In this chapter, you explored various aspects of business resiliency, including BIA, data backups, BCP and DRP plans, and testing methodologies. You also learned about various processes to evaluate an organization's ability to continue business operations. You have now acquired the relevant knowledge and skills required should business resilience appear in the CISA exam, along with a number of practical aspects like to derive RTO and RPO. The following are some important points that you covered in this chapter: • A BIA determines the impact arising from the unavailability of each system. The more critical the system, the higher the impact. A BIA is conducted on the basis of input from the business process owner. • Once the critical applications have been identified through the BIA, the next step is to develop a strategy to recover the critical assets as soon as possible for the continuity of business operations. The BCP is the next step once the strategy has been developed. Testing procedures and training schedules can be designed following the development of the BCP. • Diverse routing is a method of routing information through split cables, while alternative routing involves routing information through alternative cables, such as copper or fiber-optic cables. Bridges and gateways are used for network extensions. • The main objective of testing an offsite facility is to validate the compatibility of the facility to support the organization in case of a disaster. The test results help to evaluate the adequacy and effectiveness of the offsite recovery facility. • The RTO is a measure of an organization’s tolerance to system downtime. In other words, it is the extent of acceptable system downtime. For example, an RTO of 2 hours indicates that an organization will not be overly impacted if its system is down for up to 2 hours. • The RPO is a measure of an organization’s tolerance to data loss. In other words, the RPO is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an organization will not be overly impacted if it loses data for up to 2 hours. The next chapter will discuss various aspects of information asset security and controls.