What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

By Dejan Kosutic on January 30, 2012

They are both essential elements of business continuity, and they sound quite similar, but their purposes are quite different.

What is RTO?

So, what does RTO mean? BS 25999-2, a leading business continuity standard, defines RTO as “…target time set for resumption of product, service or activity delivery after an incident”.

This actually means that RTO is crucial when implementing business continuity in a company – calculating how quickly you need to recover will determine what kind of preparations are necessary. For example, if RTO is 2 hours, then you need to invest quite a lot of money in a disaster recovery center, telecommunications, automated systems, etc. – because you want to be able to achieve full recovery in only 2 hours. However, if your RTO is 2 weeks, then the required investment will be much lower because you will have enough time to acquire resources after an incident has occurred.

RTO is determined during the business impact analysis (BIA), and the preparations are defined in the business continuity strategy. See also this article Five Tips for Successful Business Impact Analysis to learn more about RTO and BIA.

What is RPO?

Recovery point objective is a totally different thing – according to Wikipedia, RPO is “… the maximum tolerable period in which data might be lost”. As this is quite difficult to grasp right away, I like to use this example instead – ask yourself: how much data can you afford to lose? If you are filling a database with various kinds of information, is it tolerable to lose 1 hour of work, 2 hours, or maybe 2 days? If you are writing a lengthy document, can you afford to lose 4 hours of your work, a whole day, or could you even bear losing your whole week’s work?

This number of hours or days is the RPO. Recovery Point Objective is crucial for determining one element of the business continuity strategy – the frequency of backup. If your RPO is 4 hours, then you need to perform a backup at least every 4 hours; every 24 hours would put you in great danger, while every hour might cost you more than it is worth. Note that the interval that counts is the one between the points in time the backups actually capture, so a backup that takes a long time to complete has to be scheduled more tightly than the RPO alone suggests.

So, what’s the difference?

The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.

But let me emphasize what is even more important: what do RTO and RPO have in common? They are both crucial for business impact analysis and for business continuity management. Without determining them properly, you would be just guessing – and guessing is the best way to ensure you never recover from a disaster.
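As an added example, not part of the original post, the following Python script turns the two objectives into concrete checks rather than guesses. It reads a constructed backup catalog (sample data made up for this example), reports the worst-case data loss that schedule allows and compares it with an RPO; it translates an RPO expressed as a tolerable number of lost transactions into a time interval, using an assumed peak transaction rate; and it checks an RTO against the total downtime budget an availability SLA implies. It goes a little beyond the post's own numbers in that last respect. The catalog contents, the peak rate and the weekly SLA period are assumptions for illustration only.

```python
from datetime import datetime, timedelta

# Constructed sample of a backup catalog (illustrative data, not real logs):
# completion time and type of each backup of one database over a day.
BACKUP_CATALOG = """\
2012-01-30 00:00 full
2012-01-30 04:00 log
2012-01-30 08:00 log
2012-01-30 12:00 log
2012-01-30 18:30 log
2012-01-31 00:00 full
"""


def parse_backup_times(catalog):
    """Return the sorted timestamps of all backups listed in the catalog text."""
    times = []
    for line in catalog.splitlines():
        if not line.strip():
            continue
        day, clock, _kind = line.split()
        times.append(datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M"))
    return sorted(times)


def worst_case_data_loss(times):
    """Largest gap between consecutive backups.

    An incident just before a backup completes loses everything since the
    previous one, so the longest gap (not the average or the nominal
    schedule) is what an RPO has to be compared with. Assumes each backup
    captures the state at its listed time; a backup that runs for an hour
    captures an older state and widens the real gap by that much.
    """
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def rpo_is_met(times, rpo):
    """True if no gap in the backup schedule exceeds the RPO."""
    return worst_case_data_loss(times) <= rpo


def rpo_from_transactions(max_lost_transactions, peak_transactions_per_hour):
    """Translate 'we can lose at most N transactions' into a time-based RPO.

    The peak rate (an assumed figure here) is used because the shortest time
    in which N transactions can accumulate is what the backup interval must
    cover.
    """
    return timedelta(hours=max_lost_transactions / peak_transactions_per_hour)


def downtime_budget(availability_pct, period=timedelta(weeks=1)):
    """Total downtime an availability SLA allows per period (default: one week)."""
    return period * (100 - availability_pct) / 100


def rto_fits_sla(rto, availability_pct, period=timedelta(weeks=1)):
    """A single incident's RTO cannot exceed the period's downtime budget.

    The budget is shared by every outage in the period, so an RTO equal to
    the whole budget leaves no room for a second incident.
    """
    return rto <= downtime_budget(availability_pct, period)


if __name__ == "__main__":
    times = parse_backup_times(BACKUP_CATALOG)
    print("worst-case data loss:", worst_case_data_loss(times))
    print("RPO of 4h met:", rpo_is_met(times, timedelta(hours=4)))
    print("1000 tx at 500 tx/h peak -> RPO", rpo_from_transactions(1000, 500))
    print("99.5% weekly downtime budget:", downtime_budget(99.5))
    print("RTO of 2h fits 99.5% SLA:", rto_fits_sla(timedelta(hours=2), 99.5))
```

Run against the sample catalog, the script shows why a "backup every 4 hours" schedule on paper does not prove a 4-hour RPO: the one delayed log backup at 18:30 opens a 6.5-hour window, and that single worst case is what the business impact analysis has to be checked against.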

You can also check out our Business Impact Analysis Questionnaire which describes how to gather all information necessary for RTO and RPO (commercially sold document template).


  • Ritchi

    Nice posting! But can we measure RPO in terms of how many transactions we can afford to lose, rather than in time?

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Ritchi, theoretically you could measure RPO in terms of the number of transactions, but if the main purpose of RPO is to determine the frequency of backup, then ultimately you would need to translate this number of transactions into a (minimum) time period. So if it is acceptable for you to lose e.g. 1000 transactions, and the shortest time frame in which these transactions can happen is 2 hours, this means you would have to perform a backup at least every 2 hours.

    An alternative would be to have a backup system which would be triggered by the number of transactions, but to be honest I’m not sure if such technology is widely available.

  • Paul

    Nice article… can I ask, does RTO have any bearing on the Service Level Agreement (SLA)? Would a 99.5% SLA (approx. max 50 min downtime per week) imply RTO = 50 min?

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Yes, absolutely – SLAs are one of the most important inputs when you consider the level of impact over time.

  • Val

    Great explanation. Thanks

  • SAURABH SHARMA

    Great post. I have one question:
    If you have a primary database instance and its database is replicated to secondary database instances via the log shipping method, where a transaction log backup is taken every 1 min, copied to the secondary server and instantaneously applied on the secondary instances,
    then how do you calculate the current RPO for a particular database?
    Time(latest log restored at secondary server) – time(backup log generated at primary site) = hh:mm:ss <– this is RPO
    Is this equation right?

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Saurabh, RPO has nothing to do with your current system of backup/replication. RPO is a measure of how much data loss is acceptable from the business point of view – can you afford to lose all the data generated in the last 24 hours? In that case RPO is 24 hours. Can you afford to lose only the data generated in last 1 hour? Then the RPO is 1 hour.

  • Umesh

    Would you give a perfect example of RTO & RPO?
    It would be great if you described it in numbers.

    For example, if my RTO for a BPO process is 2 hours,
    how much would the RPO be for the same?

    UMESH

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Umesh, RTO and RPO are not directly related – you may have an RTO of 2 hours and an RPO of 24 hours, 12 hours, 2 hours or 0. The values of RTO and RPO have to be determined through business impact analysis for each activity.