Version date: 19 October 2020 - onwards

5. Restoration and recovery

Organisations restore systems or assets affected by a cyber incident to safely recover business-as-usual operations and delivery of impacted services.

28. Prioritisation. Organisations prioritise recovery activities based on the criticality of business operations, systems and supported services that drive security and restoration requirements. To classify the criticality of processes and systems, metrics like RTO and RPO or tiered criticality levels are used. All internal and external stakeholders are updated regularly and made aware of the conditions to be met, or restrictions, before critical operations are recovered.

29. Data restoration. Organisations restore data, including data maintained at third-party service providers, to meet business operations or service requirements. To provide assurance on data integrity (i.e. that the data has not been tampered with or corrupted before restoration), organisations perform checks such as validating checksums and reconciliation to ensure data is consistent between systems when recovering from a cyber incident. To ensure data integrity, accessibility and readability, organisations regularly perform data restoration tests in non-production environments.

30. "Golden source" data. Where appropriate, organisations restore backup data kept in another system, which is segregated (either physically or logically) from the main system, and ensure that the two systems are not directly connected. The "golden source" backup data are securely protected from unauthorised access or corruption.