How should teams define maximum tolerable period of disruption (MTPD) under ISO 22301?

Use MTPD to set the outer disruption tolerance for each prioritized activity, then choose RTOs, resources, and recovery strategies that fit inside that limit.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

MTPD is the business impact limit: the point where not resuming an activity becomes unacceptable. In ISO 22301 work it belongs inside the BIA, tied to products and services, prioritized activities, dependencies, resource needs, and recovery choices.

Question 1

What does MTPD mean in ISO 22301?

MTPD is the maximum period an organization can tolerate a disruption to an activity before the impact becomes unacceptable. It is not a generic service-level target; it is a business impact finding for a specific activity that supports products or services in the BCMS scope.

A useful MTPD record names the activity, the product or service it supports, the impact criteria used, the point where impact becomes unacceptable, and the person or forum that accepted that tolerance. Without that context, the number is hard to defend during an audit, supplier review, or real disruption.

  • Define MTPD per prioritized activity, not once for the whole organization.
  • Base the value on impacts over time: operational loss, customer harm, legal or regulatory exposure, safety, financial loss, reputation, or contractual commitments.
  • Record the assumptions behind the decision, including minimum acceptable capacity, dependency limits, supplier constraints, and escalation thresholds.
Citations
ISO 22301:2019 standard page

Primary ISO listing for the business continuity management system requirements standard that frames MTPD as part of BCMS planning and operation.

Question 2

How is MTPD different from RTO and RPO?

MTPD is the outer impact tolerance. RTO is the planned time frame for resuming the disrupted activity at a specified minimum acceptable capacity, and it should sit inside the MTPD. RPO is different again: it expresses the acceptable point of data recovery or data loss for systems and information supporting the activity.

If an activity has a 48-hour MTPD, setting a 48-hour RTO leaves no margin for activation delays, failed recovery steps, supplier dependencies, or management escalation. The BIA should therefore show why the selected RTO and resource strategy can recover the activity before the MTPD is reached.

  • Use MTPD to define when impact becomes unacceptable.
  • Use RTO to set the recovery target for the prioritized activity at minimum acceptable capacity.
  • Use RPO for data recovery expectations where information loss affects the activity.
  • Flag any activity where the chosen RTO, RPO, supplier commitment, or workaround cannot realistically fit inside the MTPD.
Citations
ISO 22301:2019 standard page

Supports the ISO 22301 context for BIA, continuity requirements, and business continuity management system requirements.

Question 3

What evidence should prove the MTPD is current?

The evidence should connect the MTPD to the BIA, not just list a number in a spreadsheet. A reviewer should be able to trace the activity to the service it supports, the impact criteria used, the impacts over time, the selected RTO and RPO, required resources, dependencies, continuity strategy, exercise results, and open corrective actions.

Good evidence also shows ownership. The business owner should approve the impact tolerance, continuity or resilience teams should challenge consistency across activities, and management review should see unresolved gaps where recovery capability cannot meet the agreed time frames.

  • Keep the BIA worksheet, approval record, impact criteria, assumptions, and dependency map together.
  • Link MTPD to recovery strategy decisions, resource requirements, supplier or partner dependencies, and exercise/test evidence.
  • Treat missed RTOs, failed workarounds, supplier changes, and capacity shortfalls as evidence that the MTPD or strategy may need review.
  • Document accepted exceptions as risk decisions or corrective actions, not as hidden notes.
Citations
ISO 22301:2019 standard page

Primary ISO source for the BCMS requirements context behind BIA, continuity strategies, documented information, evaluation, audit, and management review evidence.

ISO - Standards overview

Supports the management-system expectation that important decisions are controlled, reviewed, and improved over time.

Recommended next step

Operationalize ISO 22301 MTPD

Use this FAQ as the starting point for a tracked BIA workflow: assign owners, confirm impact tolerances, align RTO and RPO targets, request dependency evidence, and keep review triggers visible.

Question 4

When should teams review MTPD and update the BIA?

Review MTPD at planned intervals and whenever the facts behind the BIA change. Typical triggers include a new or changed product, site, process, system, supplier, customer promise, legal or contractual duty, incident lesson, failed exercise, resource constraint, or management decision that changes impact tolerance.

The update should not stop at the MTPD field. If the tolerance changes, check whether RTOs, RPOs, continuity strategies, resource requirements, procedures, supplier agreements, exercises, and management-review actions still make sense.

  • Update the BIA when significant organizational or context changes affect activities, dependencies, or acceptable impact.
  • Review recovery strategies and solutions when exercises, tests, incidents, or supplier evaluations show the selected approach cannot meet the time frames.
  • Escalate unresolved gaps into corrective action, risk acceptance, or management review.
  • Keep version history so reviewers can see what changed, who approved it, and which recovery evidence was updated.
Citations
ISO 22301:2019 standard page

Supports the ISO 22301 management-system context for planned review, evaluation, business continuity documentation, and continual improvement.

ISO - Standards overview

Supports treating MTPD review as part of a maintained system for doing business continuity work consistently.

Primary sources

References and citations

iso.org
Referenced sections
  • Supports treating MTPD review as part of a maintained system for doing business continuity work consistently.
"Think of them as a formula that describes the best way of doing something."
iso.org
Referenced sections
  • Supports the ISO 22301 management-system context for planned review, evaluation, business continuity documentation, and continual improvement.
"Business continuity management systems - Requirements"
iso.org
Referenced sections
  • Supports the distinction between documented management-system requirements and organization-specific implementation choices.
"Think of them as a formula that describes the best way of doing something."
iso.org
Referenced sections
  • Supports treating MTPD decisions as maintained operating evidence inside a management system, not as one-time audit wording.
"Think of them as a formula that describes the best way of doing something."