Working out the RTO and RPO
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Answer:
In your scenario, the RTO refers to the time required to resume an application operation, while the RPO refers to the acceptable data loss on a database.
Considering that, you can establish a single pair of RTO and RPO for the most critical applications and databases in your BIA, and from those you can derive other RTO's and RPO's for specific application and database when needed. For example you can set a RTO of 4h for an application and a RPO of 1 day for a database from your most critical activities, but you can identify that for other activities you can define a RTO of 1 day for applications and a RPO of 5 days for databases. This way you can optimize your resources, allocating them where they are more needed to recover from a disruptive event.
This article will provide you further explanation about RPO and RTO:
- What is the dif ference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
This material will also help you regarding RPO and RTO:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Comment as guest or Sign in
Feb 02, 2019