News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. Protect your organisation
  3. Data Recovery
Minimum Cyber Security Standards

Data Recovery

Data recovery capabilities are adopted by organisations to assist in protecting business-critical and externally facing systems from risks concerning data loss.

Roles & Audiences

IT Specialist Decision makers Government

PUBLISHED DATE: 30 October 2025

Intent of this Standard

Data recovery relates to the process of retrieving deleted, inaccessible, lost, corrupted, or damaged digital information.

In the context of data-loss implications, data recovery is an essential tool in risk mitigation and in maintaining business continuity. With more people working remotely, the risks increase as many employees use their own devices, or work on shared computers. Data recovery protects an organisation by maintaining uptime and minimising impacts on productivity.

Data recovery in the context of this Standard refers to:

  • Logical data recovery: addresses issues such as file corruption, formatting, and accidental deletion.
  • Physical data recovery: involves repairing hardware issues such as damaged drives or broken components.
  • Remote data recovery: the process of recovering data from a location and device remotely.

Minimum capability maturity level

We have established criteria within a maturity model to provide clarity, including the expected minimum implementation level, which is CS-CMM 2.

Cyber Security Capability Maturity Model

The requirements are intended to meet and comply with each respective level of maturity. The levels provide a pathway that can be used by agencies to assess themselves against, with a view to improving maturity over time.

Each maturity level builds on the requirement from the preceding level.

Below are the requirements for each capability maturity level for this Standard.

  • CMM 4 Quantitively Controlled
    • Organisations have identified, regularly review, and update their data recovery requirements.
    • Data recovery testing or auditing is undertaken on a regular basis, the results are communicated to management or applicable data owners, and any necessary remediations are undertaken accordingly.
    • Roles and responsibilities for carrying out recovery activities are mapped to individual roles and tested during disaster recovery plan/business continuity plan (DRP/BCP) testing.
    • Investment and/or funding to support data backup and recovery solutions is incorporated into business-as-usual.
  • CMM 3 Standardised
    • Organisations have identified their data recovery requirements.
    • Data recovery testing and auditing is undertaken routinely, and the results are communicated to management and applicable data owners.
    • Backups are taken of all systems, in line with data recovery requirements.
    • Roles and responsibilities for carrying out recovery activities are mapped to individual roles.
  • CMM 2 Planned and Tracked
    • Organisations have identified their data recovery requirements for critical systems.
    • Data recovery testing is undertaken at pre-defined levels.
    • Backups of critical systems are taken.
    • Organisations have in place relevant documentation to support data recovery.
    • Roles and responsibilities for carrying out recovery activities are defined but may be team-based.
  • CMM 1 Informal
    • No data recovery or backup requirements or procedures are in place.
    • Backups and data recovery testing is not generally undertaken.
    • Backups are taken based on individual discretion and on an ad-hoc basis.
    • Reliance is placed solely on high availability and does not include disaster recovery.

Focus areas

Focus areas are applicable to the Standard and are provided as a guide and not an exhaustive list. Each agency is best placed to identify areas of relevance.

The focus areas for this Standard are:

  • Cloud services
  • Remote access
  • Business continuity/disaster recovery
  • Third party/vendor systems (such as SaaS environments).

Suggested actions

The following list is not exhaustive. Organisations should identify which actions are appropriate to implement the Standard based on their current maturity level. However, the following actions follow good practice guidelines:

  • Organisations undertake an asset classification exercise to identify their business-critical and sensitive systems. This could be incorporated into a business impact analysis assessment.
  • Data retention requirements are identified and agreed on.
  • Recovery point and recovery time objectives are defined.
  • Organisations assess and choose data recovery methods appropriate for their situation.
  • A data recovery policy is developed.
  • Staff training is developed and delivered.
  • Data recovery procedures are tested based on likely scenarios including loss of location/sites.

Key dependencies

To implement this Standard, there are likely to be requisite measures or technologies in place.

A number of dependencies apply to multiple standards. In general, these dependencies are less technology-specific and relate to business processes.

Key dependencies for this Standard include:

  • An up-to-date understanding of critical business and public-facing systems and roles.
  • Executive management buy-in and commitment to business continuity and disaster recovery.
  • Data backup and recovery requirements based on a business continuity objective, including:
    • budget and cost
    • resourcing requirements
    • backup schedule
    • recovery time
    • security backup requirements and the resilience of the overall recovery solution are defined.
  • The procurement process provides appropriate assurance that vendors are aware of an organisation’s data recovery requirements and can meet them.

Measurable outcomes

To establish whether the Standard is being implemented, the outcomes are a tool an organisation may wish (or already have in place) to measure to help make this determination.

The outcomes have been designed to align with the requirements contained in the maturity level.

Outcomes for this Standard include:

  • A data recovery policy is in place, including the date of approval.
  • Defined recovery point and recovery time objectives (RPO/RTO).
  • Approved training plans.
  • Data recovery plan is in place.
  • Data recovery audits are regularly undertaken.
  • Periodic testing and auditing of recovery plans (incorporating both simulated and real-world recovery).
  • Roles and responsibilities for the different types of recovery have been defined.
  • Data recovery procedures are in place and regularly tested.
  • Evidence of investment to support organisational data recovery requirements.  
Applicable NZISM controls

The NZISM controls listed below provide additional detail to assist with the implementation of this Standard and meeting New Zealand Government compliance requirements.

  • Control reference - 3.4.10.C.01.

    Each system MUST have a system owner who is responsible for the operation and maintenance of the system.

    CID: 442

  • Control reference - 6.4.5.C.01.

    Agencies MUST determine availability and recovery requirements for their systems and implement measures consistent with the agency's SRMP to support them.

    CID: 1120

  • Control reference - 6.4.6.C.01.

    Agencies SHOULD:

    • identify vital records,
    • backup all vital records,
    • store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest classification of the information, and
    • test backup and restoration processes regularly to confirm their effectiveness.

    CID: 1123

  • Control reference - 6.4.7.C.01.

    Agencies SHOULD develop and document a business continuity plan.

    CID: 1126

  • Control reference - 6.4.8.C.01.

    Agencies SHOULD develop and document a disaster recovery plan.

    CID: 1129

Topics

Governance Cloud Data recovery
Top