
27001Academy


 

The ISO 27001 & ISO 22301 Blog

 

What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

Both are essential elements of business continuity, and they sound quite similar, but their purposes are quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

This means that RTO is crucial when implementing business continuity in a company: how quickly you need to recover determines what kind of preparations are necessary. For example, if the RTO is 2 hours, you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc., because you want to be able to achieve full recovery in only 2 hours. However, if your RTO is 2 weeks, the required investment will be much lower, because you will have enough time to acquire resources after the incident has occurred.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also this article Five Tips for Successful Business Impact Analysis to learn more about RTO and BIA.

What is RPO?

Recovery point objective is a totally different thing. According to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead: ask yourself how much data you can afford to lose. If you are filling a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours, or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work, the whole day, or could you perhaps bear losing your whole week’s work?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of the business continuity strategy: the frequency of backup. If your RPO is 4 hours, then you need to perform a backup at least every 4 hours, because an incident that strikes just before the next backup loses everything since the previous one, so the backup interval is the worst-case data loss. Backing up every 24 hours would leave you dangerously exposed, but backing up every hour might cost you too much.

So, what’s the difference?

The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.
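The two objectives can be checked independently, which is what the paragraph above is saying. The following script is an added example, not code from the original article or from 27001Academy: given the completion times of successful backups, the moment of an incident, and the moment the service was back in operation (all constructed sample data), it reports whether this incident stayed within the RTO and the RPO, and separately whether the backup schedule itself is adequate, since the largest gap between consecutive backups is the data loss you must plan for, regardless of how lucky the timing of one particular incident was. The service names and timestamps are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Service:
    name: str
    rto: timedelta          # target time to resume the service after an incident
    rpo: timedelta          # maximum tolerable period of data loss
    backups: list           # completion times of successful backups (constructed)
    incident: datetime      # when the disruption started (constructed)
    restored: datetime      # when the service was back in operation (constructed)


def data_loss_window(backups, incident):
    """Data lost in this incident: time from the last good backup to the incident.
    Returns None when no backup predates the incident (loss is unbounded)."""
    prior = [b for b in backups if b <= incident]
    if not prior:
        return None
    return incident - max(prior)


def worst_case_gap(backups):
    """Largest interval between consecutive backups. An incident just before a
    backup loses this much, so the schedule meets the RPO only if gap <= RPO."""
    ordered = sorted(backups)
    if len(ordered) < 2:
        return None
    return max(later - earlier for earlier, later in zip(ordered, ordered[1:]))


def assess(svc):
    """Evaluate one service against its own RTO and RPO; the two are independent."""
    loss = data_loss_window(svc.backups, svc.incident)
    gap = worst_case_gap(svc.backups)
    downtime = svc.restored - svc.incident
    return {
        "data_loss": loss,
        "downtime": downtime,
        "rpo_met": loss is not None and loss <= svc.rpo,    # this incident
        "rto_met": downtime <= svc.rto,                      # this incident
        "schedule_ok": gap is not None and gap <= svc.rpo,   # any future incident
    }


def T(hour, minute=0):
    """Helper for constructing timestamps on one hypothetical day."""
    return datetime(2024, 3, 1, hour, minute)


# Constructed sample: two services with deliberately unrelated RTO and RPO,
# mirroring the article's "RTO of 24 hours and RPO of 1 hour" and
# "RTO of 2 hours and RPO of 12 hours". Names and times are assumptions.
SAMPLE_SERVICES = [
    Service("orders-db", rto=timedelta(hours=24), rpo=timedelta(hours=1),
            backups=[T(8), T(9), T(10), T(12)],      # the 11:00 backup was missed
            incident=T(12, 30), restored=T(15)),
    Service("web-portal", rto=timedelta(hours=2), rpo=timedelta(hours=12),
            backups=[T(0), T(12)],
            incident=T(14), restored=T(17, 30)),
]


def assess_all(services=SAMPLE_SERVICES):
    return {svc.name: assess(svc) for svc in services}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(name, result)
```

In the sample, orders-db meets both objectives for this particular incident yet its schedule is flagged, because the missed 11:00 backup opened a 2-hour gap against a 1-hour RPO; web-portal's hourly-cheap 12-hour schedule is fine for its RPO, but it missed its 2-hour RTO. Checking the schedule, not just the last incident, is what keeps the RPO from being met only by luck.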

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.

You can also check out our Business Impact Analysis Questionnaire which describes how to gather all information necessary for RTO and RPO.

  • miko

Hi, Dejan, may I know how to select the case as a test plan? Find the most critical scenario and execute the test?

    • http://blog.iso27001standard.com/ Dejan Kosutic

      Miko, you should select the scenario for exercising and testing based on your risk assessment – the scenario should reflect your biggest risk(s).

  • miko

Dear Dejan,
Thanks for your response. By the way,
how many scenarios do we need to select for exercising and testing? Is there any specific requirement?

    • http://blog.iso27001standard.com/ Dejan Kosutic

      ISO 22301 does not specify the number of scenarios – normally, you will use only one scenario for exercising and testing, for example an earthquake that has destroyed the building on the primary location. The next year you can use some other scenario.

  • miko

Hi, Dejan,
May I know what the big changes are between the 2005 and 2013 versions for information security continuity (business continuity)? I appreciate your input.

  • jean-luc

    Hi Dejan and Miko

I’m amazed by the short, precise, complete and exact answers by Dejan. No joke and no flattery. I see I have to learn a lot.
May I give some indication of the change of mind between the 2005 and 2013 versions (27001 and 27002, which are closely linked through Annex A)?
In the ‘old’ version, one might have had the impression that information security was imposing a BCP and its management, and that it was ‘showing the way’ on how to do it.
We corrected this in the new version, as it is not an information security requirement and security isn’t driving the organisation. So we made sure that
- the BCM material and discussions were covered by information security (as any other information, so no specific mention)

- the (selected) main information/IT security controls and their management were included in the BCM. We thought that security also has to be active in crisis time, probably with more emphasis, as a big part of the rest might have vanished. By this, information security brings its part to the consolidation of what remains and the reconstruction of what is most important.
    Best Regards
    Jean-Luc