11.1 Establish and Maintain a Data Recovery Process

Implementation Groups: IG1, IG2, IG3

Control Group: 11. Data Recovery
Asset Type: Data
Security Function: Recover

Description

Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Define recovery objectives (RTO/RPO)
2. Implement recovery capabilities and procedures
3. Test recovery procedures on a regular schedule
4. Document recovery procedures and contact information
5. Identify critical data and systems requiring backup
6. Configure automated backup schedules
7. Verify backup integrity and test restoration
8. Store backups securely with offsite/air-gapped copies
9. Draft policy/procedure document
10. Obtain stakeholder review and approval
11. Communicate to affected personnel
12. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Ransomware Destroying Data with No Recovery Path

Availability

Ransomware encrypts critical business data and the organization has no documented recovery process, recovery priorities, or tested procedures, resulting in chaotic response, extended downtime, and potential permanent data loss.

Extended Outage from Undefined Recovery Priorities

Availability

A major incident destroys data across multiple systems, and without a documented recovery process defining which systems and data sets to restore first, teams waste time recovering low-priority systems while critical business operations remain offline.

Backup Data Compromise Due to Undefined Security Requirements

Confidentiality

Backup data is stored without encryption or access controls because the recovery process documentation does not address backup security requirements, allowing attackers to access sensitive backup data or encrypt backup repositories.

Vulnerabilities (When Safeguard Absent)

No Documented Data Recovery Process

The organization has no written data recovery process defining recovery scope, priorities, responsible parties, or procedures, leaving data recovery dependent on ad-hoc individual knowledge during crisis situations.

Undefined Recovery Prioritization and RTO/RPO Targets

Without a documented recovery process, the organization has no defined Recovery Time Objectives (RTO) or Recovery Point Objectives (RPO) for different data classifications, preventing informed decisions about backup frequency and recovery sequencing.

Evidence Requirements

Type | Evidence Item | Collection Frequency
Document | Recovery plan documentation | Reviewed annually
Record | Recovery test results and lessons learned | Tested quarterly
Technical | Backup job status reports and success rates | Reviewed weekly
Record | Backup restoration test results | Tested quarterly
Document | Governing policy document (current, approved, communicated) | Reviewed annually