RC.RP-01 Recovery Plan Execution - NIST CSF 2.0 Checklist

RC.RP-01 requires organizations to the recovery portion of the incident response plan is executed once an incident is contained. This NIST CSF 2.0 control falls under the Recover (RC) function and the Incident Recovery Plan Execution category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: RC.RP-01
Title: Recovery Plan Execution
Function: Recover (RC)
Category: Incident Recovery Plan Execution
Framework: NIST CSF 2.0

The recovery portion of the incident response plan is executed once an incident is contained.

The recovery portion of the incident response plan is executed once an incident is contained. Recovery restores affected systems and services to normal operation while implementing controls to prevent recurrence.

Why This Matters

Poorly managed recovery extends downtime and can reintroduce the same vulnerability the attacker exploited. Structured recovery ensures services are restored securely and verified before returning to production.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of RC.RP-01.

Execute recovery procedures defined in the incident response plan
Restore systems from known-good backups after verifying backup integrity
Apply patches or configuration changes to address the exploited vulnerability
Verify system integrity before returning recovered systems to production
Monitor recovered systems with enhanced logging for a defined period
Communicate recovery status and timelines to affected stakeholders

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with RC.RP-01 during an audit.

Recovery procedure documentation within the incident response plan
Backup restoration logs with integrity verification records
Patch or configuration change records addressing root cause
System integrity verification reports before production return
Enhanced monitoring configuration for recovered systems

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with RC.RP-01.

Recovery procedures are not documented and recovery is improvised
Systems are restored without patching the vulnerability that was exploited
No enhanced monitoring is applied to recovered systems to detect re-compromise

FAQ

What does RC.RP-01 require?

RC.RP-01 (Recovery Plan Execution) requires that the recovery portion of the incident response plan is executed once an incident is contained. Recovery restores affected systems and services to normal operation while implementing controls to prevent recurrence. This control is part of the NIST CSF 2.0 Recover function under the Incident Recovery Plan Execution category.

How do I prove compliance with RC.RP-01?

To demonstrate compliance with RC.RP-01, prepare the following evidence: Recovery procedure documentation within the incident response plan; Backup restoration logs with integrity verification records; Patch or configuration change records addressing root cause. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment