Has your organization established documented procedures to initiate recovery processes during or immediately following security incident response?
Explanation
The concern here is the link between response and recovery: specifically, whether you have documented procedures that start recovery during, or immediately after, incident response. Recovery procedures should be triggered at defined points during incident handling (for example, once affected systems have been contained and forensic evidence preserved) to minimize downtime and data loss, rather than waiting until all response activities are complete.
Evidence could include a documented incident response plan with clearly defined recovery trigger points, runbooks that show the handoff between incident response and recovery teams, or post-incident reports demonstrating how recovery procedures were initiated during recent security incidents.
Implementation Example
Begin recovery procedures during or after incident response processes
ID: RC.RP-01.346
Context
- Function
- RC: RECOVER
- Category
- RC.RP: Incident Recovery Plan Execution
- Sub-Category
- The recovery portion of the incident response plan is executed once initiated from the incident response process
Related questions
- Have all personnel with recovery responsibilities been formally trained on the recovery plans and their specific authorization levels?
- Has your organization defined criteria for selecting recovery actions during incident response, and are these criteria followed when responding to security incidents?
- Does your organization have a process to reassess and update recovery plans based on changes in organizational needs and available resources?
- Does your organization verify restoration assets for integrity issues and indicators of compromise before using them in recovery operations?
- Does your organization use business impact assessments and system categorization records to prioritize the restoration of essential services during recovery operations?
- Does your organization have a documented process for verifying successful system restoration and confirming the return to normal operations after an incident or outage?