Backup and DR plans - outsourced services
We are having some trouble with the backup and disaster recovery rules for our outsourced services / applications.
We have around 200 different applications where the operations and backups are outsourced. We have divided our applications into 3 different criticality categories, where we have set requirements and collected answers for RPOs and RTOs for the applications with the highest criticality level.
All assets are still in scope (even if they are not business critical) and we have some controls for risks covered by, for example, backup procedures.
Does that mean we have to collect RTOs and RPOs for all our assets? Or do you have any suggestions on how we can adjust our policies to make it simpler for us?
Please note that RTOs are usually set at the department level, while RPOs are set at the application level.
Considering that, you do not need to define a specific RTO for each application. They will inherit the RTO from the business departments they are related to.
Regarding the RPO, you can group the applications according to their criticality or other predefined criteria (e.g., belonging to the same department or process, having a similar RPO) and define a single RPO for the whole group. Therefore, you will have a different RPO for each of your 3 categories of applications.
This would make your administration job easier. But you need to evaluate the impact of adopting general RTOs/RPOs considering the allocation of resources and fulfillment of legal requirements.
These articles will provide you with further explanation about RPO and RTO:
- What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
- Explanation of the most common business continuity terms https://advisera.com/27001academy/blog/2021/01/18/explanation-of-most-common-business-continuity-terms/
Sep 06, 2022