
Expert Advice Community


RTO and RPO definition for critical systems

Guest
Guest user. Created: Mar 22, 2018. Last commented: Mar 22, 2018.


1 - Who sets the RTO and RPO for critical systems? It is confusing.

Expert
Rhand Leal Mar 22, 2018

Answer: The definition of RTO and RPO for critical systems is generally done by the person responsible for the application (e.g. by the HR Department Head for an HR system, by the Financial Department Head for an accounting system, etc.), considering the inputs of interested parties impacted by a disruption on application operation (e.g., IT staff, organization's users, customers, regulators, etc.), but these must be approved by top management.

2 - Can the RTO and RPO be the same for a system? Which does the business provide? RTO or RPO?

Answer: RTO and RPO are completely different concepts, so they can be the same for a system. The RTO refers to a recovery time to be achieved, while the RPO refers to a point in time on which the system must be recovered with stability (any information in the period shorter than that will be lost or not considered).

For example, if an application has an RTO of 1 day and an RPO of 4 hours, it means that this application can be recovered (resume normal operation) in one day, but the information from the last 4 hours before the interruption occurred will be lost.

As for which one is provided by the business, in fact both are provided by them. Most often business people think in terms of RTO (when the business must be resumed after a disruption), but from the general information they provide during a Business Impact Analysis (BIA) you can also identify the RPO.
These materials will provide you further explanation about RTO, RPO and BIA:
- What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/

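The answer above explains RTO as a time to resume operation and RPO as the age of the data the system is restored to, using an RTO of 1 day and an RPO of 4 hours. The following is an added example, not part of the answer or of any Advisera material, that turns those two objectives into checks a continuity or IT team can run: it measures what a recovery actually achieved against the agreed RTO/RPO, and it verifies whether a backup schedule can meet the RPO at all (worst-case loss is one backup interval, plus the backup's own duration if a backup that is still running cannot be restored from). All backup times, the incident time and the restore time are constructed sample values; the assumption that a backup reflects the data as of the moment it starts is stated in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class RecoveryObjectives:
    """Targets agreed with the business and approved by top management."""
    rto: timedelta  # how long the system may stay unavailable after a disruption
    rpo: timedelta  # how much data, measured as time, may be lost on restore


@dataclass(frozen=True)
class RecoveryOutcome:
    data_loss: timedelta  # incident time minus the last usable backup
    downtime: timedelta   # restore completion time minus incident time
    rpo_met: bool
    rto_met: bool


def assess_recovery(objectives: RecoveryObjectives, backups: Iterable[datetime],
                    incident: datetime, restored: datetime) -> RecoveryOutcome:
    """Compare what a recovery (real or exercised) achieved with the agreed RTO/RPO."""
    usable = [b for b in backups if b <= incident]
    if not usable:
        raise ValueError("no backup completed before the incident: data loss is unbounded")
    last_backup = max(usable)
    data_loss = incident - last_backup
    downtime = restored - incident
    return RecoveryOutcome(
        data_loss=data_loss,
        downtime=downtime,
        rpo_met=data_loss <= objectives.rpo,
        rto_met=downtime <= objectives.rto,
    )


def worst_case_data_loss(interval: timedelta,
                         backup_duration: timedelta = timedelta(0)) -> timedelta:
    """Worst case for a fixed schedule: the incident strikes just before the next
    backup becomes usable. Assumption: a backup reflects the data as of the moment
    it starts and can only be restored from once it has finished, so a backup
    that is still running adds its own duration to the loss window."""
    return interval + backup_duration


def schedule_meets_rpo(objectives: RecoveryObjectives, interval: timedelta,
                       backup_duration: timedelta = timedelta(0)) -> bool:
    """True if the schedule can never lose more data than the RPO allows."""
    return worst_case_data_loss(interval, backup_duration) <= objectives.rpo


# Constructed sample data (not from the original post): the answer's RTO/RPO values,
# two hypothetical backup schedules, and one hypothetical incident on the same day.
OBJECTIVES = RecoveryObjectives(rto=timedelta(days=1), rpo=timedelta(hours=4))
DAY = datetime(2018, 3, 22)
BACKUPS_EVERY_4H = [DAY + timedelta(hours=h) for h in range(0, 24, 4)]
BACKUPS_EVERY_6H = [DAY + timedelta(hours=h) for h in range(0, 24, 6)]
INCIDENT = DAY + timedelta(hours=10, minutes=30)   # 10:30, between two backups
RESTORED = DAY + timedelta(days=1, hours=6)        # service back next day at 06:00


if __name__ == "__main__":
    for label, backups in (("4h", BACKUPS_EVERY_4H), ("6h", BACKUPS_EVERY_6H)):
        outcome = assess_recovery(OBJECTIVES, backups, INCIDENT, RESTORED)
        print(f"backups every {label}: lost {outcome.data_loss}, down {outcome.downtime}, "
              f"RPO met={outcome.rpo_met}, RTO met={outcome.rto_met}")
    print("4h schedule with 30 min backup runtime meets RPO:",
          schedule_meets_rpo(OBJECTIVES, timedelta(hours=4), timedelta(minutes=30)))
```

With the 4-hour schedule the last usable backup is the 08:00 one, so 2.5 hours of data are lost and the RPO holds; with the 6-hour schedule the last backup is 06:00, the loss is 4.5 hours, and the RPO is missed even though the RTO is met in both cases. The schedule check shows the same thing from the planning side: a backup interval equal to the RPO only works if the backup itself takes no time, which is why the interval is normally chosen well below the RPO agreed in the BIA.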
