CIS Control 11 Explained: Data Recovery
CIS Control 11 covers data recovery: establishing and maintaining data recovery plans and processes for enterprise assets so that, when incidents occur, those assets can be restored to a pre-incident trusted state.
The Importance of Control 11
Cybersecurity and Information Technology (IT) incidents are inevitable since no system is perfect and failures can occur due to accidents or human error. Having data recovery procedures in place enables organizations to quickly recover from cyberattacks that disrupt systems. Recent backups are vital for restoring business operations to a trusted state.
Ransomware attacks have surged recently, becoming more organized and profitable. While not new, their frequency has increased significantly. When attackers encrypt data and demand a ransom, a recent backup can help restore operations. However, ransomware has evolved into an extortion tactic, with attackers exfiltrating data before encryption and demanding payment to prevent its sale or public exposure. In these cases, restoring from a backup aids recovery but may not resolve the entire issue. It still remains a critical step in minimizing damage.
Implementation Groups (IGs)
To implement CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), which are self-assessed categories for organizations based on relevant cybersecurity attributes. You can think of them as levels of increasing security requirements, from IG1 (the most basic) to IG3 (the most advanced). Each higher group includes the safeguards of the groups below it.
For example, any IG1 safeguard must also be implemented at the IG2 and IG3 levels.
The Safeguards of Control 11
There are five safeguards in CIS Control 11. They are listed below, along with each safeguard's associated NIST CSF Function and the Implementation Group at which it begins.
Safeguard Number | Safeguard Title | NIST Security Function | Starting Implementation Group |
Safeguard 11.1 | Establish and Maintain a Data Recovery Process | Govern | IG1 |
Safeguard 11.2 | Perform Automated Backups | Recover | IG1 |
Safeguard 11.3 | Protect Recovery Data | Protect | IG1 |
Safeguard 11.4 | Establish and Maintain an Isolated Instance of Recovery Data | Recover | IG1 |
Safeguard 11.5 | Test Data Recovery | Recover | IG2 |