ISO 27001/ISO 22301 Knowledge base

What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

Author: Dejan Kosutic

Both RTO and RPO are essential elements of business continuity, and they sound quite similar. But their purpose is quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

This actually means that RTO is crucial when implementing business continuity in a company – calculating how quickly you need to recover will determine what kind of preparations are necessary. For example, if RTO is 2 hours, then you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc. – because you want to be able to achieve full recovery in only 2 hours. However, if your RTO is 2 weeks, then the required investment will be much lower because you will have enough time to acquire resources after an incident has occurred.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also this article Five Tips for Successful Business Impact Analysis to learn more about RTO and BIA.

What is RPO?

Recovery point objective is a totally different thing – according to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead – ask yourself how much data you can afford to lose. If you are filling in a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours, or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work, the whole day, or could you perhaps bear losing a whole week’s work?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of business continuity strategy – the frequency of backup. If your RPO is 4 hours, then you need to perform a backup at least every 4 hours; backing up every 24 hours would put you in great danger, but backing up every hour might cost you too much.
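A backup schedule that matches the RPO on paper can still miss it when a job fails. The following added example (not from the original article) audits a backup job history against an RPO; the job records are constructed sample data, the function names are hypothetical, and it assumes each backup captures data as of its start time.

```python
from datetime import datetime, timedelta

# Constructed sample job history (not from the article): (start time, succeeded?)
# Assumption: a successful backup captures the data as of its start time.
SAMPLE_JOBS = [
    ("2024-03-01 00:00", True),
    ("2024-03-01 04:00", True),
    ("2024-03-01 08:00", False),  # failed job: the 04:00 copy stays the newest
    ("2024-03-01 12:00", True),
    ("2024-03-01 16:00", True),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def exposure_windows(jobs, as_of):
    """Return (restore_point, next_restore_point, gap) per successful backup.

    The gap is the most data that would be lost if an incident struck just
    before the next successful backup. The last window runs up to `as_of`.
    """
    good = sorted(parse(ts) for ts, ok in jobs if ok)
    ends = good[1:] + [as_of]
    return [(start, end, end - start) for start, end in zip(good, ends)]

def rpo_violations(jobs, rpo, as_of):
    """Return the windows whose potential data loss exceeds the RPO."""
    return [w for w in exposure_windows(jobs, as_of) if w[2] > rpo]

def worst_case_loss(jobs, as_of):
    """Largest exposure window, or None if no backup ever succeeded."""
    return max((gap for _, _, gap in exposure_windows(jobs, as_of)), default=None)

if __name__ == "__main__":
    now = parse("2024-03-01 18:00")
    rpo = timedelta(hours=4)
    print("worst-case loss:", worst_case_loss(SAMPLE_JOBS, now))
    for start, end, gap in rpo_violations(SAMPLE_JOBS, rpo, now):
        print(f"RPO exceeded: {start} -> {end} ({gap})")
```

In the sample data the jobs are scheduled every 4 hours, yet the single failed run at 08:00 leaves an 8-hour window, double the 4-hour RPO.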

So, what’s the difference between RTO and RPO?

The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have an RTO of 24 hours and an RPO of 1 hour, or an RTO of 2 hours and an RPO of 12 hours.

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.

You can also check out our Business Impact Analysis Questionnaire, which describes how to gather all information necessary for RTO and RPO.


3 responses to “What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?”

  1. Ananth N says:

    For any OLTP application (one of the most common uses to which databases are put), I would aim for an RPO of near-zero. That is, I cannot afford even a small bit of data loss. Things to consider are the cost of losing that amount of data forever, what it means to business.
    RTO, the recovery time objective, could depend on business requirement – things to consider are statutory requirements (and the amount of fines if violated), business loss in the downtime, and such things.

    For a content management system, I might settle for a higher RPO, and an even higher RTO.

    In both cases, it is a decision of ROI – it is pretty expensive to guarantee near zero or low RTO and RPO in terms of infrastructure and processes, and we do not want to spend more money than warranted by our business goals.

  2. Sohil says:

    For a near-zero RPO on databases, what are the solutions to look for, if a DB backup is being taken every hour?

    • Rhand Leal says:

      First of all, thanks for your feedback.

      For a near-zero RPO you should consider real-time data replication solutions, supported by redundant assets (e.g., redundant servers and systems) and infrastructure (e.g., multiple data centers and communication links), so in case of failure of the main system, or failure of assets or disruption of communication links or data centers, the redundancies can take over the data processing activities immediately.

      This material will also help you regarding continuity solutions:

      – Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
