RC.RP-1: Recovery Plan Execution
Recovery plan execution is your organization's ability to restore systems and data after a cybersecurity incident strikes. Under NIST CSF RC.RP-1, you must activate documented recovery procedures during or immediately after an incident to minimize downtime and data loss. This control separates organizations that survive breaches from those that collapse under them.
What this means
RC.RP-1 requires that your organization has pre-developed recovery plans and executes them promptly when a cybersecurity incident occurs. This means maintaining documented, tested procedures for restoring critical systems, applications, and data; activating these procedures the moment an incident is detected or suspected; and coordinating response teams to follow the plan systematically. The control emphasizes that recovery is not ad-hoc—it's a structured, pre-planned process validated through drills and real incidents.
How to comply
- 1.Document recovery procedures for all critical systems, applications, and data repositories
- 2.Define clear recovery time objectives (RTO) and recovery point objectives (RPO) for each asset
- 3.Designate recovery roles and responsibilities, including decision-makers and execution teams
- 4.Establish activation triggers and escalation procedures for initiating recovery plan execution
- 5.Test recovery plans quarterly through tabletop exercises and annual full-scale simulations
- 6.Maintain updated contact lists, access credentials, and recovery documentation off-site
- 7.Create automated alerts to notify recovery teams when incident severity thresholds are met
- 8.Document each recovery execution with timeline, actions taken, and post-incident learnings
- 9.Review and update plans annually or whenever critical infrastructure, personnel, or processes change
Evidence auditors look for
- Documented recovery plans with specific procedures for each critical system
- RTO/RPO matrices showing recovery targets by business function or asset
- Records of recovery plan testing, drills, and exercises with attendance and results
- Incident response logs showing plan activation during actual cybersecurity incidents
- Recovery team contact lists and role assignments with current owner information
- Off-site storage of recovery documentation, credentials, and backup media
- Change log showing plan updates tied to infrastructure or organizational changes
- Post-incident review reports documenting recovery execution effectiveness
- Automated alerting configuration triggering recovery team notifications
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates recovery plan tracking by monitoring test execution dates, maintaining version-controlled procedures, and alerting when plans exceed their review intervals—ensuring your recovery procedures stay current without manual calendar management.
See how GRCWatch handles this control automatically
Start free trial