Activities, MAO and RTO

1/ How to includes all activities which support the provision of key products and services. 
2/ How to defines maximum tolerable periods of disruption (maximum acceptable outages) for each activity and sets recovery priorities accordingly. 
3/ How to defines the recovery time objective for each activity. 
 

Answers:

I suppose that you mean “how to define activities…”, if so, there are basically two options: a.- Determine your activities based on process, or b) Determine your activities based on organizational units. If you need more information, please read this article “How to define activities when implementing business continuity according to ISO 22301” : https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/
Regarding the Maximum Tolerable periods of disruption and the Recovery Time Objective, there are various ways to define them and set recovery priorities, but basically you need to analyze how the disruption of each activity affect to your busin ess, so you can make some questions like “How will your clients react to a disruption?”, “What will be the impact to other activities?”, etc. Here you can find more information “How to implement business impact analysis (BIA) according to ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/ And this article can be also interesting for you “Five tips for Successful Business Impact Analysis” : https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/