This phase involves developing and implementing measures to restore systems, services, and data affected by cybersecurity incidents. This includes creating data backup and restoration processes, conducting post-incident reviews, and implementing improvements to prevent similar incidents in the future.

Recovery Planning (RC.RP):

Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.

  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Improvements (RC.IM):

Recovery planning and processes are improved by incorporating lessons learned into future activities.

  • RC.IM-1: Recovery plans incorporate lessons learned
  • RC.IM-2: Recovery strategies are updated

Communications (RC.CO):

Restoration activities are coordinated with internal and external parties (e.g. Internet Service Providers, owners of exploited systems, victims, and vendors).

  • RC.CO-1: Public relations are managed
  • RC.CO-2: Reputation is repaired after an incident
  • RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams