# 6.1 Recovery Ownership, Priorities, and Readiness

# Goals

Recovery should not begin randomly.

Before systems are restored, accounts are re-enabled, or business processes return to normal, the company should know who leads recovery, what must be restored first, and whether the environment is safe enough to begin.

The goal is to restore operations in the right order without bringing the incident back.

# Step 1: Assign a Recovery Lead

Assign one person to coordinate recovery.

This may be the incident response lead, IT lead, MSP lead, operations manager, or another assigned owner.

The recovery lead is responsible for organizing restoration work, coordinating technical and business owners, tracking progress, confirming readiness, and reporting status to leadership.

Also assign a backup recovery lead.

# Step 2: Confirm Recovery Roles

Identify who needs to support recovery.

Include:

Recovery lead
Backup recovery lead
Executive decision-maker
IT or MSP contact
Backup owner
System owners
Business process owners
SaaS or cloud administrators
Vendor contacts
Legal, compliance, or insurance contacts where needed

Each person should know what they are responsible for restoring, validating, or approving.

# Step 3: Prioritize What Must Be Restored First

Recovery should follow business priority, not convenience.

Identify which systems, data, and processes are most important to restore first.

Common priorities include:

Identity and access systems
Email and communication tools
Finance and payment systems
Payroll and HR systems
Customer service systems
CRM and sales systems
File storage
Accounting systems
Order processing
Production or service delivery systems
Websites and customer portals
Backup and monitoring systems
Remote access tools

Each recovery priority should have a business owner and technical owner.

# Step 4: Confirm Readiness Before Recovery Begins

Do not begin full recovery until the response lead confirms that containment and stabilization are complete enough to proceed.

Before recovery begins, confirm:

Active attacker access has been interrupted.
Compromised accounts are secured.
Affected devices or systems are isolated, cleaned, rebuilt, or ready for restoration.
Known persistence has been removed or controlled.
Exploited weaknesses are patched or mitigated.
Backups are protected.
Restore points are reviewed for likely cleanliness.
Critical logs and alerts are working.
Admin access is restricted.
Business leadership understands remaining risks.

If these conditions are not met, recovery may restore the same problem.

# Step 5: Create a Recovery Priority List

Create a short recovery priority list before restoration begins.

Suggested fields:

System, data, or process
Business owner
Technical owner
Recovery priority
Dependency
Backup or rebuild source
Readiness status
Approval required
Expected recovery time
Validation owner
Notes

This list helps the company recover in a controlled order and avoid missing key dependencies.

# Step 6: Approve the Start of Recovery

Before recovery begins, record approval from the recovery lead and executive decision-maker where needed.

Record:

Date and time
Who approved recovery
What is approved for restoration
What is not yet approved
Known risks
Required monitoring
Next status update time

Recovery should start with a clear decision, not an assumption.

# Expected Outputs from This Section

At the end of this section, the company should have:

A named recovery lead.
A backup recovery lead.
Recovery roles assigned.
Recovery priorities defined.
Business and technical owners identified.
Readiness confirmed before restoration begins.
A recovery priority list.
Approval to begin recovery.
Known risks documented.

# Objective

Recovery should be led, prioritized, and approved.

A company should leave this section able to say:

“We know who leads recovery, what comes back first, who owns each system, and whether it is safe to begin.”

That is recovery ownership, priorities, and readiness.