Framework Category
Incident Recovery Plan Execution
Incident Recovery Plan Execution involves restoring systems and operations after an incident.
It includes verifying backup integrity, prioritizing recovery actions, ensuring restored assets are secure, and reestablishing normal operations.
Recovery concludes when predefined criteria are met and documentation is finalized.
Implementation Questions
RC.RP-01
The recovery portion of the incident response plan is executed once initiated from the incident response process
Has your organization established documented procedures to initiate recovery processes during or immediately following security incident response?
This question assesses whether your organization has formalized procedures that link incident response activities with recovery operations, ensuring business continuity. Recovery procedures should be triggered at appropriate points during incident handling to minimize downtime and data loss, rather than waiting until all response activities are complete.
Have all personnel with recovery responsibilities been formally trained on the recovery plans and their specific authorization levels?
This question assesses whether your organization has properly prepared the staff who will be involved in disaster recovery or business continuity operations. Proper training ensures that during a crisis, personnel understand their roles, know what actions they are authorized to take, and can execute recovery procedures without delays or confusion.
RC.RP-02
Recovery actions are selected, scoped, prioritized, and performed
Has your organization defined criteria for selecting recovery actions during incident response, and are these criteria followed when responding to security incidents?
This question assesses whether your organization has established clear guidelines for determining appropriate recovery actions during security incidents and consistently applies these guidelines when incidents occur. Having predefined criteria helps ensure that recovery efforts are systematic, prioritized correctly, and aligned with business needs rather than being ad hoc or inconsistent.
Does your organization have a process to reassess and update recovery plans based on changes in organizational needs and available resources?
This question evaluates whether your organization regularly reviews and adjusts its disaster recovery and business continuity plans to reflect current business priorities and resource availability. As organizations evolve, their recovery requirements and capabilities change, requiring updates to recovery time objectives, recovery point objectives, and recovery strategies.
RC.RP-03
The integrity of backups and other restoration assets is verified before using them for restoration
RC.RP-04
Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
Does your organization use business impact assessments and system categorization records to prioritize the restoration of essential services during recovery operations?
This question assesses whether your organization has a structured approach to service restoration based on business criticality during incidents or disasters. By using business impact assessments and system categorization records, organizations can ensure that the most critical services are restored first, minimizing business disruption and financial impact. This approach helps align IT recovery efforts with actual business priorities rather than technical considerations alone.
Does your organization have a documented process for verifying successful system restoration and confirming the return to normal operations after an incident or outage?
This question assesses whether your organization has formal procedures to validate that systems have been properly restored following incidents, maintenance, or outages. The process should include verification steps with system owners to confirm functionality, data integrity, and that business operations can resume normally.
Does your organization have a process to monitor and verify the performance of restored systems after recovery operations?
After system restoration following an incident or disaster, it's crucial to verify that systems are functioning properly and meeting performance expectations. This monitoring helps identify any lingering issues that might affect system functionality, security posture, or data integrity that weren't immediately apparent during the restoration process.
RC.RP-05
The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed
Does your organization scan restored assets for indicators of compromise and verify remediation of root causes before returning them to production use?
After a security incident, restored systems or data may still contain hidden malware, backdoors, or vulnerabilities that caused the original compromise. This question assesses whether your organization performs security validation before reintroducing recovered assets into the production environment, which helps prevent reinfection and recurrence of the same incident. For example, after restoring a server from backup following a ransomware attack, you should scan it for persistent malware and verify that the vulnerability that allowed initial access has been patched.
Does your organization validate the integrity and completeness of restored systems before returning them to production?
This question assesses whether your organization has a verification process to ensure restored systems are functioning correctly and securely before they're put back into production use. This includes checking that all critical components, data, configurations, and security controls have been properly restored and are operating as expected.
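The integrity checks that RC.RP-03 (before a backup is used) and RC.RP-05 (before a restored asset returns to production) call for can be made mechanical: record a cryptographic digest of every file in the backup, authenticate that listing, and compare the restored tree against it. The script below is an added example, not ResponseHub's code or part of any framework text. It assumes a SHA-256 manifest authenticated with an HMAC (the key, the directory layout and the file contents are all constructed for the demonstration), and reports three things a restoration runbook needs to see: files that are missing, files whose contents changed, and files that were not in the backup at all. It also covers the case where the manifest itself was altered alongside the backup, which must fail rather than pass on matching hashes.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Key that authenticates the manifest. Constructed for this example; in a real
# deployment it would live in a secrets store separate from the backup media, so
# that whoever can alter a backup cannot also re-sign its manifest.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup artifacts are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _relative_files(root: Path) -> dict:
    """Map each file under root to its path relative to root, with '/' separators."""
    return {
        p.relative_to(root).as_posix(): p
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root and sign the listing with an HMAC."""
    files = {rel: sha256_file(p) for rel, p in _relative_files(root).items()}
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_restore(root: Path, manifest: dict) -> dict:
    """Check a restored tree against its manifest and report what differs.

    The manifest's own HMAC is checked first: a backup whose manifest was altered
    alongside its contents must fail verification rather than pass on matching hashes.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    result = {"manifest_ok": False, "missing": [], "modified": [], "unexpected": [], "passed": False}
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        return result  # untrusted manifest: report nothing else and keep the asset out of service
    result["manifest_ok"] = True
    present = _relative_files(root)
    result["missing"] = sorted(set(manifest["files"]) - set(present))
    result["unexpected"] = sorted(set(present) - set(manifest["files"]))
    result["modified"] = sorted(
        rel for rel, digest in manifest["files"].items()
        if rel in present and sha256_file(present[rel]) != digest
    )
    result["passed"] = not (result["missing"] or result["unexpected"] or result["modified"])
    return result


def demo() -> dict:
    """Constructed scenario: a clean restore, a damaged restore, and a forged manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "etc").mkdir(parents=True)
        (source / "etc" / "app.conf").write_text("listen=443\n")
        (source / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (source / "app.bin").write_bytes(b"\x7fELF" + bytes(range(32)))
        manifest = build_manifest(source)

        # 1. A restore that matches the backup exactly.
        clean = verify_restore(source, manifest)

        # 2. A restore where one file was altered, one is absent, and one extra file appeared.
        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        (restored / "etc" / "hosts").write_text("127.0.0.1 localhost\n192.0.2.10 example-host\n")
        (restored / "app.bin").unlink()
        (restored / "etc" / "extra.sh").write_text("#!/bin/sh\n")
        damaged = verify_restore(restored, manifest)

        # 3. The manifest edited to bless the extra file, but without a fresh HMAC.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["etc/extra.sh"] = sha256_file(restored / "etc" / "extra.sh")
        forged_result = verify_restore(restored, forged)

    return {"clean": clean, "damaged": damaged, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three verdicts; only the first restore passes. The "unexpected" list matters as much as "modified" after a security incident, because a file that was never in the backup is exactly where a persistence mechanism would sit, and a plain hash-match loop over the manifest would never look at it.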
RC.RP-06
The end of incident recovery is declared based on criteria, and incident-related documentation is completed
Does your organization create after-action reports following security incidents that document the incident details, response actions taken, recovery procedures, and lessons learned?
After-action reports are critical documents that capture the complete lifecycle of a security incident, from detection through resolution, and identify opportunities for improvement. These reports help organizations learn from incidents, refine response procedures, and prevent similar incidents in the future by documenting what happened, how the team responded, what worked well, and what could be improved.
Has your organization established formal criteria for declaring the end of an incident recovery phase?
Defining clear criteria for when an incident is considered resolved helps ensure all necessary recovery steps are completed and normal operations can resume. These criteria might include system stability for a defined period, confirmation that vulnerabilities have been addressed, verification that no malicious activity remains, and completion of all required documentation.
ResponseHub is the product I wish I had when I was a CTO
Previously, I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.