Incident Eradication, Recovery, and Review is the structured three-phase process that follows incident containment in the ISACA CISM Incident Management lifecycle. Eradication is the verified removal of all root causes, attacker footholds, malicious artifacts, and exploited vulnerabilities — not merely symptoms — from every affected system. Recovery restores affected systems and services to a validated, secure operational state using verified clean sources (integrity-confirmed backups, hardened images). Post-Incident Review is the structured organizational debrief that produces a formal record of timeline, root cause analysis, contributing factors, and accountable remediation actions to prevent recurrence. Together, the three phases close the incident lifecycle and drive continuous improvement of the security program.
Where it stops · what it isn't
- IS: Verified removal of root causes — exploited vulnerabilities, attacker-created accounts, backdoors, malware — with documented sign-off. Not simply stopping visible symptoms or isolating affected systems.
- IS: Restoring systems from verified clean backups or hardened images with functional validation before returning to production. Not merely rebooting or restarting compromised systems.
- IS: A formal structured review meeting with documented root cause analysis, contributing factors, recommendations, assigned owners, and deadlines. Not an informal debrief or verbal conversation.
- IS NOT: Containment — isolating systems to stop damage is the preceding phase (Incident Investigation, Evaluation, Containment, and Communication) and must be complete before eradication begins.
- IS NOT: Proactive threat hunting or vulnerability scanning unrelated to an active or recently closed incident. This competency is reactive and incident-triggered.
- IS NOT: Disaster Recovery (DR) planning or Business Continuity Planning (BCP). Those are separate disciplines; this cubelet addresses incident-specific recovery validation, not broad DR strategy.
- IS NOT: Deep forensic investigation methodology. Evidence preservation is required, but forensic analysis is a specialized discipline requiring legal counsel coordination.
- TERMINOLOGY NOTE: ISACA CISM distinguishes 'Eradication' and 'Recovery' as separate, sequential phases. Some frameworks (NIST SP 800-61, SANS) use 'Recovery' to encompass both. Use CISM terminology within this domain.
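The sequencing and verification requirements above (containment signed off before eradication, every root cause verified removed before recovery, restore only from an integrity-confirmed source with functional validation, and a review that carries a root cause plus owned and dated actions) can be enforced mechanically in an incident tracker. The following is an added example, not part of the cubelet or of any ISACA material; the class names, the constructed backup bytes, the sample root-cause labels and the incident identifier are all illustrative assumptions.

```python
# Added example (not from the cubelet or ISACA): a minimal tracker that
# enforces the CISM phase order and refuses to advance on unverified inputs.
# All names and sample values below are illustrative assumptions.
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass
class RemediationAction:
    """One accountable action from the post-incident review."""
    description: str
    owner: str          # a named person or role, never blank
    due: date           # a hard deadline


@dataclass
class Incident:
    ident: str
    completed: List[str] = field(default_factory=list)  # phases signed off, in order
    eradication_approver: Optional[str] = None
    actions: List[RemediationAction] = field(default_factory=list)

    def _require(self, phase: str) -> None:
        # Each phase depends on the documented sign-off of the one before it.
        if phase not in self.completed:
            raise RuntimeError(f"{self.ident}: '{phase}' must be signed off first")

    def close_containment(self) -> None:
        self.completed.append("containment")

    def sign_off_eradication(self, root_causes: Dict[str, bool], approver: str) -> None:
        """root_causes maps each identified cause (patched vulnerability, rogue
        account, backdoor) to whether its removal has been verified. Any False
        blocks the sign-off: symptoms gone is not root causes gone."""
        self._require("containment")
        unresolved = [cause for cause, removed in root_causes.items() if not removed]
        if unresolved:
            raise RuntimeError(f"{self.ident}: unresolved root causes {unresolved}")
        self.eradication_approver = approver
        self.completed.append("eradication")

    def recover(self, backup: bytes, manifest_sha256: str,
                functional_check: Callable[[bytes], bool]) -> None:
        """Restore only from a source whose hash matches the manifest recorded
        when the backup was taken, and only after functional validation."""
        self._require("eradication")
        if hashlib.sha256(backup).hexdigest() != manifest_sha256:
            raise RuntimeError(f"{self.ident}: backup integrity check failed")
        if not functional_check(backup):
            raise RuntimeError(f"{self.ident}: functional validation failed")
        self.completed.append("recovery")

    def record_review(self, root_cause: str, actions: List[RemediationAction]) -> None:
        """A review is only recorded with a root cause and owned, dated actions."""
        self._require("recovery")
        if not root_cause.strip():
            raise RuntimeError(f"{self.ident}: review needs a root cause statement")
        for action in actions:
            if not action.owner.strip() or action.due < date.today():
                raise RuntimeError(
                    f"{self.ident}: action '{action.description}' lacks a valid owner or deadline")
        self.actions = list(actions)
        self.completed.append("review")

    def is_closed(self) -> bool:
        return self.completed == ["containment", "eradication", "recovery", "review"]


def run_sample() -> Incident:
    """Walk a constructed incident through all four phases."""
    backup = b"constructed-clean-image-v1"            # stands in for a backup archive
    manifest = hashlib.sha256(backup).hexdigest()    # hash recorded at backup time
    inc = Incident("INC-EXAMPLE-001")                # constructed identifier
    inc.close_containment()
    inc.sign_off_eradication(
        {"exploited vulnerability patched": True,
         "attacker-created account removed": True,
         "web shell deleted": True},
        approver="incident-manager")
    inc.recover(backup, manifest,
                functional_check=lambda img: img.startswith(b"constructed"))
    inc.record_review(
        "Unpatched internet-facing service (constructed root cause)",
        [RemediationAction("Add service to monthly patch cycle",
                           "platform-lead", date(2099, 1, 31))])
    return inc
```

Calling `run_sample()` returns an incident whose `completed` list reads `["containment", "eradication", "recovery", "review"]`; any attempt to call `recover` before `sign_off_eradication`, or to sign off with an unresolved root cause, raises rather than silently advancing the phase.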
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
REQUIRES
- Incident Investigation, Evaluation, Containment, and Communication
- Evidence Preservation and Chain of Custody
PART OF
- CISM Domain 4: Incident Management
ENABLES
- Security Program Continuous Improvement
- Regulatory Compliance Demonstration (SOC 2, HIPAA, GDPR, PCI-DSS, SEC)
- Post-Incident Metrics Tracking (MTTR, Recurrence Rate, Recommendation Completion Rate)
RELATED TO
- Business Continuity and Disaster Recovery Planning
CONSTRAINS
- Return to Normal Operations