CIS Controls v8.1 Data Recovery Policy Template
Published on October 29, 2025
This Data Recovery Policy is meant as a foundational guide for enterprises that need help drafting their own enterprise data recovery policy. Enterprises are encouraged to use this policy template in whole or in part. That said, there are multiple decision points and areas that must be tailored to your enterprise. In CIS Controls v8.1, Control 11 states:
Control 11 – Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
To support this Safeguard, it is important for an enterprise to develop a Data Recovery Policy. This document may include detailed steps for planning, taking backups, testing them, and actually recovering from an incident. There should also be a portion of the policy that integrates with the incident response plan and other associated compliance and communication plans. This document supports the development of a process for managing and protecting recovery data in the enterprise and the implementation of Safeguards in this CIS Control.
This policy template is meant to supplement the CIS Controls v8.1. The policy statements included within this document can be used by all CIS Implementation Groups (IGs) but are specifically geared towards Safeguards in Implementation Group 1 (IG1). In Appendix E, Safeguards unique to IG1 are specifically highlighted for ease of use. For more information on the CIS Implementation Groups, see Appendix A. Additionally, a glossary in Appendix B is provided for guidance on terminology used throughout the document. Future versions of this template may expand the scope to Implementation Group 2 (IG2) Safeguards. IG2 and IG3 enterprises may feel the need to add sections that go beyond IG1 and are welcome to do so. Depending on the enterprise’s sector or mission, other policy statements may also need to be added or removed. This is encouraged, as this policy needs to be molded to fit the enterprise’s needs.
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.