
Expert Advice Community

Documenting RTO and RPO

Guest user   Created: Dec 10, 2016   Last commented: Dec 10, 2016

When documenting RTO and RPO for mission-critical processes, should both be reported as a band, i.e. 0 - 4 hrs, or should they be reported as a single value, e.g. 4 hrs? What are the implications of both?
Expert: Rhand Leal, Dec 10, 2016

Answer: Considering ISO 22301:2012, the mandatory requirement is that there are defined recovery objectives. How they are defined is an organization's decision, so you can use a single value or a ranged one.

Using single values for RTO and RPO makes it easier to communicate the organization's general expected results to people. Using a range of values makes more sense when the organization wants to monitor specific situations during the recovery progress, so it can evaluate whether the general results can be achieved within the maximum value defined, and make proper adjustment decisions.

For example, you can adopt a single RTO of 8h, meaning your recovery objectives from "A to G" must be achieved in 8h, or you can adopt an RTO range from 4 to 8, considering that at 4h you should recover objectives A-B-C, at 6h you should recover objectives D-E-F, and at 8h you should recover objective G. In both cases you have to recover objectives A to G in 8 hours, but by using a ranged value you can have more control over the recovery process. Of course the trade-off is that your recovery plan will get more complex.

One thing you should also note is that only RTO is measured in time. The RPO is measured in terms of system state (e.g., the RPO will be the system's situation 4 hours before the incident, which does not imply the system will be recovered in 4 hours).

This article will provide you with further explanation about RTO and RPO:
- What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

These materials will also help you regarding RTO and RPO:
- Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/blog/2013/12/16/new-book-becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Free online webinar ISO 22301: An overview of the BCM implementation process https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/

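To illustrate the single-value versus banded RTO described in the answer, here is an added example (not from the original thread or from Advisera) that checks a constructed recovery timeline against a staged RTO band and derives the age of the restored data state to compare with the RPO; the plan, milestones and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample plan: a banded RTO of 4-8 h with staged objectives,
# as described in the answer, plus an RPO tolerating 4 h of data age.
INCIDENT = datetime(2016, 12, 10, 8, 0)
BANDED_PLAN = {
    "milestones": {4: ["A", "B", "C"], 6: ["D", "E", "F"], 8: ["G"]},
    "rpo_hours": 4,
}
# The single-value form is the same structure with one milestone at 8 h.
SINGLE_PLAN = {"milestones": {8: list("ABCDEFG")}, "rpo_hours": 4}

def evaluate(plan, incident, restored_at, recovery_point):
    """Compare an actual recovery against the plan.

    restored_at    : {objective: datetime when it was confirmed back}
    recovery_point : datetime of the data state that was restored (the RPO
                     is a state, not a duration; its age is derived here)
    Returns the objectives that missed their stage deadline, the age of the
    restored data in hours, and whether the RPO was met.
    """
    missed = []
    for hours, objectives in sorted(plan["milestones"].items()):
        deadline = incident + timedelta(hours=hours)
        for obj in objectives:
            done = restored_at.get(obj)
            if done is None or done > deadline:
                missed.append((obj, hours))
    data_age_hours = (incident - recovery_point).total_seconds() / 3600
    rpo_met = 0 <= data_age_hours <= plan["rpo_hours"]
    return {"missed": missed, "data_age_hours": data_age_hours, "rpo_met": rpo_met}

# Constructed exercise log: C came back 30 min late for the 4 h stage,
# everything else on time; last consistent backup was 3 h before the incident.
RESTORED_AT = {
    "A": INCIDENT + timedelta(hours=2), "B": INCIDENT + timedelta(hours=3, minutes=30),
    "C": INCIDENT + timedelta(hours=4, minutes=30), "D": INCIDENT + timedelta(hours=5),
    "E": INCIDENT + timedelta(hours=5, minutes=30), "F": INCIDENT + timedelta(hours=6),
    "G": INCIDENT + timedelta(hours=7),
}
RECOVERY_POINT = INCIDENT - timedelta(hours=3)

if __name__ == "__main__":
    print("banded:", evaluate(BANDED_PLAN, INCIDENT, RESTORED_AT, RECOVERY_POINT))
    print("single:", evaluate(SINGLE_PLAN, INCIDENT, RESTORED_AT, RECOVERY_POINT))
```

Run against the same timeline, the banded plan flags C as late at the 4 h stage while the single 8 h value reports nothing missed, which is the extra control (and extra complexity) the answer describes.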