GV.OC-04.009
Has your organization established and communicated resilience objectives (such as recovery time objectives) for critical capabilities and services across different operating states?
Explanation
Resilience objectives define how quickly critical systems and services should be restored after disruption. These objectives should cover various operating states, including normal operations, under-attack scenarios, and recovery phases. For example, a resilience objective might specify that customer-facing payment systems must be restored within 4 hours of disruption, while internal email systems can tolerate a 24-hour recovery window. Evidence of fulfillment could include a documented Business Continuity Plan or Disaster Recovery Plan that clearly defines recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical system, along with communication records showing these objectives have been shared with relevant stakeholders.
Implementation Example
Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)
ID: GV.OC-04.009
Context
- Function
  - GV: GOVERN
- Category
  - GV.OC: Organizational Context
- Sub-Category
  - Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated

