IG1 IG2 IG3

Establish and Maintain an Isolated Instance of Recovery Data

Control Group: 11. Data Recovery

Asset Type: Data

Security Function: Recover

Description

Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services.

Implementation Checklist

1

Define recovery objectives (RTO/RPO)

2

Implement recovery capabilities and procedures

3

Test recovery procedures on a regular schedule

4

Document recovery procedures and contact information

5

Identify critical data and systems requiring backup

6

Configure automated backup schedules

7

Verify backup integrity and test restoration

8

Store backups securely with offsite/air-gapped copies

Tool Recommendations

Veeam Data Platform Gartner MQ Leader, Enterprise Backup & Recovery 2024

Enterprise backup, recovery, and data security platform for virtual, physical, cloud, and SaaS workloads

Veeam · Per-workload subscription

Commvault Cloud Gartner MQ Leader, Enterprise Backup & Recovery 2024

Enterprise data protection platform with backup, recovery, ransomware detection, and cyber deception

Commvault · Per-workload subscription

Rubrik Security Cloud Gartner MQ Leader, Enterprise Backup & Recovery 2024

Zero Trust data security platform with immutable backups, ransomware monitoring, and automated recovery

Rubrik · Per-workload subscription

Cohesity DataProtect Gartner MQ Leader, Enterprise Backup & Recovery 2024

Modern data management platform with backup, recovery, ransomware protection, and data governance capabilities

Cohesity · Per-workload subscription

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Site-Wide Disaster Destroying Local and Backup Data

Availability

A physical disaster (fire, flood, earthquake) or site-wide cyberattack destroys both production data and on-site backup repositories because no isolated or off-site copy of recovery data exists.

Ransomware Propagation to Network-Connected Backup Systems

Availability

Ransomware traverses the network to encrypt backup repositories that are not isolated from the production environment, destroying both primary data and backup copies in a single attack because backups are accessible via standard network paths.

Malicious Administrator Deleting All Data Copies

Availability

A compromised or malicious administrator with access to both production systems and backup infrastructure deletes all copies of critical data because no isolated instance exists outside their administrative reach.

Vulnerabilities (When Safeguard Absent)

No Isolated or Off-Site Backup Instance

All backup data resides on the same network or in the same physical location as production systems, meaning any event that compromises the primary environment also threatens the only recovery copies.

Backup Systems Accessible from Production Network

Backup repositories are mounted as network shares or accessible via standard network protocols from production systems, allowing ransomware, attackers, or compromised accounts to reach and destroy backup data.

Evidence Requirements

Type	Evidence Item	Collection Frequency
Document	Recovery plan documentation	Reviewed annually
Record	Recovery test results and lessons learned	Tested quarterly
Technical	Backup job status reports and success rates	Reviewed weekly
Record	Backup restoration test results	Tested quarterly
Document	Governing policy document (current, approved, communicated)	Reviewed annually

Related Policy Templates

Backup and Recovery Policy

Control 11

Related Safeguards in Control 11

11.1 Establish and Maintain a Data Recovery Process

11.2 Perform Automated Backups

11.3 Protect Recovery Data

11.5 Test Data Recovery