Apply the criteria for initiating incident recovery
Moving to recovery too early can reintroduce threats before they are fully eradicated, while waiting too long prolongs downtime and business impact. Defined recovery criteria give the incident commander a clear checklist of conditions that must be satisfied before systems are restored. This control prevents the common mistake of declaring an incident over based on intuition rather than verified evidence of containment and remediation.
Implementation steps
1. Document recovery initiation criteria in the IR plan
Define the specific conditions that must be met before recovery begins. These typically include: the threat actor has been removed from the environment, all affected systems have been identified, the root cause has been determined, and the relevant stakeholders have approved the transition to recovery.
2. Conduct a pre-recovery checklist review
Before initiating recovery, the incident commander runs through the documented checklist with the response team. Each criterion is confirmed as met or acknowledged as an accepted exception with a documented rationale.
3. Record the recovery decision and transition the incident
Document the outcome of the pre-recovery review in the incident ticket, including who approved the transition and which checklist items were satisfied. Update the incident status to reflect the move from the response phase to the recovery phase.
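The three steps above amount to a gate: every documented criterion is either verified or carries an approved exception, the decision is recorded, and only then does the incident status change. The following script is an added example of enforcing that gate in code; it is not part of the control text or any particular ticketing product. The criterion names follow the control, while the status values ("met", "exception", "unmet"), the ticket dictionary layout, the reviewer names and the ticket id are assumptions constructed for the example.

```python
"""Machine-checkable gate for the 'initiate recovery' decision.

Added example, not part of the original control text. Criterion names follow
the control; status values, field names, reviewer names and the ticket layout
are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Sequence

# Criteria the control lists as typical preconditions for recovery.
DEFAULT_CRITERIA = (
    "threat actor removed from environment",
    "all affected systems identified",
    "root cause determined",
    "stakeholders approved transition to recovery",
)


@dataclass
class CriterionResult:
    name: str
    status: str            # assumed values: "met", "exception", "unmet"
    rationale: str = ""    # mandatory for an accepted exception
    approver: str = ""     # who accepted the exception


@dataclass
class RecoveryDecision:
    approved: bool
    satisfied: List[str]
    exceptions: List[str]
    blockers: List[str]
    decided_by: str
    decided_at: str


def evaluate_recovery_gate(results: Sequence[CriterionResult], incident_commander: str,
                           required: Sequence[str] = DEFAULT_CRITERIA) -> RecoveryDecision:
    """Every required criterion must be met or carry a documented, approved exception.

    Anything else (unmet, not reviewed at all, or an exception without a
    rationale and an approver) blocks the transition to recovery.
    """
    by_name = {r.name: r for r in results}
    satisfied, exceptions, blockers = [], [], []
    for name in required:
        r = by_name.get(name)
        if r is None:
            blockers.append(f"{name}: not reviewed")
        elif r.status == "met":
            satisfied.append(name)
        elif r.status == "exception":
            if r.rationale.strip() and r.approver.strip():
                exceptions.append(f"{name}: accepted by {r.approver} ({r.rationale})")
            else:
                blockers.append(f"{name}: exception lacks rationale or approver")
        else:
            blockers.append(f"{name}: {r.status}")
    return RecoveryDecision(
        approved=not blockers, satisfied=satisfied, exceptions=exceptions,
        blockers=blockers, decided_by=incident_commander,
        decided_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )


def transition_incident(ticket: Dict, decision: RecoveryDecision) -> Dict:
    """Record the review outcome on the ticket; change the phase only when approved."""
    ticket.setdefault("worklog", []).append({
        "event": "pre-recovery review",
        "approved": decision.approved,
        "decided_by": decision.decided_by,
        "decided_at": decision.decided_at,
        "satisfied": list(decision.satisfied),
        "exceptions": list(decision.exceptions),
        "blockers": list(decision.blockers),
    })
    if decision.approved:
        ticket["status"] = "recovery"
    return ticket


# Constructed sample review: one criterion is marked as an exception but has no rationale.
BLOCKED_REVIEW = [
    CriterionResult("threat actor removed from environment", "met"),
    CriterionResult("all affected systems identified", "met"),
    CriterionResult("root cause determined", "exception", rationale="", approver="ciso"),
    CriterionResult("stakeholders approved transition to recovery", "met"),
]

# The same review after the exception was documented and accepted (constructed).
APPROVED_REVIEW = [
    CriterionResult("threat actor removed from environment", "met"),
    CriterionResult("all affected systems identified", "met"),
    CriterionResult("root cause determined", "exception",
                    rationale="vendor forensics pending; affected host rebuilt from known-good image",
                    approver="ciso"),
    CriterionResult("stakeholders approved transition to recovery", "met"),
]

if __name__ == "__main__":
    ticket = {"id": "INC-EXAMPLE-1", "status": "response"}  # placeholder id
    for review in (BLOCKED_REVIEW, APPROVED_REVIEW):
        decision = evaluate_recovery_gate(review, "ic-on-call")
        transition_incident(ticket, decision)
        print(ticket["status"], decision.blockers or decision.exceptions)
```

The first pass leaves the ticket in the response phase and records why; the second pass, with the exception properly documented and approved, moves it to recovery. Because every evaluation appends a worklog entry whether or not it passes, the ticket itself becomes the evidence record the control asks for.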
Evidence required
Recovery initiation checklist records
Completed checklists or approval records showing that defined criteria were met before recovery was started.
- Jira or ServiceNow ticket with recovery approval sign-off
- Completed IR checklist attached to the incident record
- Meeting notes or chat log showing team confirmation of recovery criteria
Documented recovery criteria
A written definition of the conditions that must be satisfied before incident recovery may begin.
- IR plan or playbook section defining recovery entry criteria
- Confluence page listing required pre-recovery verification steps
- Incident closure policy with approval workflow
Related controls
- Execute the incident response plan in coordination with relevant third parties (Incident Management)
- Triage and validate incident reports (Incident Management)
- Categorize and prioritize incidents (Incident Management)
- Escalate or elevate incidents as needed (Incident Management)