---
title: "ISO 22301 FAQ: BCMS, BIA, MTPD, RTO and Audit Evidence"
canonical_url: "https://www.sorena.io/artifacts/global/iso-22301/faq"
source_url: "https://www.sorena.io/artifacts/global/iso-22301/faq/items/page/2"
author: "Sorena AI"
description: "Practical ISO 22301 FAQ for business continuity teams: BCMS scope, BIA, MTPD, RTO, RPO, strategies, exercises, audits, management review, and certification evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ISO 22301 FAQ"
  - "BCMS FAQ"
  - "business impact analysis ISO 22301"
  - "MTPD RTO RPO"
  - "ISO 22301 audit evidence"
  - "business continuity management system"
  - "ISO 22301"
  - "business continuity management"
  - "BCMS"
  - "business impact analysis"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform


---

# ISO 22301 FAQ: BCMS, BIA, MTPD, RTO and Audit Evidence

Practical ISO 22301 FAQ for business continuity teams: BCMS scope, BIA, MTPD, RTO, RPO, strategies, exercises, audits, management review, and certification evidence.

*FAQ* *Global* *ISO 22301*

## ISO 22301 FAQ

Clear answers to the ISO 22301 questions teams ask when building or maintaining a business continuity management system.

Use this FAQ to connect BCMS scope, business impact analysis, recovery targets, continuity strategies, exercises, audit evidence, and management review.

ISO 22301 is not just a business continuity plan template. It is a management-system standard for establishing, implementing, maintaining, and improving a BCMS that helps an organization continue delivery of products and services through disruption.

## Browse sub-FAQ modules

### [ISO 22301 Business Impact Analysis FAQ](/artifacts/global/iso-22301/faq/business-impact-analysis.md)

Practical ISO 22301 BIA FAQ covering prioritized activities, impact criteria, MTPD, RTO, RPO, dependencies, resources, strategy handoff, evidence, and review triggers.

- 5 items

### [ISO 22301 Certification Evidence FAQ](/artifacts/global/iso-22301/faq/certification-evidence.md)

FAQ guidance on ISO 22301 certification evidence: BCMS scope, documented information, BIA, risk assessment, exercises, internal audit, management review, and corrective action.

- 4 items

### [ISO 22301 Management Review FAQ](/artifacts/global/iso-22301/faq/management-review.md)

What ISO 22301 management review should cover: inputs, outputs, decisions, evidence, improvement actions, and ownership for BCMS leadership reviews.

- 4 items

### [ISO 22301 MTPD FAQ](/artifacts/global/iso-22301/faq/mtpd.md)

How ISO 22301 teams should define MTPD in the business impact analysis, separate it from RTO and RPO, and keep recovery evidence current.

- 4 items

### [ISO 22301 Recovery Strategies FAQ](/artifacts/global/iso-22301/faq/recovery-strategies.md)

Practical ISO 22301 FAQ on selecting recovery strategies from BIA, risk assessment, prioritized activities, resource needs, exercises, and review evidence.

- 4 items

### [ISO 22301 RPO FAQ: Recovery Point Objectives](/artifacts/global/iso-22301/faq/rpo.md)

How to set, evidence, test, and review recovery point objectives in an ISO 22301 business continuity management system.

- 4 items

### [ISO 22301 RTO FAQ: Recovery Time Objectives](/artifacts/global/iso-22301/faq/rto.md)

Plain-language ISO 22301 guidance for setting recovery time objectives from BIA evidence, MTPD limits, resources, dependencies, exercises, and review triggers.

- 5 items

### [ISO 22301 Testing Exercises FAQ](/artifacts/global/iso-22301/faq/testing-exercises.md)

How ISO 22301 teams should plan, run, evidence, and improve business continuity exercises and tests.

- 4 items

Browse all indexed questions: [/artifacts/global/iso-22301/faq/items](/artifacts/global/iso-22301/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 14 of 34 items.*

### [When should recovery strategies be reviewed or changed?](/artifacts/global/iso-22301/faq/recovery-strategies.md#when-should-recovery-strategies-be-reviewed-or-changed)

*Module: [ISO 22301 Recovery Strategies](/artifacts/global/iso-22301/faq/recovery-strategies.md)*

Review strategies at planned intervals and after significant changes to the organization, context, prioritized activities, resource requirements, suppliers, sites, systems, legal obligations, customer commitments, or disruption risks. ISO 22301 also expects exercising and testing over time to validate business continuity strategies and solutions.

- Trigger review when BIA assumptions, risk assessment results, supplier capabilities, technology architecture, staffing, facilities, or customer obligations change.
- Use exercises, tests, post-incident reports, audits, and performance evaluations to confirm whether the strategy remains suitable.
- Carry material strategy changes and unresolved gaps into management review so leadership decisions are documented.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary ISO listing for the current ISO 22301 business continuity management system requirements standard.
- [ISO/TS 22331 business continuity strategy guidance](https://www.iso.org/standard/50054.html?ref=sorena.io) - Supports the strategy lifecycle and review focus for business continuity strategy decisions.

### [What does RPO mean in ISO 22301 continuity planning?](/artifacts/global/iso-22301/faq/rpo.md#what-does-rpo-mean-in-iso-22301-continuity-planning)

*Module: [ISO 22301 RPO FAQ: Recovery Point Objectives](/artifacts/global/iso-22301/faq/rpo.md)*

RPO (recovery point objective) is the point in time to which information must be restored after a disruption, usually expressed as the maximum acceptable age of the recovered data. A four-hour RPO means the organization has accepted that up to four hours of records, transactions, messages, telemetry, or other data may be absent from the recovered copy and will have to be replayed from other sources, reconciled, or manually rebuilt.

- Set RPO per prioritized activity, service, system, data store, integration, or supplier dependency instead of using one default value for the whole organization.
- Express the target in operational terms such as accepted data age, transaction replay window, manual reconciliation effort, evidence records, and customer-impact threshold.
- Treat a tighter RPO as a resource decision: it may require different replication, backup, monitoring, supplier commitments, runbooks, capacity, and exercise coverage.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies ISO 22301 as the business continuity management system requirements standard that frames continuity planning and evidence.
- [ISO/TS 22317:2021 standard page](https://www.iso.org/standard/79000.html?ref=sorena.io) - Supports tying RPO decisions to a formal BIA process rather than to ad hoc technology assumptions.

### [How is RPO different from RTO and MTPD?](/artifacts/global/iso-22301/faq/rpo.md#how-is-rpo-different-from-rto-and-mtpd)

*Module: [ISO 22301 RPO FAQ: Recovery Point Objectives](/artifacts/global/iso-22301/faq/rpo.md)*

RPO is about data loss or rework. RTO is about how quickly a disrupted activity should resume at a specified minimum acceptable capacity. MTPD is the wider time frame after which the impact of not resuming the activity becomes unacceptable to the organization.

- Use MTPD to define the unacceptable-disruption boundary.
- Use RTO to define the resumption target within that boundary, at an agreed minimum capacity and with enough margin for detection, decision, and activation that a late start does not push resumption past the MTPD.
- Use RPO to define how current the recovered data must be when the activity resumes.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports the distinction between business continuity requirements, BIA outputs, and recovery targets under ISO 22301.
- [ISO/TS 22317:2021 standard page](https://www.iso.org/standard/79000.html?ref=sorena.io) - Supports using BIA context to make recovery-objective choices appropriate to organizational needs and constraints.

### [What evidence should prove an RPO target is real?](/artifacts/global/iso-22301/faq/rpo.md#what-evidence-should-prove-an-rpo-target-is-real)

*Module: [ISO 22301 RPO FAQ: Recovery Point Objectives](/artifacts/global/iso-22301/faq/rpo.md)*

A useful RPO record shows the target, the business reason, the dependency chain, and the proof that the target can be met. The evidence should connect the BIA row to the continuity strategy, backup or replication design, runbook step, supplier commitment, exercise result, exception, and review date.

- Evidence fields: prioritized activity, product or service, system/data source, RPO, RTO, MTPD, minimum capacity, owner, supplier dependency, recovery method, test date, result, exception, and next review trigger.
- Testing evidence should show restored data age, missing transactions, reconciliation steps, failed dependencies, and corrective actions, not only that a backup job succeeded.
- Exceptions should be visible in risk treatment, continuity strategy, corrective action, or management review rather than hidden in informal notes.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports keeping documented information and reviewable BCMS evidence for operational continuity decisions.
- [ISO/TS 22317:2021 standard page](https://www.iso.org/standard/79000.html?ref=sorena.io) - Supports using a documented BIA process to justify recovery priorities and related data-loss tolerances.

### [How should RPO be tested and reviewed?](/artifacts/global/iso-22301/faq/rpo.md#how-should-rpo-be-tested-and-reviewed)

*Module: [ISO 22301 RPO FAQ: Recovery Point Objectives](/artifacts/global/iso-22301/faq/rpo.md)*

RPO should be validated through exercises, restore tests, failover tests, post-incident reviews, supplier capability reviews, and performance evaluation. The test should answer whether the organization can recover data to the agreed point and operate the prioritized activity at the required minimum capacity.

- Run tests that measure recovered data age and reconciliation effort, not only infrastructure availability.
- Feed failed RPO tests into corrective actions, supplier follow-up, strategy changes, or risk acceptance.
- Use management review to decide whether changed BIA outputs require updated RPO, RTO, plans, strategies, resources, or exercises.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports planned evaluation, exercising, testing, review, and improvement as part of the ISO 22301 BCMS.
- [ISO - Standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports presenting ISO-based recovery targets as repeatable operating practices rather than one-time audit statements.

### [What does RTO mean in ISO 22301?](/artifacts/global/iso-22301/faq/rto.md#what-does-rto-mean-in-iso-22301)

*Module: [ISO 22301 RTO FAQ: Recovery Time Objectives](/artifacts/global/iso-22301/faq/rto.md)*

RTO means recovery time objective: the target timeframe for resuming a disrupted activity at a specified minimum acceptable capacity. ISO 22301 places it inside the business impact analysis, after the organization has assessed impacts over time and identified the maximum tolerable period of disruption.

- Define the product or service that depends on the activity.
- Identify the prioritized activity and the minimum acceptable capacity after disruption.
- Set the RTO within the MTPD and document the assumptions behind it.
- Assign an accountable owner who can fund and maintain the recovery capability.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary ISO listing for the current ISO 22301 business continuity management system requirements standard.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Supports the distinction between ICT continuity requirements, BIA-derived RTOs, and RPOs for information needed during disruption.

### [How should the BIA produce the RTO?](/artifacts/global/iso-22301/faq/rto.md#how-should-the-bia-produce-the-rto)

*Module: [ISO 22301 RTO FAQ: Recovery Time Objectives](/artifacts/global/iso-22301/faq/rto.md)*

Start from impact, not from available technology. The BIA should define impact types and criteria, identify activities that support products and services, assess the impacts over time, and identify when not resuming the activity becomes unacceptable.

- Keep one RTO per prioritized activity or service dependency, not one generic RTO for the whole company.
- Record the impact criteria used to justify the target, such as customer harm, financial loss, safety, regulatory commitments, or contractual commitments.
- Link the RTO to required people, sites, applications, data, suppliers, workarounds, communications, and approval authority.
- Capture any gap between the desired RTO and the current tested capability as a risk, exception, or corrective action.

Sources for this answer:

- [ISO 22313:2020 guidance standard page](https://www.iso.org/standard/75107.html?ref=sorena.io) - Companion guidance for applying ISO 22301 and maintaining a business continuity management system.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Supports BIA-derived ICT continuity requirements, including RTOs for prioritized activities and supporting ICT resources.

### [How is RTO different from RPO?](/artifacts/global/iso-22301/faq/rto.md#how-is-rto-different-from-rpo)

*Module: [ISO 22301 RTO FAQ: Recovery Time Objectives](/artifacts/global/iso-22301/faq/rto.md)*

RTO is about time to restore service or activity capability. RPO is about how much information loss is tolerable. The two are independent: a service can have a short RTO and a long RPO, or the opposite, depending on the business impact and data requirements. A public status page may need to be back within minutes yet tolerate hours-old content, while a payments ledger may tolerate a longer outage but almost no lost transactions.

- Use RTO to size recovery sites, failover design, staffing, supplier response, and manual workarounds.
- Use RPO to size backup frequency, replication, transaction logging, reconciliation, and data recovery testing.
- Do not treat backup success as proof of RTO; backup evidence usually proves only part of the recovery capability.
- When RTO and RPO conflict with budget or supplier capability, record the accepted risk or approved improvement plan.

Sources for this answer:

- [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - NIST contingency controls distinguish recovery time and recovery point objectives for alternate storage, alternate processing, backups, and recovery.
- [ENISA NIS2 technical implementation guidance](https://doi.org/10.2824/2702548?ref=sorena.io) - ENISA guidance discusses RTOs, RPOs, maximum acceptable outage, and testing recovery objectives in operational resilience measures.

### [What evidence shows the RTO is achievable?](/artifacts/global/iso-22301/faq/rto.md#what-evidence-shows-the-rto-is-achievable)

*Module: [ISO 22301 RTO FAQ: Recovery Time Objectives](/artifacts/global/iso-22301/faq/rto.md)*

A target is not enough. Evidence should show that the strategy, plan, resource model, supplier dependency, and exercise results can actually support recovery within the RTO and agreed capacity.

- Test the end-to-end recovery path, including activation, people, access, data restoration, supplier response, communications, and stand-down.
- Record actual recovery times from exercises and incidents, measured from the start of the disruption rather than from the moment the recovery team was activated, instead of only recording that a test occurred.
- Tie missed RTOs to corrective actions with owners and due dates.
- Use management review to decide whether the RTO, strategy, budget, supplier contract, or plan needs to change.
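The measurements called for in the RPO testing answer above (recovered data age and reconciliation need, not backup job status) and the RTO evidence in this answer (actual recovery time from the disruption, at the agreed capacity, and the RTO sitting inside the MTPD) can be checked mechanically against the BIA row. The Python below is an added example, not code from this page or from Sorena: the record fields, the activity name, and the exercise timestamps are constructed for illustration, and the rule that RTO must be strictly inside MTPD is a choice made by the example rather than a quotation of the standard.

```python
# Added example: evaluate one recovery exercise against the BIA targets for an
# activity. Not code from the page or from Sorena; the field set, activity name
# and timestamps are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RecoveryTarget:
    """BIA row for one prioritized activity (hypothetical field set)."""
    activity: str
    mtpd: timedelta            # point after which the impact becomes unacceptable
    rto: timedelta             # target time to resume at min_capacity_pct
    rpo: timedelta             # maximum acceptable age of recovered data
    min_capacity_pct: int      # minimum acceptable capacity at resumption

    def consistency_issues(self) -> list[str]:
        """Targets that contradict each other before any test is run."""
        issues = []
        # Example's choice: RTO equal to MTPD is flagged, since it leaves no
        # margin for detection, decision and activation.
        if self.rto >= self.mtpd:
            issues.append(
                f"{self.activity}: RTO {self.rto} is not within MTPD {self.mtpd}"
            )
        if not 0 < self.min_capacity_pct <= 100:
            issues.append(f"{self.activity}: minimum capacity must be 1-100 percent")
        return issues


@dataclass(frozen=True)
class ExerciseResult:
    """What a restore or failover exercise actually observed."""
    activity: str
    disrupted_at: datetime       # start of the disruption, not of the recovery work
    newest_record_at: datetime   # newest committed record present in the restored copy
    resumed_at: datetime         # when the activity was running at capacity_pct
    capacity_pct: int
    backup_job_succeeded: bool   # what the backup tool reported; not proof of RPO

    def recovered_data_age(self) -> timedelta:
        age = self.disrupted_at - self.newest_record_at
        if age < timedelta(0):
            raise ValueError("restored copy claims records newer than the disruption")
        return age

    def recovery_time(self) -> timedelta:
        elapsed = self.resumed_at - self.disrupted_at
        if elapsed < timedelta(0):
            raise ValueError("resumption recorded before the disruption")
        return elapsed


def evaluate(target: RecoveryTarget, result: ExerciseResult) -> dict:
    """Compare measured outcomes with the targets; every miss is a finding."""
    if target.activity != result.activity:
        raise ValueError("exercise result does not belong to this BIA row")
    findings = list(target.consistency_issues())
    data_age = result.recovered_data_age()
    elapsed = result.recovery_time()
    if data_age > target.rpo:
        findings.append(f"RPO missed: recovered data age {data_age} exceeds RPO {target.rpo}")
    if elapsed > target.rto:
        findings.append(f"RTO missed: resumed after {elapsed}, RTO is {target.rto}")
    if elapsed > target.mtpd:
        findings.append(f"MTPD exceeded: resumed after {elapsed}, MTPD is {target.mtpd}")
    if result.capacity_pct < target.min_capacity_pct:
        findings.append(
            f"capacity shortfall: {result.capacity_pct}% resumed, "
            f"{target.min_capacity_pct}% required"
        )
    return {
        "activity": target.activity,
        "recovered_data_age": data_age,
        "recovery_time": elapsed,
        "backup_job_succeeded": result.backup_job_succeeded,
        "targets_met": not findings,
        "findings": findings,
    }


def sample_target() -> RecoveryTarget:
    # Constructed BIA row: MTPD 24 h, RTO 8 h, RPO 4 h, resume at 50 % capacity.
    return RecoveryTarget("order capture", timedelta(hours=24), timedelta(hours=8),
                          timedelta(hours=4), 50)


def sample_inconsistent_target() -> RecoveryTarget:
    # Constructed BIA row whose RTO (8 h) is longer than its MTPD (4 h).
    return RecoveryTarget("order capture", timedelta(hours=4), timedelta(hours=8),
                          timedelta(hours=1), 50)


def sample_result() -> ExerciseResult:
    # Constructed exercise: the backup job reported success, but the newest
    # record in the restored copy is 5 h 30 min older than the disruption.
    # Resumption itself was within RTO and above minimum capacity.
    utc = timezone.utc
    return ExerciseResult(
        "order capture",
        disrupted_at=datetime(2026, 3, 10, 9, 0, tzinfo=utc),
        newest_record_at=datetime(2026, 3, 10, 3, 30, tzinfo=utc),
        resumed_at=datetime(2026, 3, 10, 15, 0, tzinfo=utc),
        capacity_pct=60,
        backup_job_succeeded=True,
    )


if __name__ == "__main__":
    for key, value in evaluate(sample_target(), sample_result()).items():
        print(f"{key}: {value}")
```

Run as a script it prints the report for the sample exercise. The point of the sample is the gap between two fields: the backup job succeeded, yet the newest record in the restored copy is five and a half hours older than the disruption, so the four-hour RPO is missed and the row needs a corrective action rather than a green tick. The same report also exposes a BIA row whose RTO is not inside its MTPD before any exercise is run.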

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - ISO 22301 requires exercising, testing, evaluating, and improving business continuity strategies, solutions, plans, and procedures.
- [NIST SP 800-53 Rev. 5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - NIST recovery controls support aligning alternate sites, backups, and recovery capabilities with recovery time and recovery point objectives.

### [When should an RTO be reviewed or changed?](/artifacts/global/iso-22301/faq/rto.md#when-should-an-rto-be-reviewed-or-changed)

*Module: [ISO 22301 RTO FAQ: Recovery Time Objectives](/artifacts/global/iso-22301/faq/rto.md)*

Review RTOs at planned intervals and whenever the organization, service, supplier, technology, legal context, customer commitment, or disruption experience changes. ISO 22301 ties BIA and risk assessment review to planned intervals and significant changes.

- Review after incidents, activations, failed tests, supplier changes, infrastructure changes, and major product or service changes.
- Update RTOs when impact criteria, minimum acceptable capacity, MTPD, dependencies, or resources change.
- Escalate unresolved capability gaps to risk acceptance, corrective action, budget planning, or management review.
- Keep a change history so auditors and service owners can see why each RTO was set or revised.

Sources for this answer:

- [ISO 22313:2020 guidance standard page](https://www.iso.org/standard/75107.html?ref=sorena.io) - Supports maintaining and improving the BCMS over time, including review and update of continuity arrangements.
- [ENISA NIS2 technical implementation guidance](https://doi.org/10.2824/2702548?ref=sorena.io) - Supports operational testing and monitoring of successful and failed recovery objectives in cybersecurity continuity planning.

### [What should an ISO 22301 exercise programme include?](/artifacts/global/iso-22301/faq/testing-exercises.md#what-should-an-iso-22301-exercise-programme-include)

*Module: [ISO 22301 Testing Exercises](/artifacts/global/iso-22301/faq/testing-exercises.md)*

The programme should be planned against the BCMS scope and business continuity objectives, not as a loose calendar of tabletop meetings. Each exercise or test should name the activity, site, product, service, dependency, plan, team, and scenario being validated.

- Define the exercise objective before choosing the scenario or participants.
- Tie each exercise to continuity objectives, prioritized activities, BIA outputs, risk assessment results, strategies, plans, and procedures.
- Use scenarios that are realistic enough to test decisions, resource assumptions, communications, recovery sequencing, and dependency failures.
- Plan coverage across roles and sites over time so the programme validates the BCMS, not only one team that already knows the plan.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary ISO listing for the business continuity management system requirements standard that includes exercising and testing as part of BCMS operation.
- [ISO 22313:2020 guidance standard page](https://www.iso.org/standard/75107.html?ref=sorena.io) - Companion guidance for applying ISO 22301, useful for shaping practical BCMS implementation and improvement records.

### [How should exercises validate BIA and recovery objectives?](/artifacts/global/iso-22301/faq/testing-exercises.md#how-should-exercises-validate-bia-and-recovery-objectives)

*Module: [ISO 22301 Testing Exercises](/artifacts/global/iso-22301/faq/testing-exercises.md)*

Exercises should test whether the BIA and risk assessment still describe reality. If the BIA says an activity has a maximum tolerable period of disruption, an RTO, an RPO, critical suppliers, required people, minimum resources, or a recovery sequence, the exercise should check whether those assumptions survive contact with the scenario.

- Map each scenario to affected activities, products, services, sites, systems, people, suppliers, and recovery procedures.
- Record whether the tested response met the intended RTO, RPO, MTPD-related priority, communication deadline, or resource assumption.
- Flag gaps where plans depend on unavailable staff, stale contact lists, untested suppliers, missing access, unclear authority, or recovery steps that take longer than the BIA allows.
- Feed validated changes back into the BIA, risk assessment, continuity strategies, procedures, training, and supplier follow-up.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports the link between exercises, business impact analysis, business continuity strategies, plans, and BCMS evaluation.
- [ISO 22313:2020 guidance standard page](https://www.iso.org/standard/75107.html?ref=sorena.io) - Supports practical guidance for applying ISO 22301 when evaluating and improving the BCMS.

### [What evidence should teams keep after each exercise?](/artifacts/global/iso-22301/faq/testing-exercises.md#what-evidence-should-teams-keep-after-each-exercise)

*Module: [ISO 22301 Testing Exercises](/artifacts/global/iso-22301/faq/testing-exercises.md)*

The post-exercise record should be formal enough that an internal auditor, certifier, customer, or management reviewer can see what was tested and what changed because of the result. The record should not be a slide saying the exercise was completed.

- Document the exercise scope, assumptions, date, facilitators, participants, affected processes, and plans tested.
- Separate observations from corrective actions: an observation describes what happened; an action names the fix, owner, due date, and verification method.
- Retain evidence of improvement, such as updated procedures, revised contact lists, new training records, supplier follow-up, resource changes, or accepted residual risk.
- Preserve unresolved items for audit, risk review, or management review instead of burying them in meeting notes.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports retaining exercise and evaluation evidence as part of the BCMS documented information and improvement cycle.
- [ISO 22313:2020 guidance standard page](https://www.iso.org/standard/75107.html?ref=sorena.io) - Supports practical implementation records for applying and improving the BCMS after exercise results.

### [When should exercise results trigger corrective action or management review?](/artifacts/global/iso-22301/faq/testing-exercises.md#when-should-exercise-results-trigger-corrective-action-or-management-review)

*Module: [ISO 22301 Testing Exercises](/artifacts/global/iso-22301/faq/testing-exercises.md)*

Exercise results should trigger action when they show that a strategy, solution, plan, role, supplier dependency, communication procedure, or recovery assumption is not suitable, adequate, or effective. A finding is not closed when it is assigned; it is closed when the correction is implemented and its effectiveness is checked.

- Run exercises at planned intervals and when significant organizational, context, service, supplier, technology, site, or recovery-strategy changes occur.
- Convert failed or partial results into corrective actions with cause analysis, implementation evidence, and effectiveness review.
- Update the BIA, risk assessment, strategies, plans, communication procedures, training, or supplier records when the exercise proves they are stale.
- Escalate material gaps to management review when they affect BCMS suitability, adequacy, effectiveness, resources, scope, or continual improvement.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports review, evaluation, corrective-action, and continual-improvement handling for exercise findings.
- [ISO 22313:2020 guidance standard page](https://www.iso.org/standard/75107.html?ref=sorena.io) - Supports using exercise outputs as implementation guidance for maintaining and improving a BCMS.



## Operationalize ISO 22301 FAQ

Use this FAQ to turn common BCMS questions into assigned evidence: scope decisions, BIA records, recovery targets, strategy choices, exercise reports, audit findings, and management-review actions.

- [Open Assessment Autopilot for ISO 22301](/solutions/assessment.md): Convert ISO 22301 FAQ answers into accountable tasks, evidence requests, review checkpoints, and certification-readiness records.
- [Talk through ISO 22301 implementation](/contact.md): Review your BCMS scope, BIA quality, recovery targets, exercise evidence, audit gaps, and management-review actions.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/iso-22301/faq/items/page/2
