When we determine the RTO for a business process, should we do it with the assumption of the critical periods or not? For example, payroll processing is not critical during the month, but only on the first day of the month. When we do the impact assessment, should we suppose the disaster will happen on the 1st of the month?
When customizing the BIA questionnaire for a bank, what time frames (I mean 0-4 hrs / 8-12, etc.) should I use?
Answer:
From my point of view, the best is to establish the RTO according to the critical day (1st of the month). This way you will have a demanding RTO the rest of the month, but it should not be a problem for the organization. Another option, from my point of view, is to have 2 RTOs, one for the 1st and another for the rest of the month.
Regarding the customization of the BIA questionnaire, the time frames depend on each business, so in some cases they can also be in minutes: 1-15m, 15-30m, etc.
This article about the BIA may be interesting for you: How to implement business impact analysis (BIA) according to ISO 22301: http://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
Jan 13, 2016