Can the RTO be more than the MAO?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Considering ISO 22300 vocabulary (which can be found here: https://www.iso.org/obp/ui/#iso:std:iso:22300:ed-2:v1:en)
- MAO: maximum acceptable outage, the time it would take for adverse impact to become unacceptable
- RTO: recovery time objective, the period of time following a disruptive event within which operation is resumed, or resources are recovered.
Considering these definitions, the RTO value only makes sense if it is smaller than MAO, so RTO cannot be greater than MAO.
In fact, there is a note for RTO in the standard defining this relation: the recovery time objective is less than the time it would take for the adverse impacts to become unacceptable.
For further information about RTO, see:
- What is the difference between the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
Comment as guest or Sign in
Feb 13, 2020