ISO 27001 & ISO 22301 Knowledge base

What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

When developing Business Continuity Plans (BCPS) or Disaster Recovery Plans (DRPs), two terms appear quite often: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). While paramount to the definition of BCPs and DRPs, RTO and RPO aren’t easy concepts to understand, which can lead to plans that either allocate more resources than needed, or to plans that won’t achieve the expected outcomes.

In this article, you will see how ISO 22301, the leading ISO standard for business continuity management, defines these parameters, as well as examples of their application and how they can be used to build robust and reliable plans that allow the optimization of resources considering the desired outcomes.

What is the RTO?

ISO 22300, which defines the vocabulary for ISO 22301, provides a definition for the Recovery Time Objective, or RTO, which can be understood as the amount of time after a disaster in which business operation is retaken, or resources are again available for use.

For example, if the RTO is 2 hours, then it means you want to resume delivery of products or services, or execution of activities, in 2 hours.

What is the RPO?

Still according to ISO 22301, the definition of the Recovery Point Objective, or RPO, can be understood the best if you ask yourself, for a given operation, how much data loss can you afford in terms of time or in terms of amount of information.

Think about a database for recording all transactions in a bank (e.g., payments, transfers, scheduling, etc.). The database to be recovered must be practically equal to the database at the moment of the disaster (i.e., the difference close to zero), because even in just a few minutes, hundreds of transactions can be made, and this information cannot be lost and cannot be easily recovered in some other way. In this case, the RPO is near zero, which means that the backup needs to be done in real time.

Now think about a source code repository where software developers keep their work. It is relatively easy to rewrite one day of lost coding for a software developer, but more than that can be difficult or impossible to recreate. In this case, the RPO would be 24 hours, which means that the backup needs to be done at least every 24 hours.

The point is, the harder it is to recover or recreate the data, the shorter the RPO needs to be.

What is the difference between RTO and RPO?

The main difference is in their purposes – being focused on time, RTO is focused on downtime of services, applications, and processes, helping define resources to be allocated to business continuity; while RPO, being focused on amount of data, has as its sole purpose to define backup frequency.

Another relevant difference is that, in relation to the moment of the disruptive incident, RTO looks forward in time (i.e., the amount of time you need to resume operations), while RPO looks back (i.e., the amount of time or data you are willing to lose).

RTO vs.RPO –What is the difference?

What are RTO and RPO in disaster recovery?

RTO is used to determine what kind of preparations are necessary for a disaster, in terms of money, facilities, telecommunications, automated systems, personnel, etc. The shorter the RTO, the greater the resources required.

RPO is used for determining the frequency of data backup to recover the needed data in case of a disaster. If your RPO is 4 hours, then you need to perform backup at least every 4 hours; every 24 hours would put you in big danger, but if you did it every hour, it might cost you too much and not bring additional value to the business.

Both Recovery Time Objective and Recovery Point Objective are determined during the business impact analysis (BIA), and the preparations for achieving them are defined in the business continuity strategy.

See these articles to learn more about RTO, RPO, and BIA: Five Tips for Successful Business Impact Analysis, and Backup policy – How to determine backup frequency.

Should RPO be less than RTO?

Although RTO and RPO are both crucial for business impact analysis and for business continuity management, they are not directly related; but they don’t conflict, either (there is no such thing as RTO vs. RPO), so RPO does not need to be less than RTO or vice-versa – you could have an RTO of 24 hours and an RPO of 1 hour, or an RTO of 2 hours and an RPO of 12 hours.

For example, an e-commerce site may need to be online 4 hours after a disruption, so RTO is 4 hours. Now, this same e-commerce site has two databases, one for its product catalog, which is updated once a week, and the second to record sales (thousands per day). The RPO for the first database can be 1 week, but for the second, the RPO should be near zero.

Continuity management is more about preparation and less about guessing

Business continuity and disaster recovery plans are things that organizations need to have and hope not to use, and in such cases, they need to find a balance between investing the minimum amount of resources possible, and having the maximum confidence that the plans will work.

To achieve this balance, RPO and RTO are paramount. Without determining them properly, you would just be guessing – and guessing is the best way to ensure recovery disaster, instead of recovery from a disaster.

You can also check out this free webinar: Implementing Business Impact Analysis according to ISO 22301, which describes how to gather all information necessary for RTO and RPO calculation.

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 expert, Dejan helps companies find the best way to obtain certification by eliminating overhead and adapting the implementation to their size and industry specifics.
Connect with Dejan: