Has your organization defined criteria for selecting recovery actions during incident response, and are these criteria followed when responding to security incidents?
Explanation
Recovery action selection is being evaluated here: whether you have defined criteria for choosing recovery actions during incident response and apply them consistently when incidents occur. Having predefined criteria helps ensure that recovery efforts are systematic, prioritized correctly, and aligned with business needs rather than being ad hoc or inconsistent.
Evidence could include a documented incident response plan with a section on recovery action selection criteria, decision matrices that map incident types to appropriate recovery actions, or post-incident reports showing how recovery decisions were made based on established criteria.
Implementation Example
Select recovery actions based on the criteria defined in the incident response plan and available resources
ID: RC.RP-02.348
Context
- Function
- RC: RECOVER
- Category
- RC.RP: Incident Recovery Plan Execution
- Sub-Category
- Recovery actions are selected, scoped, prioritized, and performed
Related questions
- Has your organization established documented procedures to initiate recovery processes during or immediately following security incident response?
- Have all personnel with recovery responsibilities been formally trained on the recovery plans and their specific authorization levels?
- Does your organization have a process to reassess and update recovery plans based on changes in organizational needs and available resources?
- Does your organization verify restoration assets for integrity issues and indicators of compromise before using them in recovery operations?
- Does your organization use business impact assessments and system categorization records to prioritize the restoration of essential services during recovery operations?
- Does your organization have a documented process for verifying successful system restoration and confirming the return to normal operations after an incident or outage?

