ISMS Compliance
CyFun BasicRecover

RC.RP-1: Recovery plan execution

Recovery plan is executed during or after a cybersecurity incident

RECOVERRC.RP-1

Requirement

A recovery process for disasters and information/cybersecurity incidents shall be developed and executed as appropriate.

Guidance

A process should be developed to determine what immediate actions will be taken in the event of a fire, medical emergency, burglary, natural disaster, or an information/cybersecurity incident.

This process should consider:

  • Roles and Responsibilities, including who makes the decision to initiate recovery procedures and who will be the contact with appropriate external stakeholders
  • What to do with the company's information and information systems in case of an incident. This includes shutting down or locking computers, moving to a backup site, physically removing important documents, etc.
  • Who to call in the event of an incident

Our Implementation

We have documented a combined Disaster Recovery & Business Continuity Plan that defines recovery procedures for all critical systems.

Recovery objectives are defined for each system based on criticality:

  • Critical systems (Supabase, GitHub): RTO 1–4 hours, RPO 15 minutes or near-zero
  • High-criticality systems (Vercel, Azure OpenAI, Trigger.dev): RTO 1–4 hours
  • Medium-criticality systems (Modal, Turso, Qdrant, Upstash): RTO 2–8 hours

Cloud-native advantage: All infrastructure is cloud-hosted with no physical dependencies. Any team member can operate from any location, eliminating the need for physical disaster recovery procedures.

Recovery scenarios covered:

  1. Cloud provider outage — failover procedures and alternative hosting
  2. Data corruption/loss — restore from Supabase PITR and provider backups
  3. Account compromise — credential revocation, key rotation, audit review
  4. Physical disaster — no impact (cloud-native, remote team)
  5. Key person unavailability — all founders have admin access, shared password manager

Gaps

  • Database restoration validated on dev and production environments (Jan–Feb 2026). Full DR tabletop exercise planned (NEX-359)
  • No automated failover between providers — manual procedures only

Evidence

Partially ImplementedL2 — Repeatable

Cross-references

FrameworkControl
ISO 27001:2022A.5.29 — ICT readiness for business continuity, A.5.30 — ICT readiness
NIST CSFRC.RP-1
CIS Controls v8.117.4

Recover

Recovery planning and execution

On this page

RequirementGuidanceOur ImplementationGapsEvidenceCross-references