RTO vs. RPO

Understanding Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are two terms that appear frequently when developing a Business Continuity Plan (BCP) or a Disaster Recovery Plan (DRP).  These two objectives represent the organization’s defined requirements for the amount of downtime and permanent data loss that management has determined the organization can tolerate. While RTO and RPO are paramount to developing a BCP or a DRP, these concepts can be difficult to understand, and therefore can lead to plans that may not achieve your intended outcomes. 

Below we will define RTO and RPO within the context of ISO 22301, and give examples of their application to allow you to build a reliable BCP or DRP.

What is RTO?

Recovery Time Objective, or RTO, as defined by ISO 23001, is the amount of time after a disaster in which business operation is retaken, or resources are again available for use. 

For example, if the RTO is 4 hours after a disastrous event, this means you should be able to resume delivery of products or services, or execution of activities within 4 hours.

What is RPO?

Recovery Point Objective, or RPO, as defined by ISO 23001, is the period of time after a disaster during which systems and data must be restored to the predetermined RPO without causing significant damage to the business, including time spent restoring the application and its data. This can be best understood if you ask yourself, for a given operation, how much data loss can you afford in terms or time or information. 

For example, think about a database that manages transactions at a global fast-food company. The database to be recovered must be virtually equal to the database at the moment of the disaster (i.e., the difference must be close to zero), because even within a few minutes, hundreds or thousands of transactions can be made. This information needs to be documented and cannot easily be recovered in some other way, therefore it is paramount that the RPO is near zero – meaning that the backup needs to be done in real time. 

When you are considering your RPO time, the harder it is to recover or recreate the data, the shorter the RPO needs to be. 

What is the difference between RTO and RPO?

The main difference between RTO and RPO is time. RTO is focused on downtime of services, processes, applications and defines the resources to be allocated to business continuity. RPO is focused on the amount of data that will be affected making its focus to define backup frequency.  For example, if your email system is down, the RTO to get it back to functioning might be 1 hour, but the RPO, if this doesn’t greatly affect your business, may be zero. 

Another relevant difference is that, in relation to the moment of the disruptive incident, RTO looks forward in time at the amount of time you need to resume operations.  RPO looks back in time at the amount of time or data you are willing to lose, or will lose in the time of recovery (i.e., how long ago was your last backup, and how much data will you lose?)

What are RTO and RPO in disaster recovery?

RTO is used to determine what kind of preparations are necessary for a disaster, in terms of finances, facilities, telecommunications, systems, personnel, processes, etc. A shorter RTO usually equates to more resources being needed. 

RPO is used for determining the frequency of data backup to recover the needed data in case of a disaster. If your RPO is 8 hours, your organization should perform data backups at least every 8 hours.  If your last backup was 24 hours ago, it would put your organization at risk of losing 16 hours of data; however, if you made a backup every 2 hours, it could potentially could be costly (time, storage space, etc.) and not bring additional value to the company. It is wise to do a cost/benefit analysis to determine the appropriate RPO for your organization.

Should RPO be less than RTO?

RPO and RTO are both crucial for business impact analysis and for business continuity management. RPO and RTO are not directly related, and they do not conflict. They are independent variables that should be defined in order to have a successful BCP and/or a DRP.  

For example, a fast-food chain may need to be back online within moments after a disruption, so RTO may be near zero. The same fast-food chain may have two databases, one for its product which is updated monthly, and the second is for sales which is thousands per day. The RPO for the first database is monthly, while the second RPO should be near zero.

RTO and RPO in Relation to ISO/IEC 27001 and ISO 22301

Planning for disaster recovery and information technology has increasingly become more important as organizations have become progressively dependent on their computer systems. IT Service Continuity is essential for many organizations in the implementation of a BCP and Information Security Management System (ISMS). When creating a business continuity and/or disaster recovery plan, ISO/IEC 27001 and ISO 22301 have specified requirements your organization must meet, and RPO and RTO are both crucial for business continuity management and disaster recovery.