Documenting RTO and RPO
Assign topic to the user
Answer: Considering ISO 22301:2012, the mandatory requirement is that there are defined recovery objectives. How they are defined is an organization's decision, so you can use a single value or a ranged one.
Using single values to RTO and RPO makes easier to communicate to people the organization's general expected results. Using a range of values makes more sense when the organization wants to monitor specific situations in the recovering progress, so it can evaluate if the general results can be achieved until the maximum value defined, and make proper adjustment decisions.
For example, you can adopt a single RTO of 8h, meaning your recovery objectives from "A to G" must be achieved in 8h, or you can adopt a RTO range from 4 to 8, considering that at 4h you should recover objectives A-B-C, at 6h you should recover objectives D-E-F, and at 8h you should recove r objective G. In both cases you have to recover objectives A to G in 8 hours, but by using a ranged value you can have more control over the recovering process. Of course the trade off is that your recovering plan will get more complex.
One thing you also should note is that only RTO is measured in time. The RPO is measured in terms of system state (e.g., the RPO will be the system's situation 4 hours before the incident, which not implies the system will be recovered in 4 hours).
This article will provide you further explanation about RTO and RPO:
- What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
These materials will also help you regarding RTO and RPO:
- Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/blog/2013/12/16/new-book-becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Free online webinar ISO 22301: An overview of the BCM implementation process https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/
Comment as guest or Sign in
Dec 09, 2016