11.4
IG1 IG2 IG3

Establish and Maintain an Isolated Instance of Recovery Data 

Control Group: 11. Data Recovery
Asset Type: Data
Security Function: Recover

Description

Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.

Implementation Checklist

1. Define recovery objectives (RTO/RPO)
2. Implement recovery capabilities and procedures
3. Test recovery procedures on a regular schedule
4. Document recovery procedures and contact information
5. Identify critical data and systems requiring backup
6. Configure automated backup schedules
7. Verify backup integrity and test restoration
8. Store backups securely with offsite/air-gapped copies

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Site-Wide Disaster Destroying Local and Backup Data

Availability

A physical disaster (fire, flood, earthquake) or site-wide cyberattack destroys both production data and on-site backup repositories because no isolated or off-site copy of recovery data exists.

Ransomware Propagation to Network-Connected Backup Systems

Availability

Ransomware traverses the network to encrypt backup repositories that are not isolated from the production environment, destroying both primary data and backup copies in a single attack because backups are accessible via standard network paths.

Malicious Administrator Deleting All Data Copies

Availability

A compromised or malicious administrator with access to both production systems and backup infrastructure deletes all copies of critical data because no isolated instance exists outside their administrative reach.

Vulnerabilities (When Safeguard Absent)

No Isolated or Off-Site Backup Instance

All backup data resides on the same network or in the same physical location as production systems, meaning any event that compromises the primary environment also threatens the only recovery copies.

Backup Systems Accessible from Production Network

Backup repositories are mounted as network shares or accessible via standard network protocols from production systems, allowing ransomware, attackers, or compromised accounts to reach and destroy backup data.
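
A check for the vulnerability just described, added here as an example that is not part of the original page: it parses a `/proc/mounts`-style listing taken from a production host and flags network filesystem mounts that look like backup repositories, noting whether each is writable. The host names, paths, and the `BACKUP_HINTS` naming convention are constructed assumptions.

```python
"""Flag backup repositories that a production host reaches over a network mount."""

# Linux filesystem type names that indicate a network share.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "fuse.sshfs", "fuse.glusterfs", "ceph"}

# Assumption: backup locations can be recognised by these substrings.
BACKUP_HINTS = ("backup", "bkup", "bkp")

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
nas01.example.internal:/export/backups /mnt/backups nfs4 rw,relatime,vers=4.2 0 0
//fs01.example.internal/bkp-archive /srv/archive cifs ro,relatime,vers=3.1.1 0 0
//fs01.example.internal/projects /mnt/projects cifs rw,relatime 0 0
/dev/sdb1 /var/backup-staging xfs rw,relatime 0 0
"""

def parse_mounts(text):
    """Return one dict per mount entry; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        entries.append({
            # /proc/mounts encodes a space inside a path as the literal \040
            "device": device.replace("\\040", " "),
            "mountpoint": mountpoint.replace("\\040", " "),
            "fstype": fstype,
            "options": options.split(","),
        })
    return entries

def find_exposed_backups(entries):
    """Return (mountpoint, fstype, access) for network mounts that look like backups."""
    findings = []
    for e in entries:
        if e["fstype"] not in NETWORK_FS:
            continue  # local disks are out of scope for this network-exposure check
        name = (e["device"] + " " + e["mountpoint"]).lower()
        if any(hint in name for hint in BACKUP_HINTS):
            access = "writable" if "rw" in e["options"] else "read-only"
            findings.append((e["mountpoint"], e["fstype"], access))
    return findings

if __name__ == "__main__":
    for mountpoint, fstype, access in find_exposed_backups(parse_mounts(SAMPLE_MOUNTS)):
        print(f"{mountpoint}: {fstype} backup share reachable from this host ({access})")
```

A writable finding means any process on the host can alter or delete the backup data; a read-only finding still shows the repository is not isolated from the production network.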

Evidence Requirements

Type | Evidence Item | Collection Frequency
Document | Recovery plan documentation | Reviewed annually
Record | Recovery test results and lessons learned | Tested quarterly
Technical | Backup job status reports and success rates | Reviewed weekly
Record | Backup restoration test results | Tested quarterly
Document | Governing policy document (current, approved, communicated) | Reviewed annually