1. Can I seek your advice on what the RTO is usually set to for a company offering SaaS-based solutions? Does the ISO 22301 define any times? I understand that it depends on various org-specific factors, but want to get an idea of industry best practices.
2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:
Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?
3. What are the minimum device management controls that the org should have control over?
I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advice on what controls are considered the bare minimum, as per industry best practices, to help us pass the certification.