Recovery it is important to point out that not every incident will result in an outage or require any sort of restoration, reconstitution of a system, or in any practical sense of the word. For example, you can have incidents that are violations of policies but have little to no negative impact on the organization. In situations like that, there is no applicable recovery step. This section serves to illustrate where in the cycle the recovery step would be performed, if applicable.
Just as in disaster recovery, an incident recover team with the appropriate skills and training must be identified prior to the incident. The members of the team may overlap with the IR team or may be an entirely separate team. They should follow a set of predefined recovery steps, which may already be covered within the IR plan and procedures, or they may be called out in a separate recover plan. The assembly of this team and the creation of the plan should be done with close consideration given to the criticality of the organization’s systems and their business impact analysis (BIA). The conditions under which these recover plans may be invoked, and the list of people authorized to do so, should also be defined in advance.
When the recovery team responds to an incident, the recover plan is invoked. They begin to restore services and capabilities incrementally, over time, according to their relative criticality. The recover may happen in stages, according to predefined intermediate recovery goals and milestones. During this time, some services might continue to operate in a diminished capacity.
