Tag: "ISO 22301" - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Understanding the core concepts of RPO & RTO - ISO 22301

    Hi, I am new to the this community and a newbie in the field of information Security. ISO 22301 - BCMS has captured my focus as a starting point.
    I've been reading about RTO and RPO and has quite an understading about these concepts now. At least enought to ask some stupid question. Please don't mind if my question does not make sense as I am still absorbing.

    I have read an example about how Business Processes have their own set of  Business-RTO(BRTO) and Business-RPO(BRPO) based on their crticality, and these values are set by their respective Business Owners. Further, these processes are dependant on the supporting infrastucture, such as application assets, vendors, locations, and other resources.

    Additionally, applications that supports processes have their own set of Application-RTO(ARTO) and Application-RPO(ARPO) set by their respective application owners. Also, there needs to be a roll-up RTO and RPO for applications as an application may tagged to multiple processes and it must be aligned with the minimum of all the tagged processes BRTO and BRPO values. Based on the comparison of the roll-up value and the owner assigned value, we can identify a gap for an application.

    Now, my question is that a process can be directly depandant on the RTO of an application because to run that process, the application must be up and running. However, it's not the same for the application RPO. RPO depends on the backup rate of the database and if still an application is down but we have not lost any data or much data (under RPO values), we can still interact with that data through other means/alternatives, correct? I think my concept about RPO is not clear and how it is related to application. I need a more experinced view on this. 

    Thanks in advance.

  • BIA: longest disruption time in BIA questionnaire


    The BIA questionnaire in 22301 Document Toolkit lists disruption periods of 2 hours, 4 hours, 24 hours, 48 hours and 1 week. There are some processes that are, although fundamental in company's operation, prone by their nature to prolonged periods of disruption. And although disruption of those for one week has been valued as 3 (high impact) by the top management, the impact still wouldn't be catastrophic.

    The question I have is: do I need to tweak the questionnaire to include longer periods of disruption, like 1 month, so that we actually define at what point the consequences are considered to become catastrophic for the company, of we can leave them be, because they are still valued as 3, so non-acceptable by nature, so it doesn't really matter whether it's 3 or 4, the Business Continuity Strategy wouldn't change from that?

  • Can ISO 27001 and ISO 22301 be used together in a document?

    In the document when we were reading through it, it said we can use it for either/or like either ISMS or BCMS. So my question is is it possible to use it for both and put the word AND between ISMS and business continuity management system?

  • Questions about documents

    First question: I was wondering if Privacy Policy document is included with the ISO 27001/22301….or if it is only included with the EU GDPR. If only included with GDPR, can I use that privacy policy for all our ISMS/BCMS needs as well?