GRCWatch
Sign inStart free trial

RC.IM-2: Recovery Strategy Updates

Recovery strategies must evolve as your organization's infrastructure, threats, and business priorities change. RC.IM-2 ensures your incident recovery plans remain effective and aligned with current operational realities. This control is foundational to maintaining resilience when incidents occur.

What this means

RC.IM-2 requires organizations to regularly review and update their recovery strategies to address changes in systems, processes, threat landscape, and business objectives. Recovery strategies encompass the methods, resources, and timelines needed to restore critical functions after a security incident. Updates should reflect lessons learned from past incidents, new vulnerabilities, evolved business dependencies, and changes to regulatory requirements.

How to comply

  1. 1.Establish a schedule for regular recovery strategy reviews (quarterly or annually minimum)
  2. 2.Document all changes to critical infrastructure, applications, and business processes that impact recovery needs
  3. 3.Incorporate findings from incident response debriefs and near-miss analyses into strategy updates
  4. 4.Review and test updated recovery objectives (RTO) and recovery point objectives (RPO) for all critical systems
  5. 5.Update recovery procedures, contact lists, and backup verification processes to reflect current architecture
  6. 6.Communicate updated strategies to all teams responsible for recovery execution
  7. 7.Validate that recovery procedures remain technically feasible with current infrastructure and staffing

Evidence auditors look for

  • Recovery strategy documentation with version history and documented review dates
  • Change logs showing updates tied to infrastructure modifications or threat assessments
  • Meeting minutes from cross-functional recovery strategy review sessions
  • Updated RTO/RPO definitions aligned with current business criticality assessments
  • Recovery procedure documentation reflecting current system configurations
  • Incident debrief reports that resulted in strategy revisions
  • Test results validating updated recovery procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates recovery strategy tracking and version control, alerting you when reviews are due and consolidating approval workflows—eliminating scattered spreadsheets and ensuring no update gets lost.

See how GRCWatch handles this control automatically

Start free trial

Related controls

RC.IM-1 — Recovery Plan and ProceduresRC.CO-1 — Incident Recovery OperationsRC.CO-2 — Incident Recovery CommunicationsID.RA-1 — Asset Vulnerability ManagementPR.IP-3 — Configuration Management