Feature: RTO RPO MTD on asset level

The new ISO 27001:2022 expects that RTO, RPO and MTD are documented more granularly, and by that at asset level. What would be the best way to do this in eramba currently? Right now it is at process level only; how are you doing it currently?

Can you quote the standard, please?

Would adding custom fields for these values on the Asset module do what you’re looking for? In theory you can then pipe those out from related modules when doing other reporting via the filters, though, there’s not a direct way to associate an asset to a process to enable that as a comparison.

I suppose the other thought would be adding the RTO/RPO/etc as a control as that might be better for associations, but still handle actual values at the asset level?

Yes… but RTO, MTO, etc. in business risk take these values automatically and show you the higher or lower depending on the case. Wouldn't it be pretty if we could use JavaScript on top of eramba fields forms? @jorge

But I'm curious about this one because ISO is never prescriptive … I'll buy the standard today and have a look at it as well.

Just FYI: I very roughly read through the corresponding ISO control 5.30, ICT readiness for business continuity. In my opinion it still makes sense to set the RTO/RPO at process level according to the business impact analysis. But in the end you need to have some kind of propagation from the processes to the IT services and IT systems.
In our environment we will have this propagation in the CMDB (at least from services down to systems and at least in theory…).

c) ICT continuity plans include the following ICT continuity information:

  1. performance and capacity specifications to meet the business continuity requirements and
    objectives as specified in the BIA;
  2. RTO of each prioritized ICT service and the procedures for restoring those components;
  3. RPO of the prioritized ICT resources defined as information and the procedures for restoring
    the information

These are basically business risks, and the procedures are policies linked to them. The process field in eramba does not have an RPO value; perhaps this can be included.

GitHub: https://github.com/eramba/eramba/issues/3776