Recover
Restore assets and operations affected by a cybersecurity incident. Get back to normal — and come back stronger than before.
Come Back Stronger
The incident is contained. The threat is neutralized. Now what? Recover is the function that brings operations back to normal and ensures the organization learns from what happened. Recovery that doesn’t include improvement is just resetting the clock until the next incident.
Categories
- RC.RP — Incident Recovery Plan Execution — Restoration activities are performed to ensure operational availability of affected systems and services
- RC.CO — Incident Recovery Communication — Restoration activities and progress are communicated to designated internal and external stakeholders
Key Concepts
Recovery plans exist before the incident. RC.RP doesn’t mean “figure out how to rebuild when the time comes.” It means tested, documented recovery procedures with defined RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives). How long can you be down? How much data can you lose?
Backup integrity is a recovery concern. If your backups are compromised, encrypted by ransomware, or untested, your recovery plan is fiction. Test restores regularly. Maintain offline or immutable backups. Verify integrity.
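The two points above, defined RPOs and verified backups, can be turned into a routine check. The following is an added example, not part of the original page or of NIST CSF: it records a digest manifest at backup time, then simulates a test restore that flags files whose digest no longer matches and a backup older than the plan's RPO. The 24-hour RPO, the file names and the backup contents are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)  # hypothetical RPO from the recovery plan: at most 24h of data loss

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_manifest(backups: dict[str, bytes], taken_at: datetime) -> dict:
    """Record file digests at backup time. Keep this manifest offline or immutable;
    otherwise whoever encrypts the backups can rewrite the manifest to match."""
    return {"taken_at": taken_at,
            "files": {name: sha256_hex(data) for name, data in backups.items()}}

def check_recovery_readiness(backups: dict[str, bytes], manifest: dict,
                             now: datetime, rpo: timedelta) -> dict:
    """Test-restore check: every manifest entry must be present with a matching
    digest, and the backup must be no older than the RPO."""
    corrupted = sorted(
        name for name, digest in manifest["files"].items()
        if name not in backups or sha256_hex(backups[name]) != digest
    )
    age = now - manifest["taken_at"]
    return {
        "corrupted": corrupted,                 # files that fail the integrity check
        "rpo_violated": age > rpo,              # backup is too old to meet the RPO
        "backup_age_hours": round(age.total_seconds() / 3600, 1),
        "ready": not corrupted and age <= rpo,  # safe to restore from this set?
    }

# Constructed sample backup set (byte strings stand in for backup archives)
TAKEN_AT = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
ORIGINAL = {"db.dump": b"CREATE TABLE users (...);", "config.tar": b"[app]\nmode=prod\n"}
MANIFEST = record_manifest(ORIGINAL, TAKEN_AT)

# Constructed failure case: the online backup share was later overwritten
TAMPERED = dict(ORIGINAL)
TAMPERED["db.dump"] = b"<contents replaced by ransomware>"

GOOD = check_recovery_readiness(ORIGINAL, MANIFEST, TAKEN_AT + timedelta(hours=6), RPO)
BAD = check_recovery_readiness(TAMPERED, MANIFEST, TAKEN_AT + timedelta(hours=30), RPO)

if __name__ == "__main__":
    print("intact backup, 6h old   :", GOOD)
    print("tampered backup, 30h old:", BAD)
```

Run against a real backup set, the same check would read the stored manifest from its offline copy rather than recomputing it, since a manifest kept beside the backups proves nothing.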
Communication during recovery is different from incident communication. RC.CO is about progress updates — stakeholders need to know when services will be restored, what’s been recovered, what’s still in progress. Uncertainty during recovery erodes trust faster than the incident itself.
Lessons learned feed back into Govern. Every recovery should produce a post-incident review that identifies what worked, what failed, and what changes are needed. Those changes flow back through Govern into updated policies, risk assessments, and control implementations. The wheel turns.