You are one of the business continuity team members and sitting in a meeting conducting business impact analysis. Critical or prioritized activities that support the delivery of products and services are identified and under discussion. Which of the following metrics is most likely not defined for each activity?
A. The time within which the impacts of not resuming activities would become unacceptable
B. The time frames for resuming activities at specified minimum acceptable capacities
C. The minimum business continuity objective (MBCO) or service delivery objective (SDO)
D. The point up to which information and data used by an activity is appropriately current

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. The point up to which information and data used by an activity is appropriately current.

Recovery Point Objective (RPO) is the point up to which information and data used by an activity is appropriately current. Not every activity or resource is data-centric; for example, the lack of raw materials doesn’t need to restore data from tapes to recover the business.

Business impact analysis (BIA) is a crucial process of business continuity management. It analyzes the impact of disruption upon the delivery of products and services supported by critical and supporting activities and other resources. Both the lack of raw materials or glitches of the information system can disrupt the delivery of products and services. However, not every activity or resource is data-centric; for example, the lack of raw materials doesn’t need to restore data from tapes to recover the business. As a result, the Recovery Point Objective (RPO) is not mandatory and may not be defined for each activity.

• MTD: The time within which the impacts of not resuming activities would become unacceptable
• RTO: The time frames for resuming activities at specified minimum acceptable capacities
• MBCO/SDO: The minimum business continuity objective (MBCO) or service delivery objective (SDO)
• RPO: The point up to which information and data used by an activity is appropriately current

Business Continuity

Business continuity is the “capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.” (ISO 22301:2019)

Business Impact Analysis

Business impact analysis is the “process of analyzing the impact over time of a disruption on the organization. The outcome is a statement and justification of business continuity requirements.” (ISO 22301:2019)

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

您是業務持續計晝的團隊的成員之一，正在參加業務衝擊分析(BIA)的會議。 會議中識別並討論了支持產品和服務交付的關鍵(critical)或優先(prioritized)活動。 對於每個活動，以下哪個指標最有可能未定義？
A. 未恢復活動的影響變得無法接受的時間
B. 恢復活動至最低可接受量能所需的時間
C. 最低業務連續性目標（MBCO）或服務交付目標（SDO）
D. 一項活動所使用的資訊和數據的適當時點