Keep one copy offsite: The third principle of the 3-2-1 backup policy is to keep at least one
copy of your data offsite. This could be a physical copy stored in a secure location, or a cloud-
based copy stored in a different geographic region.

The 3-2-1 backup policy is designed to provide a high level of protection for an organization's
data, as it ensures that multiple copies of the data are available and stored in a variety of
different locations and media. This can help reduce the risk of data loss due to hardware
failure, natural disasters, or other types of disruptions.

RPO / RTO
RPO (recovery point objective) and RTO (recovery time objective) are two important concepts
in disaster recovery and business continuity planning. They are used to define the acceptable
level of data loss and downtime that an organization is willing to tolerate in the event of a
disruption or disaster.

RPO is the maximum amount of data that an organization is willing to lose in the event of a
disaster. It is typically measured in terms of time, and it represents the point in time up to
which data must be recovered in order to meet the organization's requirements. For example,
if an organization has an RPO of 4 hours, it means that it can tolerate losing up to 4 hours'
worth of data in the event of a disaster, as long as the data can be recovered from backups.

RTO, on the other hand, is the maximum amount of time that an organization is willing to wait
to resume normal operations after a disaster. It represents the amount of time that the
organization has to recover from a disaster and restore its critical systems and processes.

Both RPO and RTO are important considerations in disaster recovery and business continuity
planning, as they help organizations define their requirements for data recovery and system
availability. By setting clear RPO and RTO objectives, organizations can ensure that their
disaster recovery and business continuity plans are sufficient to meet their needs in the event
of a disaster.
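
The following added example (not from the book) measures a backup job log and a restore drill against the two objectives. The job log, drill times, and 3-hour RTO are constructed assumptions; the 4-hour RPO is the figure used above. A failed job leaves no restorable copy, so it widens the gap that the RPO has to cover.

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=4)  # the 4-hour RPO used in the text
RTO = timedelta(hours=3)  # assumed value; the text gives no RTO figure

# Constructed job log: (snapshot time, job succeeded?)
JOBS = [
    (datetime(2024, 1, 1, 0, 0), True),
    (datetime(2024, 1, 1, 4, 0), True),
    (datetime(2024, 1, 1, 8, 0), True),
    (datetime(2024, 1, 1, 12, 0), False),  # failed job: no restorable copy
    (datetime(2024, 1, 1, 16, 0), True),
]
WINDOW_END = datetime(2024, 1, 1, 20, 0)  # end of the period under review
# Constructed restore drill: (restore started, service back in operation)
DRILL = (datetime(2024, 1, 2, 9, 0), datetime(2024, 1, 2, 11, 30))

def restorable_points(jobs):
    """Snapshot times of successful jobs only, oldest first."""
    return sorted(t for t, ok in jobs if ok)

def data_loss_at(incident, jobs):
    """Data lost if disaster strikes at `incident`; None if nothing can be restored."""
    earlier = [t for t in restorable_points(jobs) if t <= incident]
    return incident - earlier[-1] if earlier else None

def worst_case_loss(jobs, window_end):
    """Largest gap between restorable points, including the gap up to window_end."""
    points = restorable_points(jobs)
    if not points:
        raise ValueError("no successful backup in the log")
    edges = points + [window_end]
    return max(later - earlier for earlier, later in zip(edges, edges[1:]))

def check_objectives(jobs, window_end, drill, rpo, rto):
    """Compare the achieved recovery point and recovery time with the objectives."""
    loss = worst_case_loss(jobs, window_end)
    restore_time = drill[1] - drill[0]
    return {"worst_case_loss": loss, "rpo_met": loss <= rpo,
            "restore_time": restore_time, "rto_met": restore_time <= rto}

if __name__ == "__main__":
    for key, value in check_objectives(JOBS, WINDOW_END, DRILL, RPO, RTO).items():
        print(f"{key}: {value}")
```

With this log, the single failed job at 12:00 stretches the exposure to 8 hours, so a schedule that nominally runs every 4 hours still misses the 4-hour RPO.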

ISO 22301
ISO 22301 is an international standard for business continuity management (BCM) that
provides guidelines for organizations to plan, establish, implement, operate, monitor, review,
maintain, and continually improve a BCM system. One of the key components of a BCM
system is a disaster recovery plan (DRP), which is a detailed document that outlines the steps
that the organization will take to protect against, prepare for, respond to, and recover from
disruptive incidents. The ISO 22301 standard consists of a number of key components,
including:

• A business continuity policy: This is a high-level document that outlines the
organization's commitment to business continuity and sets out the principles and
objectives of the BCM system.
• A business continuity plan: This is a detailed document that outlines the steps that the
organization will take to protect against, prepare for, respond to, and recover from
disruptive incidents.
• Business continuity management processes: These are the processes that the
organization will follow to implement, operate, and maintain the BCM system. These
processes may include risk assessment, business impact analysis, recovery strategy
development, and testing and exercising.
• Business continuity management resources: These are the resources that the
organization will need to implement and maintain the BCM system, including
personnel, equipment, and facilities.

By implementing the ISO 22301 standard, organizations can improve their resilience and
ability to recover from disruptive incidents, such as natural disasters, cyber-attacks, or power
outages. This can help to protect against financial losses, reputational damage, and other
negative impacts on the organization.

DISCLAIMER

This Book has been written using ChatGPT AI capabilities, to provide information about
Enterprise Cyber Security.

However, there may be mistakes in typography or content. Also, this Book provides
information only up to the publishing date. Therefore, this Book should be used as a guide -
not as the ultimate source.

The purpose of this Book is to educate. The author and the publisher do not warrant that the
information contained in this book is fully complete and shall not be responsible for any errors
or omissions.

The author and publisher shall have neither liability nor responsibility to any person or entity
with respect to any loss or damage caused or alleged to be caused directly or indirectly by this
Book.

Copyright © 2022 - Cyzea.io

All rights to this book are reserved. No permission is given for any part of this book to be
reproduced, transmitted in any form, or means; electronic or mechanical, stored in a retrieval
system, photocopied, recorded, scanned, or otherwise. Any of these actions require the
proper written permission of the author.
