information security; (3) define the recovery time objective (RTO) for information system and its priority to be recovered based on its criticality and potential impact; (4) consider redundant information
: (a) operation associated with the policy in Clause 5 (1) (2) and (3); (b) reporting on compliance in Clause 6 (4). (2) conduct control self-assessment to measure the effectiveness of the operating