Declaring a Disaster

Guest post Created:   Jan 13, 2016 Last commented:   Jan 13, 2016


Currently we have a stated time to:
a) assess an incident and declare a disaster (12 hours)
b) activate Recovery Plans to re-instate customer systems (8 hours)

However, looking at this from a customer perspective, they could argue that this adds up to an RTO of 12+8 = 20 hours. Can anyone offer advice on how to document (contractually) and manage customer expectations? Of course, we are putting the microscope on how we can improve the time for a).
AntonioS Jan 13, 2016
From my point of view, the best place to establish these clauses is the Service Level Agreement, and I would specify clearly that the RTO is 20 hours (and I would also include the RPO).

You can also include in the Service Level Agreement the "Response Time", which is the time from when you receive an incident until you reply to it (it is related only to the response, not to the resolution of the incident).

And to set the customers' expectations, you have to perform the business impact analysis to calculate the RTO - based on that RTO, all the other response times need to be calculated.
Finally, this article about the business impact analysis may be of interest to you: "How to implement business impact analysis (BIA) according to ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/