NIST CSF Series #23: Recover – Improvements

NIST CSF Recover - Improvements Banner

Function:   Recover (RC)
Category:  Improvements (IM)

“Recovery planning and processes are improved by incorporating lessons learned into future activities.”

RC.IM-1:  Recover plans incorporate lessons learned

Recovery is executing information system contingency plans activates to restore organization mission/business functions.  It should reflect mission and business priorities and recovery point/time and reconstitution objectives.  The capabilities employed may include both automated mechanisms and manual procedures.

Audit Considerations

Auditors may examine the organization’s documentation of recent cybersecurity events or testing to evaluate if lessons learned are incorporated that identify failed or missing controls.  They may look to see that action items to improve the recovery plans are based on lessons learned and analysis.   These should be documented.


RC.IM-2:  Recovery strategies are updated.

Recovery plans need to be reviewed and updated on a regular basis to ensure they are up to date and relevant to the environment and business needs.

Audit Considerations

Auditors may examine copies of recovery plans and procedures (e.g. Business Continuity Plan, Disaster Recovery Plan, Incident Response Plan) to determine if the plans are reviewed and updated on a regular basis.

Applicable CIS Critical Controls

CIS Control 19 – Incident Response and Management

When an incident occurs, it is too late to develop the right procedures, reporting, data collection, communication, and recovery processes.  Having updated plans that are reviewed on a regular basis for accuracy is critical to have in place prior to an incident.