We have some trouble regarding backup and disaster recovery rules for our outsourced services / applications.
We have around 200 different applications where the operations and backups are outsourced. We have divided our applications into 3 different criticality categories - where we have set requirements and collected answers for RPOs and RTOs for the applications with the highest criticality level.
All assets are still in scope (even if they are not business critical) and we have some controls for risks covered by, for example, backup procedures.
Does that mean we have to collect RTOs and RPOs for all our assets? Or do you have any suggestions on how we can adjust our policies to make it simpler for us?