Step 5: Recovery

The goal of recovery is to bring all systems back to full operation, after verifying they are clean and the threat is removed.

The SANS recovery procedure involves:

  • Defining the time and date to restore operations—system owners should make the final decision on when to restore services, based on information from the CSIRT.
  • Testing and verifying—ensuring systems are clean and fully functional as they go live.
  • Monitoring—ongoing monitoring for some time after the incident to observe operations and check for abnormal behaviors.
  • Do everything to prevent another incident—considering what can be done on the restored systems to protect them from recurrence of the same incident.