Has your organization established and documented criteria for determining when incident recovery processes should be initiated based on incident characteristics?
Explanation
This question assesses recovery activation criteria: whether you have defined and documented the thresholds that determine when incident recovery processes are initiated.
These criteria should consider factors like incident severity, systems affected, data compromise, operational impact, and recovery resource requirements. Having predefined recovery criteria ensures consistent decision-making during incidents and prevents delays in recovery actions when needed.
Evidence could include a documented incident response plan with a specific section on recovery criteria, decision matrices that map incident types/severity to recovery actions, or runbooks that outline the conditions triggering recovery processes.
Implementation Example
Apply incident recovery criteria to known and assumed characteristics of the incident to determine whether incident recovery processes should be initiated
ID: RS.MA-05.319
Context
- Function: RS: RESPOND
- Category: RS.MA: Incident Management
- Sub-Category: The criteria for initiating incident recovery are applied
Related questions
- Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have documented criteria for estimating the severity of security incidents?