Domain 1 of 8 · Chapter 7 of 12

Business Continuity Requirements

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • What the BIA is and why it runs first
  • The four metrics: MTD, RTO, WRT, RPO
  • External dependencies and cost-balancing
  • Exam-pattern recognition

Continuity requirement metrics: who sets them and what they bound

MetricWhat it boundsSet by / fromMeasuredDrives
MTD (Maximum Tolerable Downtime)Total acceptable outage before unacceptable harmProcess owner / leadership, from BIA impactForward from the disruptionThe ceiling RTO and WRT must fit inside
RTO (Recovery Time Objective)Max time a resource may be unavailableDerived to stay under MTDForward from the disruptionTechnology/recovery-solution choice (cost)
WRT (Work Recovery Time)Time to reprocess/catch up after system is backDerived; MTD = RTO + WRTForward, after RTO endsWhy RTO must be shorter than MTD
RPO (Recovery Point Objective)Max tolerable data lossDerived from data criticalityBackward to last good backupBackup frequency / replication need

Cheat sheet

  • The BIA is the first step of continuity planning, before any recovery choice
  • The BIA has three ordered steps: criticality, resources, then priorities
  • MTD is a business tolerance set by leadership, not an IT number
  • RTO is the maximum time a resource may be unavailable, derived to stay under MTD
  • RPO is the maximum tolerable data loss, measured backward to the last good backup
  • RTO measures time-to-restore; RPO measures data loss. Never swap them
  • MTD = RTO + WRT, so RTO must be shorter than the MTD
  • Work Recovery Time is the catch-up phase after the system is back
  • The BIA must map external dependencies, not just internal components
  • An external continuity dependency becomes an SLA requirement
  • Shorter RTOs cost disproportionately more, so balance recovery cost against downtime cost
  • Conduct the BIA in the Initiation phase and revisit it as the system changes
  • FIPS 199 impact level feeds BIA recovery priority
  • COOP Mission Essential Functions carry a hard 12-hour MTD
  • BIA outputs are requirements; recovery strategy and DR testing are downstream

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems Whitepaper
  2. FIPS 199: Standards for Security Categorization of Federal Information and Information Systems Whitepaper