CP-10 Information System Recovery And Reconstitution

Contingency Planning

Low, Moderate, High

Description

The organization employs mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to a known secure state after a disruption or failure.

Supplemental Guidance

Information system recovery and reconstitution to a known secure state means that all system parameters (either default or organization-established) are set to secure values, security-critical patches are reinstalled, security-related configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled and configured with secure settings, information from the most recent, known secure backups is loaded, and the system is fully tested.

Changes from Rev 4

Title changed from 'Information System Recovery and Reconstitution'. Parameter adds specific recovery time and recovery point objectives.

Enhancements

(1) The organization includes a full recovery and reconstitution of the information system as part of contingency plan testing.

Compliance Mappings

ISO 27001:2022

A.5.29, A.5.30

ISO 27002:2022

5.29, 5.30

COBIT 2019

DSS04

CIS Controls v8

CIS 11

NIST CSF 2.0

PR.IR-03, RC.RP-01, RC.RP-02, RC.RP-04, RC.RP-05, RS.MA-05

SOC 2 TSC

A1.2, A1.2-POF1, A1.2-POF2, A1.2-POF3, CC7.4-POF5, CC7.5, CC9.1, CC9.1-POF1

CSA CCM v4

BCR-09, CCC-09

CSA AICM v1

BCR-09, CCC-09

FINOS CCC

CCC-C13

ISO 42001:2023

A.4.5

IEC 62443

3-3 SR 7.3, 3-3 SR 7.4

NIS2 Directive

Art. 21(2)(c)

MAS TRM

8

ASD Essential Eight

E8-8

BSI IT-Grundschutz

DER.4

ANSSI

Hygiene.30, Hygiene.35, SecNumCloud.18.3

FINMA Circular 2023/1

IV.C(70), IV.D(71), IV.D(72), IV.E(89), IV.E(90)

OSFI B-13

B-13.2.6, B-13.3.4

EU GDPR

Art.32(1)(c), Art.32(1)(d)

EU DORA

Art.11(1), Art.11(2), Art.11(4)

BIO2

5.29, 5.30

RBI CSF

Annex1.19, ITGRCA.29

FISC Security Guidelines

FISC.O5

LGPD + BCB 4893

BCB.Art.3

HKMA TM-E-1

TME1.6.2, TME1.6.5

MLPS 2.0

8.1.10.9, 8.1.4.9

DNB Good Practice

DNB.11.1, DNB.11.4

EU CRA

CRA.I.2h

NCA ECC

2-93-13-2

UAE IA

T12

CBB TM

TM-14

Qatar NIA

BCOS

CBUAE

CR-13

CBE CSF

OVM-2

SA JS2

JS2-7.5

CBN CSF

Part3.6, Part3.7

BoG CISD

CISD-BCM

POPIA

s19

BoM CTRM

5.2

IOSCO Cyber Resilience

PFMI-17, RR-2, RR-3

BCBS 239

Principle 5

CPMI-IOSCO PFMI

CG.RR, PFMI.P17

FFIEC IS

III.D

NYDFS 500

500.16

HIPAA Security Rule

§164.308(a)(7)(i), §164.308(a)(7)(ii)(B), §164.308(a)(7)(ii)(C), §164.312(a)(2)(ii)

ECB CROE

CROE.2.5.2

EBA ICT Guidelines

3.7.2, 3.7.3

SEBI CSCRF

BCP-DR, RC.RP

BOT Cyber Resilience

Ch4.2

NERC CIP

CIP-009-6

10 CFR 73.54

RG5.71-B-CP

DOE C2M2 v2.1

RESPONSE

API 1164

Sec 11

IAEA NSS 17-T

Sec 8

ISAE 3402

Clause 4

Solvency II

DR.266-BCP, EIOPA-ICT-4.10

Lloyd's Minimum Standards

CRM.3, MS8.6

NAIC Insurance Data Security

4F-b

PRA SS1/23

P-IT.3

FCA SYSC 13

SYSC 13.8.1, SYSC 13.8.2

HITRUST CSF v11

09.d, 12.b

FDA 21 CFR Part 11

§11.10(c)

FDA Cybersecurity Guidance

SA-6

ISO 27799

17.29.2

NHS DSPT

NDG-7.2

CCSS v9.0

1.03.2

MiCA

Art.68(5), Art.62(6)

Basel SCO60

SCO60.21, SCO60.23, SCO60.53, SCO60.63

BSSC Standards

NOS-07, KMS-10, GSP-06

SEC Custody (Digital Assets)

SEC-CD-12

ISO 17799 (legacy)

14.1.4

COBIT 4.1 (legacy)

DS4.8, DS11.5