ISC2 CSSLP Exam - Topic 2 Question 86 Discussion

The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must

be recovered as defined by the organization. The RPO is generally a definition of what an organization determines is an 'acceptable loss' in a

disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2

hours. Based on this RPO the data must be restored to within 2 hours of the disaster.

Answer B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process

must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It

includes the time for trying to fix the problem without a recovery, the recovery itself, tests and the communication to the users. Decision time

for user representative is not included. The business continuity timeline usually runs parallel with an incident management timeline and may

start at the same, or different, points.

In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a

process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance.

The RTO attaches to the business process and not the resources required to support the process.

Answer D is incorrect. The Recovery Time Actual (RTA) is established during an exercise, actual event, or predetermined based on

recovery methodology the technology support team develops. This is the time frame the technology support takes to deliver the recovered

infrastructure to the business.

Answer C is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to Recovery Point

Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.