Recovery
The recovery phase focuses on restoring affected systems, data, and services in a secure, controlled way back to normal operation. It ensures systems are clean, properly configured, and monitored before returning to use.
Recovery also involves validating that vulnerabilities have been closed and confirming system integrity before resuming educational or administrative functions.
Do not rush system reintroduction. Instead, prioritise confidence in system integrity over speed. If your IT support is external, ask for written assurance that systems are safe to resume operation.
The SLT digital lead should review restoration priorities to match the school’s operations and learning continuity needs.
Objectives
Recovery aims to:
- restore systems from clean backups, or rebuild them securely
- confirm that systems are fully operational and uncompromised
- reintroduce services in a staged and controlled manner
- monitor for signs of re-infection or ongoing attack
- communicate service restoration to staff and stakeholders appropriately
Generic recovery actions
1. System restoration
- rebuild affected systems from known good images, or reinstall the operating system where feasible
- restore essential data from secure, validated backups
- ensure restored systems are fully patched and up to date, referring to the DfE Cyber Security Standards
2. Integrity verification
- conduct full system scans using AV/EDR tools post-restoration
- validate key files, configurations, and applications are untampered
- use checksums or file integrity monitoring where available
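The checksum approach in the last item, as an added example that is not part of this guidance: a baseline of SHA-256 digests is taken from the known-good image, and the same walk after restoration reports files that were modified, added or removed. The directory layout, file names and contents below are constructed for the demonstration; in practice the baseline file should be stored off the host (and ideally signed), so that whatever tampered with the system could not also rewrite the baseline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large files do not load into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    # JSON is easy to keep alongside the restoration record and to diff later
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the known-good baseline and the current state."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "image"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.cfg").write_text("mode=prod\n")
        (root / "readme.txt").write_text("ok\n")

        baseline_file = Path(d) / "baseline.json"  # off-host storage in real use
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: an extra hosts entry, a deleted file, a new script
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 updates.example\n")
        (root / "readme.txt").unlink()
        (root / "run.ps1").write_text("Write-Host hi\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any entry under "modified" or "added" on a freshly restored system is a reason to pause reintroduction until IT support has explained it; configuration files and startup locations deserve the closest look.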
3. Credential reset and access control review
- require password changes for affected users, if you haven’t already
- enforce MFA where supported, especially for admin or email accounts that have access to sensitive information such as financial or personal data
- review and adjust user permissions if accounts were escalated or misused
- refer to the DfE Cyber Security Standards guidance on controlling and securing user accounts and access privileges
4. Controlled reintroduction of services
- bring systems back online in phases, not all at once
- prioritise essential educational or administrative services
- continue containment restrictions during the phased return if needed, such as outbound web traffic blocking and firewall rules
5. Testing and user validation
- perform basic system functionality checks
- ask key users to verify data accuracy and operational stability
- if appropriate, run "smoke tests" on critical systems: preliminary checks of a system's core functions, carried out after a disaster or system failure, to confirm it can be brought back up and operate at a minimum acceptable level before it is returned to full use
6. Monitoring for reinfection or anomalies
Liaise with IT support to investigate the possibility of increasing monitoring, such as:
- increasing system and network monitoring during and after recovery
- tracking user activity logs, unusual access patterns, and performance anomalies
- maintaining heightened alerting for a defined post-recovery period, for example 7 to 14 days
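The kind of check the monitoring items above describe, as an added example that is not part of this guidance: a small script that reads authentication log lines and raises findings for a burst of failed logins, a successful login from a source address not seen before the incident, and a login outside school hours. The log format, the account names, the addresses and the thresholds (5 failures in 5 minutes, 07:00 to 18:59 as working hours) are all constructed assumptions; a real deployment would read the school's own authentication logs and tune the thresholds with IT support.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed syslog-like key=value format.
LOG_LINES = """\
2024-03-11T08:02:10 auth user=jsmith src=10.20.1.15 result=success
2024-03-11T08:05:42 auth user=jsmith src=10.20.1.15 result=success
2024-03-11T08:10:03 auth user=admin-it src=10.20.1.200 result=success
2024-03-11T23:14:09 auth user=admin-it src=203.0.113.77 result=failure
2024-03-11T23:14:12 auth user=admin-it src=203.0.113.77 result=failure
2024-03-11T23:14:15 auth user=admin-it src=203.0.113.77 result=failure
2024-03-11T23:14:18 auth user=admin-it src=203.0.113.77 result=failure
2024-03-11T23:14:21 auth user=admin-it src=203.0.113.77 result=failure
2024-03-11T23:14:40 auth user=admin-it src=203.0.113.77 result=success
2024-03-11T09:30:00 auth user=finance1 src=10.20.1.31 result=success
"""

# Constructed baseline: source addresses seen in normal operation before the incident.
KNOWN_SOURCES = {"10.20.1.15", "10.20.1.200", "10.20.1.31"}
WORK_HOURS = range(7, 19)   # assumed 07:00-18:59
FAIL_THRESHOLD = 5          # assumed: this many failures ...
FAIL_WINDOW_S = 300         # ... within this many seconds is a burst

PATTERN = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\w+)$")


def parse(lines: str) -> list:
    """Turn raw lines into event dicts, oldest first; unparseable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = PATTERN.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "ok": result == "success",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, known_sources=KNOWN_SOURCES) -> list:
    """Return (finding, user, src) tuples for the three patterns described above."""
    findings = []
    failures = defaultdict(list)  # per-user timestamps of recent failures
    for e in events:
        if not e["ok"]:
            window = failures[e["user"]]
            window.append(e["ts"])
            # drop failures that have fallen out of the sliding window
            while (window[-1] - window[0]).total_seconds() > FAIL_WINDOW_S:
                window.pop(0)
            if len(window) == FAIL_THRESHOLD:  # fire once when the threshold is reached
                findings.append(("failed_login_burst", e["user"], e["src"]))
        else:
            if e["src"] not in known_sources:
                findings.append(("new_source", e["user"], e["src"]))
            if e["ts"].hour not in WORK_HOURS:
                findings.append(("out_of_hours", e["user"], e["src"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(LOG_LINES)):
        print(*finding)
```

During the heightened-alerting period each finding should be followed up the same day; the example is deliberately noisy in favour of catching a returning attacker, and the thresholds can be relaxed once the period ends.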
7. Communicate service status
- inform staff and stakeholders which systems have been restored
- provide guidance on safe system use and any new procedures
- flag systems still under restoration or additional steps being taken
Record keeping
- record all recovery activities with timestamps and responsible individuals
- include notes on which systems were rebuilt, restored, or retained
- log any user or stakeholder communications
- file this documentation for future audit or lessons learned review