Recovery procedures are documented and tested

Implementation steps

1. 1

   Document step-by-step recovery procedures for critical systems

   For each critical system identified in your data inventory, write a detailed recovery runbook. Include: where backups are stored and how to access them, the exact steps to restore from backup, how to verify the restored system is intact and not still compromised, and who needs to be notified when recovery is complete. The runbook must be usable by someone who has never performed the recovery before.

   confluence notion github google-docs runbook-io
2. 2

   Define RTO and RPO targets for each critical system

   Recovery time objective (RTO) is how long you can afford to be down. Recovery point objective (RPO) is how much data you can afford to lose. Document these targets for each critical system, get business stakeholder sign-off on them, and verify that your backup frequency and restore speed actually meet the targets. A daily backup cannot meet a 2-hour RPO.

   confluence google-sheets notion drata vanta
3. 3

   Test full restoration at least annually and measure against RTO and RPO

   Perform a full restoration test for each critical system at least once a year. Time the restoration process end to end and compare it against your RTO target. Restore to an isolated environment, not to production, to avoid overwriting live data. Document any failures or gaps encountered during the test and fix them before the next test. Share test results with leadership.

   aws-backup veeam azure-backup confluence drata

Evidence required