CP-2 / CP-8 / A.17.1.2 / A.17.2.1 NIST SP 800-34 Rev 1

Have you identified the top 5 systems that must come back first (and the dependencies between them)?

Demonstrate that the organization has documented, validated, and maintains an accurate prioritized recovery sequence for its five most critical systems including all interdependencies required for successful restoration.

Description

What this control does

This control requires the organization to formally identify and document the top five critical systems that must be restored first following a disaster or major outage, along with their technical and operational dependencies. The prioritization is based on business impact analysis, regulatory requirements, and operational criticality. Dependencies include upstream systems (authentication, network services, databases) and downstream consumers that rely on each priority system, ensuring recovery occurs in the correct sequence to avoid cascading failures.

Control objective

What auditing this proves

Associated risks

Risks this control addresses

Recovery efforts focus on non-critical systems first, extending downtime for business-critical operations and increasing revenue loss
Attempts to restore priority systems fail because prerequisite dependencies (DNS, Active Directory, network infrastructure) are not recovered first
Recovery teams restore systems in incorrect order causing cascading failures when dependent systems cannot communicate or authenticate
Lack of documented dependencies leads to prolonged troubleshooting during actual disaster events when time-to-recovery is critical
Business continuity plans fail during execution because recovery time objectives (RTOs) for critical systems become unachievable
Regulatory penalties accrue when mandated critical services remain unavailable beyond compliance-required recovery timeframes
Resource allocation during recovery is inefficient as teams work on lower-priority systems while critical systems remain offline

Testing procedure

How an auditor verifies this control

Request and review the current Business Impact Analysis (BIA) and disaster recovery plan documentation that identifies critical systems
Verify the documented list explicitly identifies the top five systems prioritized for recovery with assigned priority rankings
Obtain the dependency mapping documentation showing technical dependencies (network, authentication, data sources) for each of the five priority systems
Interview IT recovery team leads and application owners to validate their awareness of the priority sequence and dependencies
Review evidence that the prioritization methodology incorporated RTO/RPO requirements, business impact analysis, and regulatory obligations
Examine records of the most recent disaster recovery exercise or tabletop to verify the priority sequence and dependencies were tested
Cross-reference the identified dependencies against network diagrams, application architecture documents, and configuration management databases
Verify the priority list and dependency map have been reviewed and updated within the past 12 months or after significant infrastructure changes

Evidence required Auditors collect the formal Business Impact Analysis report with system criticality rankings, the disaster recovery plan with documented top-five priority systems and recovery sequence, dependency mapping diagrams showing technical and operational relationships between systems, minutes or reports from disaster recovery exercises demonstrating the priority sequence was tested, and change management records showing the documentation was reviewed and approved within the audit period.

Pass criteria The control passes if the organization has documented the top five priority systems for recovery with complete dependency mapping, the prioritization is based on formal BIA methodology, recovery teams demonstrate awareness of the sequence, and the documentation has been tested and updated within the past 12 months.