CIS Control 11: Data Recovery
Deep Dive: Focuses on data backup and recovery processes, integrated with the main CIS Critical Security Controls v8 structure via direct links.
The core objective of CIS Control 11 is to establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. As a critical pillar within CIS Critical Security Controls Version 8, this control ensures that an organization can rapidly recover its essential data and systems following malicious attacks, hardware failures, or human error.
Why is Data Recovery Critical?
In the cybersecurity triad—Confidentiality, Integrity, and Availability—the availability of data is often the most pressing requirement for continuous business operations. Organizations rely heavily on diverse datasets to make business decisions; when this information is unavailable or untrusted, the impact on the enterprise can be catastrophic.
When threat actors compromise systems, they routinely alter configurations, elevate privileges, add malicious accounts, and deploy destructive scripts. These changes can be exceptionally difficult to untangle. Attackers may corrupt trusted applications with malicious variants or mask their activities behind standard-looking account names. Malicious actions—such as modifying registry entries, opening unauthorized ports, disabling security services, or deleting logs—render systems fundamentally insecure. Notably, these identical system impacts can also result from innocent human error. In either scenario, organizations must possess recent backups or mirrors to restore their infrastructure to a known trusted state.
The Rise of Ransomware and Extortion
There has been an exponential rise in ransomware over the last few years. While not a novel threat, it has become heavily commercialized and organized. Having a robust backup strategy allows an organization to reliably recover encrypted systems without paying a ransom.
However, modern ransomware frequently utilizes a double-extortion technique: data is exfiltrated before it is encrypted. The attacker demands payment not just to restore functionality, but to prevent the stolen data from being sold or published. In such cases, data recovery only resolves the operational disruption; it does not protect the confidentiality of the exfiltrated data. Consequently, data recovery must be paired with proactive measures such as CIS Control 10: Malware Defenses and CIS Control 17: Incident Response Management to mitigate the full spectrum of extortion risks.
Procedures and Implementation Strategy
Data recovery procedures must be tightly integrated with the broader data management frameworks outlined in CIS Control 3: Data Protection. Developing an effective data recovery strategy involves defining specific backup procedures based on data value, sensitivity, and regulatory retention requirements.
Organizations must map out their backup architecture by determining:
- Backup Scope: Which enterprise assets and data repositories are in-scope for automated backups.
- Frequency and Type: The optimal cadence for backups (e.g., daily, weekly) and the appropriate methodology (full, differential, or incremental backups) based on the organization's Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
- Prioritization: The sequence in which systems must be restored to maintain critical business operations.
Testing and Restoration Validation
A backup is only valuable if it can be successfully restored. Once per quarter—or whenever a new backup process or technology is introduced—a designated testing team must evaluate a random sampling of backups.
This evaluation requires attempting to restore the backups within a secure, isolated test bed environment. Teams must verify that the operating system, the installed applications, and the underlying data are all completely intact and functional.
Malware Infection Protocols: In the event of an active malware or ransomware infection, standard restoration procedures must be adjusted. Responders must identify the timeline of the initial compromise and utilize a backup version that strictly predates the original infection to avoid re-introducing the malicious payload into the restored environment.
Safeguards Overview
CIS Control 11 outlines three critical Safeguards that apply across all Implementation Groups (IG1, IG2, and IG3):
11.1 Establish and Maintain a Data Recovery Process
Organizations must formally establish and maintain a comprehensive data recovery process. This documentation must explicitly address the scope of recovery activities, system prioritization during an outage, and the security measures protecting the backup data itself. Documentation must be reviewed and updated annually, or whenever significant enterprise changes occur that could impact the recovery architecture.
11.2 Perform Automated Backups
Manual backups are prone to human error and inconsistency. Organizations must perform automated backups of all in-scope enterprise assets. At a minimum, these automated backups should run on a weekly basis, though they should occur much more frequently depending on the sensitivity and criticality of the data being protected.
11.3 Protect Recovery Data
Backup repositories are high-value targets for threat actors seeking to ensure their ransomware payload is effective. Recovery data must be fiercely protected against unauthorized modification, deletion, or encryption. This typically involves enforcing strict access controls, utilizing offline or immutable backup storage, and ensuring backups are logically separated from the primary production network.
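The checks described in the Testing and Restoration Validation section (random sampling for test restores, integrity verification, selecting a backup that strictly predates the initial compromise) and in Safeguards 11.2 and 11.3 (weekly freshness, immutable storage), as an added example written for this page rather than code from CIS or any backup vendor. The Backup record layout, the catalog contents and the field names are constructed assumptions.

```python
# Added example (not CIS or vendor code): a hypothetical backup-catalog helper
# for restore testing, pre-infection backup selection and freshness checks.
import hashlib
import random
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Backup:
    asset: str          # enterprise asset the backup belongs to
    taken_at: datetime  # UTC time the backup job completed
    sha256: str         # digest recorded by the backup job at creation
    immutable: bool     # stored on WORM/offline media (Safeguard 11.3)

def sample_for_restore_test(catalog, n, seed=None):
    """Quarterly check: pick n backups at random for a test restore."""
    return random.Random(seed).sample(catalog, min(n, len(catalog)))

def restored_data_is_intact(backup, restored_bytes):
    """Digest of the test-restored copy must match the one recorded at backup time."""
    return hashlib.sha256(restored_bytes).hexdigest() == backup.sha256

def clean_backup_for(asset, catalog, first_compromise):
    """Newest backup of `asset` taken strictly before the initial compromise, or None."""
    candidates = [b for b in catalog if b.asset == asset and b.taken_at < first_compromise]
    return max(candidates, key=lambda b: b.taken_at, default=None)

def stale_assets(catalog, now, max_age=timedelta(days=7)):
    """Assets whose newest backup is older than max_age (11.2: weekly minimum)."""
    newest = {}
    for b in catalog:
        if b.asset not in newest or b.taken_at > newest[b.asset]:
            newest[b.asset] = b.taken_at
    return sorted(a for a, t in newest.items() if now - t > max_age)

def unprotected_assets(catalog):
    """Assets with at least one backup that is not on immutable/offline storage."""
    return sorted({b.asset for b in catalog if not b.immutable})

UTC = timezone.utc
def _rec(asset, day, payload, immutable=True):  # builds one constructed record
    return Backup(asset, datetime(2024, 3, day, 2, 0, tzinfo=UTC),
                  hashlib.sha256(payload).hexdigest(), immutable)
CATALOG = [  # constructed sample catalog: March 2024 backups of three assets
    _rec("file-srv", 1, b"file-srv snapshot 1"),
    _rec("file-srv", 8, b"file-srv snapshot 2"),
    _rec("file-srv", 15, b"file-srv snapshot 3"),
    _rec("db-01", 3, b"db-01 dump 1"),
    _rec("db-01", 17, b"db-01 dump 2", immutable=False),
    _rec("web-01", 2, b"web-01 image 1"),
]
```

In a real deployment the `restored_bytes` would come from the isolated test-bed restore and the `first_compromise` timestamp from the incident timeline, not from values embedded in the script.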