Tag: "ISO 22301" - Expert Advice Community

Home / ISO 22301

Discussions

Top Contributors

Expert

Rhand Leal

4148
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Certification ISO 14001
Category:
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Understanding the core concepts of RPO & RTO - ISO 22301

    Hi, I am new to the this community and a newbie in the field of information Security. ISO 22301 - BCMS has captured my focus as a starting point.
    I've been reading about RTO and RPO and has quite an understading about these concepts now. At least enought to ask some stupid question. Please don't mind if my question does not make sense as I am still absorbing.

    I have read an example about how Business Processes have their own set of  Business-RTO(BRTO) and Business-RPO(BRPO) based on their crticality, and these values are set by their respective Business Owners. Further, these processes are dependant on the supporting infrastucture, such as application assets, vendors, locations, and other resources.

    Additionally, applications that supports processes have their own set of Application-RTO(ARTO) and Application-RPO(ARPO) set by their respective application owners. Also, there needs to be a roll-up RTO and RPO for applications as an application may tagged to multiple processes and it must be aligned with the minimum of all the tagged processes BRTO and BRPO values. Based on the comparison of the roll-up value and the owner assigned value, we can identify a gap for an application.

    Now, my question is that a process can be directly depandant on the RTO of an application because to run that process, the application must be up and running. However, it's not the same for the application RPO. RPO depends on the backup rate of the database and if still an application is down but we have not lost any data or much data (under RPO values), we can still interact with that data through other means/alternatives, correct? I think my concept about RPO is not clear and how it is related to application. I need a more experinced view on this. 

    Thanks in advance.

  • BIA: longest disruption time in BIA questionnaire

    Greetings!

    The BIA questionnaire in 22301 Document Toolkit lists disruption periods of 2 hours, 4 hours, 24 hours, 48 hours and 1 week. There are some processes that are, although fundamental in company's operation, prone by their nature to prolonged periods of disruption. And although disruption of those for one week has been valued as 3 (high impact) by the top management, the impact still wouldn't be catastrophic.

    The question I have is: do I need to tweak the questionnaire to include longer periods of disruption, like 1 month, so that we actually define at what point the consequences are considered to become catastrophic for the company, of we can leave them be, because they are still valued as 3, so non-acceptable by nature, so it doesn't really matter whether it's 3 or 4, the Business Continuity Strategy wouldn't change from that?

  • Can ISO 27001 and ISO 22301 be used together in a document?

    In the document when we were reading through it, it said we can use it for either/or like either ISMS or BCMS. So my question is is it possible to use it for both and put the word AND between ISMS and business continuity management system?

  • Questions about documents

    First question: I was wondering if Privacy Policy document is included with the ISO 27001/22301….or if it is only included with the EU GDPR. If only included with GDPR, can I use that privacy policy for all our ISMS/BCMS needs as well?