BIA and RTO

1. How to determine RTO? It is clear for MTPD.

The RTO is defined after you cross-examine MTPD between different interdependent activities - in some cases, RTO will remain the same as MTDP, and in some cases (where the related activity requires a quicker recovery) it will be lower.

2. Who determines RTO? Department responsible for critical activities or Department responsible for resources supporting critical activities (IT, logistics, …)?

The RTO is related to business needs, so the responsible for the impacted activity must be the one to define the RTO, but is important that this person consults the responsible for supporting resources, to find the best balance between business needs and available resources (the smaller the ROT, the more resources you will need).

3. About your example during the webinar, if RTO of IT is 8 hours and RTO of one critical activity is 4 hours and this one depends on IT. So which RTO will be considered?

When considering the interdependency of activities, you always need to consider first the RTO related to the business activity. In the example, since the RTO of the critical activity is 4h, this one must be the RTO to be considered (in case you consider the RTO for IT, the critical activity will not be recovered in a proper time).

For more information, please read the following article:

• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/