORM, or air-gapped)
- **0 errors:** restore tests pass; backup jobs complete successfully

## 3. Per-Service Backup Plan

### M365 (mailboxes, SharePoint, OneDrive, Teams)
- **Tool:** <Veeam M365 / Spanning / Barracuda / Metallic / other third-party> (Microsoft's native retention is NOT a backup).
- **Frequency:** hourly incremental for mail; every 4h for SharePoint/OneDrive.
- **Retention:** 7 years (legal/matter), 6 years (HMRC-relevant), 30 days for general data not otherwise in scope.
- **Location:** UK / EU-region object storage.
- **Immutable copy:** 12 months rolling, object-locked.
- **RPO:** 1h · **RTO:** 4h.
- **Owner:** IT Manager.

### Matter-management database (T0)
- **Tool:** native DB backup + agent.
- **Frequency:** transaction-log every 15 min; full daily; differential every 6h.
- **Retention:** 7 years in backups; archive per matter-retention schedule.
- **Location:** two regions.
- **Immutable:** weekly full locked for 90 days minimum.
- **RPO:** 15 min · **RTO:** 2h.
- **Owner:** IT Manager + DB supplier.

### Finance / Accounting
- **Tool:** vendor-native + nightly export to backup tool.
- **Frequency:** daily + real-time for Xero/Sage via API export.
- **Retention:** 7 years (HMRC).
- **Location:** cloud object storage.
- **Immutable:** month-end export locked for 7 years.

### File servers / shared drives
- **Tool:** <Veeam / native>.
- **Frequency:** daily full, hourly incrementals.
- **Retention:** 90 days operational + annual archive for 7 years.
- **Immutable:** monthly locked.

### Endpoints (laptops)
- **Approach:** OneDrive / Google Drive sync for user data + endpoint image backup for laptops with irreplaceable local work.
- **Frequency:** continuous (sync) + weekly image.
- **Retention:** 30 days (sync) + rolling 4 weekly images.

### SaaS (generic)
- **Inventory each SaaS:** does it offer export / backup? Who's the owner? What's the exit plan?
- **For CRM / support / marketing SaaS:** monthly export job, stored in backup target.
- **For critical SaaS (payments, HR, payroll):** tool with SaaS backup support (Rewind / SpinBackup / native vendor export).

### DNS, identity, and foundational config
- **Tool:** export to config repo (Git) + backup of repo.
- **Frequency:** on change + weekly.
- **Retention:** 3 years.

## 4. Restore-Test Schedule
| Test | Cadence | Scope | Success criteria |
|---|---|---|---|
| Single-file restore (random) | Monthly | Any tier | File recovered in < 15 min |
| Full-mailbox restore | Quarterly | M365 mail | Mailbox restored to alternate location, mail readable |
| Database point-in-time restore | Quarterly | T0 DB | Restored to clean env, integrity check passes |
| File server volume restore | Semi-annual | File server | Volume restored, permissions intact |
| Full DR scenario (primary site loss) | Annual | T0 and T1 | All T0/T1 services recoverable within stated RTO |

Every test logged: date, scope, duration, success, issues found, remediation.

**Minimum: if you haven't tested a restore in the last 12 months, your backup is a hypothesis.**

## 5. Ransomware Resilience
- **Immutable storage** for at least one backup copy of T0/T1 data (AWS S3 Object Lock, Azure Immutable Blob, on-prem equivalents).
- **Air-gapped copy** for T0 data — weekly, offline, retained for at least 30 days.
- **Credential isolation:** backup-system credentials are NOT the same as production admin credentials; MFA required; breakglass only.
- **Network isolation:** backup infrastructure not reachable from general production network.
- **Delete-protection:** backup jobs cannot be silently deleted; alerts on deletion attempts.
- **Anomaly detection:** alerts on unusual backup file-change rates (indicator of encryption attack).
- **Test ransomware recovery annually** as part of the DR test.

## 6. Retention Schedule (summary)
| Data class | Minimum retention | Regulatory reference |
|---|---|---|
| Employment records | 6 years post-employment | LP&A + HMRC |
| Client matter files (legal) | 6-15 years, matter-dependent | Professional bodies |
| Financial records | 6 years | HMRC; longer for SRA/FCA |
| Personal data (operational) | Per DPIA + privacy notice | UK GDPR minimisation |
| System logs | 12 months | ICO, sector |

## 7. Cost Estimate
| Element | Est. annual cost |
|---|---|
| M365 third-party backup (<N> seats) | £<N> |
| Matter-management backup | £<N> |
| File server backup (<N> TB) | £<N> |
| Cloud object storage + immutable | £<N> |
| Restore-test effort (internal) | <N> days/year |
| Total estimated annual backup cost | £<N> |

## 8. Named Owners
| Domain | Owner | Backup owner |
|---|---|---|
| M365 backup | IT Manager | MSP |
| Matter DB | IT Manager + DB supplier | — |
| File server | IT Manager | MSP |
| Endpoint sync | IT Manager | — |
| SaaS exports | Each service owner | IT Manager |
| Restore tests | IT Manager | Nominated engineer |

## 9. 90-Day Implementation Roadmap
| Weeks | Activity |
|---|---|
| 1-2 | Inventory & classify every system; identify gaps (often: M365, SaaS, DNS) |
| 3-4 | Procure / configure third-party M365 backup (biggest typical gap) |
| 5-6 | Deploy immutable storage tier; migrate at least one T0 backup to it |
| 7-8 | First full restore-test cycle (single-file + mailbox); document findings |
| 9-10 | Database point-in-time restore test |
| 11 | Document retention schedule; align with DPO |
| 12 | Full-DR tabletop scenario test; produce exec summary |
| 13+ | Steady state: monthly restore tests, quarterly drill, annual full DR |

## 10. Ongoing Hygiene
- Weekly: backup job success dashboard reviewed; failures investigated within 24h.
- Monthly: random-file-restore test; immutable-copy integrity check.
- Quarterly: point-in-time DB restore; one T1-tier full restore.
- Annually: full DR scenario; retention review; cost / scope review.
- On material change: new system = new backup plan BEFORE go-live.
```
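
A check to run against the finished plan, added here as an example and not part of the original skill: it audits each inventory row against the template's tier RPO/RTO targets, the 3-2-1-1-0 counts for T0/T1, the 12-month restore-test rule and the named-owner requirement. The `Workload` fields, gap codes and sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# (RPO, RTO) in hours per tier, from the template's tier definitions (7d = 168h, 3d = 72h).
TIER_TARGETS_H = {"T0": (1, 4), "T1": (4, 8), "T2": (24, 24), "T3": (168, 72)}

@dataclass
class Workload:  # hypothetical record shape: one row of the service inventory
    name: str
    tier: str
    backup_interval_h: float                  # longest gap between recovery points
    restore_h: Optional[float] = None         # measured duration of the last restore test
    last_restore_test: Optional[date] = None  # None = never tested
    copies: int = 1                           # production counts as one copy
    media_types: int = 1
    offsite: bool = False
    immutable: bool = False
    owner: str = ""

def audit(w: Workload, today: date) -> list:
    """Return gap codes for one workload; an empty list means no gap was found."""
    rpo_h, rto_h = TIER_TARGETS_H[w.tier]
    gaps = []
    if w.backup_interval_h > rpo_h:           # the schedule cannot meet the tier RPO
        gaps.append("rpo-missed")
    if w.last_restore_test is None or (today - w.last_restore_test).days > 365:
        gaps.append("restore-untested-12m")   # 12 months approximated as 365 days
    elif w.restore_h is None or w.restore_h > rto_h:
        gaps.append("rto-missed")             # tested recently, but slower than the RTO
    if w.tier in ("T0", "T1"):                # the template applies 3-2-1-1-0 to T0 and T1
        checks = [(w.copies >= 3, "copies<3"), (w.media_types >= 2, "media<2"),
                  (w.offsite, "no-offsite"), (w.immutable, "no-immutable")]
        gaps += [code for ok, code in checks if not ok]
    if not w.owner:
        gaps.append("no-owner")
    return gaps

TODAY = date(2026, 4, 1)  # constructed audit date; the inventory below is constructed too
INVENTORY = [
    Workload("Matter-management DB", "T0", 0.25, 2, date(2026, 2, 10),
             copies=3, media_types=2, offsite=True, immutable=True, owner="IT Manager"),
    Workload("M365 mailboxes", "T1", 24),  # native retention only, never restored
    Workload("File server", "T1", 1, 11, date(2025, 11, 3),
             copies=3, media_types=2, offsite=True, owner="IT Manager"),
]

if __name__ == "__main__":
    for w in INVENTORY:
        print(f"{w.name}: {', '.join(audit(w, TODAY)) or 'ok'}")
```

Feeding it the real inventory after each restore-test cycle turns the "0 errors" line of the topology into a list of named gaps per workload.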

## Example invocation

**User:** "40-person London accountancy firm. M365 Business Premium. We think native M365 retention is our backup. Practice-management system is a hosted SaaS. File server on-prem for historical files. Xero for accounting. Budget up to £6k/yr for backup tools."

**What the skill will do:**
1. Ask 12 questions, pressing on: the practice-management SaaS's backup offering (most have export but not true point-in-time), whether the file server has ever been restored, Xero's native export posture, last ransomware risk-assessment.
2. Produce the plan, flagging the biggest gap: M365 native retention is NOT a backup; deleted SharePoint sites are gone after 93 days, and mailbox data is lost after retention periods. Recommend adding a third-party tool (~£2.5k/yr for the seats).
3. Classify: matter/accounting data = T0 or T1, file server = T1, Xero = T1, M365 = T1.
4. Recommend: AWS S3 + Object Lock for the immutable tier (~£400/yr for the data volumes), Veeam M365 Essentials or equivalent, and monthly restore tests as a baseline.
5. Flag that the £6k budget is realistic; the plan lands at ~£4-5k/yr total opex with existing tools reused.

## Notes for the requester

- **Microsoft's native retention is not a backup.** This is the single most common misconception. Native retention covers inadvertent deletion for a retention period; it doesn't recover from malicious deletion, corruption, or full-tenant compromise. Third-party backup is standard practice.
- **SaaS backup is the second most common gap.** "It's in the cloud" is not a backup. If the vendor has an incident or you lose access, your data goes with it.
- **Immutable copy is the single most important ransomware defence.** A copy that cannot be deleted by a compromised admin credential is what stops you paying ransom.
- **Test or it doesn't count.** An untested backup is a hypothesis. Monthly small tests catch degradation before it matters.
- **Don't conflate archive with backup.** Long-term matter archiving and operational backup have different tools, retentions, and recovery patterns. Handle separately.
- **Good looks like:** annual DR test passes within stated RTO, cyber insurer's backup questionnaire answers itself, and every T0/T1 service has a named owner who knows what to do when the alert fires.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
