
Understanding the core concepts of RPO & RTO - ISO 22301

Garry Created:   Dec 10, 2023 Last commented:   Dec 18, 2023

Hi, I am new to this community and a newbie in the field of information security. ISO 22301 - BCMS has captured my focus as a starting point.
I've been reading about RTO and RPO and have quite an understanding of these concepts now. At least enough to ask some stupid questions. Please don't mind if my question does not make sense, as I am still absorbing.

I have read an example of how business processes have their own set of Business-RTO (BRTO) and Business-RPO (BRPO) based on their criticality, and these values are set by their respective business owners. Further, these processes are dependent on the supporting infrastructure, such as application assets, vendors, locations, and other resources.

Additionally, applications that support processes have their own set of Application-RTO (ARTO) and Application-RPO (ARPO) set by their respective application owners. Also, there needs to be a roll-up RTO and RPO for applications, as an application may be tagged to multiple processes, and it must be aligned with the minimum of all the tagged processes' BRTO and BRPO values. Based on the comparison of the roll-up value and the owner-assigned value, we can identify a gap for an application.

Now, my question is that a process can be directly dependent on the RTO of an application, because to run that process the application must be up and running. However, it's not the same for the application RPO. RPO depends on the backup rate of the database, and if an application is still down but we have not lost any data, or not much data (under the RPO value), we can still interact with that data through other means/alternatives, correct? I think my concept of RPO is not clear, nor how it is related to an application. I need a more experienced view on this.

Thanks in advance.


Expert
Rhand Leal Dec 12, 2023

In case the use of these “other means/alternatives” to access the data does not represent a risk of corrupting the data, so that it may become useless for use by the main application, this could be an alternative to achieve recovery of the process. For example, if you have a database of requests available but not the application, and if you can process these requests manually, then you can use a manual operation to resume the process and later update the data when the application is restored.

Please note that such an alternative may not work for complex applications or applications that handle a large volume of data. In such cases, and if the time you can save is small, it may be better to wait for the recovery of the main application.

Guest
Guest user Dec 18, 2023

Thanks for replying!

I understand that Business RPO (BRPO) is the maximum amount of data loss, measured in time, that a process can afford to lose in case of a disruption. However, can you help me understand the Application RPO (ARPO)? I think that's what I am not able to relate to.

Also, in my above query I talked about roll-up RTO and RPO values for applications, which are based on the minimum BRTO and BRPO values of the processes tagged to these applications, as per best practices. It makes sense to roll up RTO values to a minimum value in order for that application to support all the processes tagged to it. Also, RTO gap analysis makes sense here.

Nevertheless, does it make sense to roll up RPO values for an application and identify a gap based on that?

Expert
Rhand Leal Dec 18, 2023

1. I understand that Business RPO (BRPO) is the maximum amount of data loss, measured in time, that a process can afford to lose in case of a disruption. However, can you help me understand the Application RPO (ARPO)? I think that's what I am not able to relate to.

Please note that in business continuity according to ISO 22301, there are no such terms as BRPO and ARPO, only RPO, because the return objectives focus on the activities, not on the assets.

Considering that, once the RPO is defined for an activity, it should be considered for all assets related to that activity, so the Application RPO (i.e., the maximum data loss for that application) would be exactly the RPO defined for the activity.  

2. Also, in my above query I talked about roll-up RTO and RPO values for applications, which are based on the minimum BRTO and BRPO values of the processes tagged to these applications, as per best practices. It makes sense to roll up RTO values to a minimum value in order for that application to support all the processes tagged to it. Also, RTO gap analysis makes sense here.

Nevertheless, does it make sense to roll up RPO values for an application and identify a gap based on that?

It does not make sense to think of different RTO and RPO for assets different from those defined for the activity.

For example, if you define RTO and RPO for assets larger than those defined for the activity, you won’t be able to recover the activity within the defined objectives.

On the other hand, if you define RTO and RPO for assets smaller than those defined for the activity, you will be allocating more resources than needed to achieve the activity-defined objectives, and this would be inefficient.

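The roll-up and gap analysis discussed in this thread, as an added worked example that is not part of the original posts or of any ISO 22301 toolkit. It takes the expert's position literally: each application inherits the strictest (minimum) RTO and RPO of the activities that depend on it, a capability weaker than that is a shortfall (the activity cannot be recovered within its objective), and a capability far stricter than any dependent activity needs is flagged as over-provisioned. All activity and application names, hours and the `slack_factor` threshold are constructed for illustration.

```python
# Constructed example (not from the thread): roll activity RTO/RPO up onto the
# applications they depend on, then flag where an application's actual recovery
# capability falls short of, or well exceeds, what the activities require.
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    rto_hours: float                      # maximum tolerable downtime of the activity
    rpo_hours: float                      # maximum tolerable data loss, expressed as time
    depends_on: list = field(default_factory=list)  # names of supporting applications


@dataclass
class Application:
    name: str
    achievable_rto_hours: float   # what the recovery arrangement can actually deliver
    backup_interval_hours: float  # worst-case data loss between backups, i.e. effective RPO


def required_objectives(activities):
    """Strictest (minimum) RTO and RPO that each application must meet.

    An application tagged to several activities inherits the lowest value of
    each objective; otherwise at least one activity could not be recovered in time.
    """
    required = {}
    for act in activities:
        for app_name in act.depends_on:
            rto, rpo = required.get(app_name, (float("inf"), float("inf")))
            required[app_name] = (min(rto, act.rto_hours), min(rpo, act.rpo_hours))
    return required


def gap_analysis(activities, applications, slack_factor=4.0):
    """Compare each application's capability against the rolled-up requirement.

    Returns {app_name: list of findings}. A finding is a tuple
    (objective, kind, achievable_hours, required_hours) where kind is
    "shortfall" (capability is weaker than required) or "overprovisioned"
    (capability is at least slack_factor times stricter than any dependent
    activity needs; slack_factor is an assumed, illustrative threshold).
    """
    required = required_objectives(activities)
    findings = {}
    for app in applications:
        if app.name not in required:
            continue  # no activity depends on it; nothing to roll up
        rto_req, rpo_req = required[app.name]
        result = []
        for objective, achievable, needed in (
            ("RTO", app.achievable_rto_hours, rto_req),
            ("RPO", app.backup_interval_hours, rpo_req),
        ):
            if achievable > needed:
                result.append((objective, "shortfall", achievable, needed))
            elif achievable * slack_factor <= needed:
                result.append((objective, "overprovisioned", achievable, needed))
        findings[app.name] = result
    return findings


# Constructed sample data; every name and value below is made up.
ACTIVITIES = [
    Activity("order_intake", rto_hours=4, rpo_hours=1, depends_on=["crm", "db"]),
    Activity("invoicing", rto_hours=24, rpo_hours=8, depends_on=["erp", "db"]),
    Activity("payroll", rto_hours=72, rpo_hours=24, depends_on=["erp"]),
]
APPLICATIONS = [
    Application("crm", achievable_rto_hours=8, backup_interval_hours=1),    # RTO too slow
    Application("db", achievable_rto_hours=2, backup_interval_hours=4),     # backups too sparse
    Application("erp", achievable_rto_hours=24, backup_interval_hours=1),   # RPO stricter than needed
    Application("hr_portal", achievable_rto_hours=48, backup_interval_hours=24),  # no dependants
]

if __name__ == "__main__":
    for app_name, (rto, rpo) in sorted(required_objectives(ACTIVITIES).items()):
        print(f"{app_name}: required RTO {rto}h, required RPO {rpo}h")
    for app_name, result in gap_analysis(ACTIVITIES, APPLICATIONS).items():
        for objective, kind, achievable, needed in result:
            print(f"{app_name}: {objective} {kind}: achievable {achievable}h vs required {needed}h")
```

Note that the RPO gap on `db` comes purely from its backup interval, not from whether the application front-end is up: that is the sense in which an application "has" an RPO, as a property of its data protection that must satisfy the most demanding activity relying on that data.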