Expert Advice Community

Understanding the core concepts of RPO & RTO - ISO 22301

  Quote
Garry Created:   Dec 10, 2023 Last commented:   Dec 18, 2023

Understanding the core concepts of RPO & RTO - ISO 22301

Hi, I am new to the this community and a newbie in the field of information Security. ISO 22301 - BCMS has captured my focus as a starting point.
I've been reading about RTO and RPO and has quite an understading about these concepts now. At least enought to ask some stupid question. Please don't mind if my question does not make sense as I am still absorbing.

I have read an example about how Business Processes have their own set of  Business-RTO(BRTO) and Business-RPO(BRPO) based on their crticality, and these values are set by their respective Business Owners. Further, these processes are dependant on the supporting infrastucture, such as application assets, vendors, locations, and other resources.

Additionally, applications that supports processes have their own set of Application-RTO(ARTO) and Application-RPO(ARPO) set by their respective application owners. Also, there needs to be a roll-up RTO and RPO for applications as an application may tagged to multiple processes and it must be aligned with the minimum of all the tagged processes BRTO and BRPO values. Based on the comparison of the roll-up value and the owner assigned value, we can identify a gap for an application.

Now, my question is that a process can be directly depandant on the RTO of an application because to run that process, the application must be up and running. However, it's not the same for the application RPO. RPO depends on the backup rate of the database and if still an application is down but we have not lost any data or much data (under RPO values), we can still interact with that data through other means/alternatives, correct? I think my concept about RPO is not clear and how it is related to application. I need a more experinced view on this. 

Thanks in advance.

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 12, 2023

In case the use of these “other means/alternatives” to access the data does not represent a risk of corrupting the data, so it may become useless for use by the main application, this could be an alternative to have a recovery of the process. For example, if you have a database of requests available but not the application, and in case you can process these requests manually, then you can use a manual operation to resume the processes and later update the data when the application is resumed. 

Please note that such an alternative may not work on complex applications or applications that handle a large volume of data. In such cases, and if the time you can save is small, may be better to wait for the recovery of the main application.  

Quote
0 0
Guest
Guest user Dec 18, 2023

Thanks for replying!

I understand that Business RPO(BRPO) is the maximum amount of data loss in time a process can afford to lose in case of a disruption. However, can you help me understad the Application RPO(ARPO)? I think that's what I am not able to relate to.

Also, in my above query I talked about roll-up RTO and RPO values for applications, which are based on the minimum BRTO and BRPO values of the processes tagged to these applications as per best practises. It make sense to rollup RTO values to a minimum value in order for that application to support all the processes tagged to it. Also, RTO gap analysis make sense here.

Nevertheless, does it make sense to roll-up RPO values for application and identifying a gap based on that?"

Quote
0 0
Expert
Rhand Leal Dec 18, 2023

1. I understand that Business RPO(BRPO) is the maximum amount of data loss in time a process can afford to lose in case of a disruption. However, can you help me understad the Application RPO(ARPO)? I think that's what I am not able to relate to.

Please note that in business continuity according to ISO 22301, there are no such terms as BRPO and ARPO, only RPO, because the return objectives focus on the activities, not on the assets.

Considering that, once the RPO is defined for an activity, it should be considered for all assets related to that activity, so the Application RPO (i.e., the maximum data loss for that application) would be exactly the RPO defined for the activity.  

2. Also, in my above query I talked about roll-up RTO and RPO values for applications, which are based on the minimum BRTO and BRPO values of the processes tagged to these applications as per best practises. It make sense to rollup RTO values to a minimum value in order for that application to support all the processes tagged to it. Also, RTO gap analysis make sense here.

Nevertheless, does it make sense to roll-up RPO values for application and identifying a gap based on that?

It does not make sense to think of different RTO and RPO for assets different from those defined for the activity.

For example, if you define RTO and RPO for assets larger than those defined for the activity, you won’t be able to recover the activity on defined objectives.

On the other hand, if you define RTO and RPO for assets smaller than those defined for the activity, you will be allocating more resources than needed to achieve the activity-defined objectives, and this would be inefficient.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 10, 2023

Dec 18, 2023

Suggested Topics

Ash Created:   Jan 21, 2024 ISO 27001 & 22301
Replies: 1
0 0

ISO 27001 Internal Audits

Guest user Created:   Dec 14, 2023 ISO 27001 & 22301
Replies: 1
0 0

RTO in the BIA questionnaire