
ISO 27001/ISO 22301 Knowledge base

What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

Author: Dejan Kosutic

They are both essential elements of business continuity, and they sound quite similar. But their purpose is quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

This actually means that RTO is crucial when implementing business continuity in a company – calculating how quickly you need to recover will determine what kind of preparations are necessary. For example, if RTO is 2 hours, then you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc. – because you want to be able to achieve full recovery in only 2 hours. However, if your RTO is 2 weeks, then the required investment will be much lower because you will have enough time to acquire resources after an incident has occurred.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also this article Five Tips for Successful Business Impact Analysis to learn more about RTO and BIA.


What is RPO?

Recovery point objective is a totally different thing – according to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead – ask yourself: how much data can you afford to lose? If you are filling in a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours, or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work, the whole day, or could you perhaps bear losing your whole week’s work?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of business continuity strategy – the frequency of backup. If your RPO is 4 hours, then you need to perform backup at least every 4 hours; every 24 hours would put you in great danger, but if you do it every 1 hour, it might cost you too much.

So, what’s the difference?

The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.
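As an added illustration (not part of the original article), the following Python script applies the two rules above to a constructed backup-job log: the RPO you actually achieve is the longest gap between successful backups (a failed run widens that gap), and the RTO check is a separate comparison of incident time against the time service was resumed. The log lines, timestamps and function names are assumptions made for this example.

```python
from datetime import datetime

# Constructed sample backup-job log (not from the article): timestamp and outcome.
BACKUP_LOG = """\
2018-01-15 00:00 SUCCESS
2018-01-15 04:00 SUCCESS
2018-01-15 08:00 FAILED
2018-01-15 12:00 SUCCESS
2018-01-15 16:00 SUCCESS
2018-01-15 20:00 SUCCESS
"""

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def _hours(delta):
    return delta.total_seconds() / 3600

def parse_log(text):
    """Return a list of (timestamp, succeeded) tuples from the log lines."""
    runs = []
    for line in text.strip().splitlines():
        stamp, status = line.rsplit(" ", 1)
        runs.append((_ts(stamp), status == "SUCCESS"))
    return runs

def worst_case_data_loss(runs):
    """Longest gap in hours between consecutive *successful* backups.
    Failed runs do not count, so one failure doubles the gap; with fewer than
    two good backups the loss is unbounded (inf)."""
    good = [ts for ts, ok in runs if ok]
    return max((_hours(b - a) for a, b in zip(good, good[1:])), default=float("inf"))

def data_loss_at(runs, incident):
    """Hours of data lost if an incident strikes at `incident` (string timestamp):
    time elapsed since the last successful backup before it, or None if there is none."""
    when = _ts(incident)
    before = [ts for ts, ok in runs if ok and ts <= when]
    return _hours(when - max(before)) if before else None

def meets_rpo(runs, rpo_hours):
    """True when the achieved backup interval never exceeds the RPO target."""
    return worst_case_data_loss(runs) <= rpo_hours

def meets_rto(incident, restored, rto_hours):
    """RTO check: elapsed time from incident to resumed service versus the target."""
    return _hours(_ts(restored) - _ts(incident)) <= rto_hours

if __name__ == "__main__":
    runs = parse_log(BACKUP_LOG)
    print("worst-case data loss (h):", worst_case_data_loss(runs))                    # 8.0
    print("meets 4h RPO:", meets_rpo(runs, 4))                                          # False
    print("loss if incident at 11:30 (h):", data_loss_at(runs, "2018-01-15 11:30"))    # 7.5
    print("meets 24h RTO:", meets_rto("2018-01-15 11:30", "2018-01-16 09:00", 24))     # True
```

Note that the 4-hour schedule would satisfy a 4-hour RPO only if every run succeeded; the single failed run at 08:00 is what pushes the achieved RPO to 8 hours.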

You can also check out our Business Impact Analysis Questionnaire which describes how to gather all information necessary for RTO and RPO.


3 responses to “What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?”

  1. Ananth N says:

    For any OLTP application (one of the most common uses to which databases are put), I would aim for an RPO of near-zero. That is, I cannot afford even a small bit of data loss. Things to consider are the cost of losing that amount of data forever, and what it means to the business.
    RTO, the recovery time objective, could depend on business requirements – things to consider are statutory requirements (and the amount of fines if violated), business loss in the downtime, and such things.

    For a content management system, I might settle for a higher RPO, and an even higher RTO.

    In both cases, it is a decision of ROI – it is pretty expensive to guarantee near zero or low RTO and RPO in terms of infrastructure and processes, and we do not want to spend more money than warranted by our business goals.

  2. Sohil says:

    For a near zero RPO on databases, what are the solutions to look for, if DB backup is being taken hourly?

    • Rhand Leal says:

      First of all, thanks for your feedback.

      For a near zero RPO you should consider real-time data replication solutions, supported by redundant assets (e.g., redundant servers and systems) and infrastructure (e.g., multiple data centers and communication links), so that in case of failure of the main system, or failure of assets or disruption of communication links or data centers, the redundancies can take over the data processing activities immediately.

      This material will also help you regarding continuity solutions:

      – Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
      https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
