information security; (3) define the recovery time objective (RTO) for information system and its priority to be recovered based on its criticality and potential impact; (4) consider redundant information

and other IT assets (i.e., systems asset and equipment asset) shall be classified in terms of criticality in order that such IT assets are given an appropriate level of protection in accordance with