What Are RTO and RPO in ISO 27001?
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are two foundational metrics in business continuity planning under ISO 27001. They define how quickly you need to recover from a disruption and how much data loss is acceptable.
RTO answers: "How long can this process be down before the impact becomes unacceptable?"
RPO answers: "How much data can we afford to lose before the impact becomes unacceptable?"
Under ISO 27001:2022, these metrics directly support the requirements in Clause 8.1 (Operational Planning and Control) and Annex A control A.5.29 (Information Security During Disruption) and A.5.30 (ICT Readiness for Business Continuity).
Getting RTO and RPO wrong means your disaster recovery and backup strategies will be misaligned with actual business needs - either over-engineered (wasting money) or under-engineered (creating unacceptable risk).
Why RTO and RPO Matter for ISO 27001 Certification
Auditors will specifically look for evidence that you have:
- Identified critical business processes and their dependencies on information systems
- Assessed the impact of disruption over time for each process
- Defined measurable recovery objectives (RTO and RPO) based on that impact analysis
- Aligned your technical recovery capabilities with those objectives
- Tested and validated that you can actually meet those objectives
This is not a theoretical exercise. If your RTO for email is 4 hours but your actual recovery capability is 24 hours, you have a documented gap that needs treatment in your risk register.
Step 1: Identify Critical Business Processes
Start by listing every business process that depends on information systems. Common examples include:
| Business Process | Supporting Systems | Process Owner |
|---|---|---|
| Customer order processing | ERP, payment gateway, CRM | Operations Director |
| Employee payroll | HRIS, banking portal | HR Manager |
| Client service delivery | Project management, email, file storage | Service Delivery Lead |
| Financial reporting | Accounting software, data warehouse | Finance Director |
| Customer support | Ticketing system, knowledge base, phone | Support Manager |
For each process, identify:
- What information systems it depends on
- What data it creates or consumes
- Who owns the process
- What upstream and downstream processes it affects
The ISMS Scope Builder on iso27001kit.com can help you map these processes and their boundaries systematically.
Step 2: Conduct the Business Impact Analysis (BIA)
For each critical process, assess the impact of disruption across multiple time horizons. Impact categories typically include:
Financial Impact
Estimate direct revenue loss, penalty costs, and recovery costs at each time interval:
| Downtime Duration | Order Processing | Payroll | Client Delivery | Financial Reporting |
|---|---|---|---|---|
| 1 hour | $5,000 | Minimal | $2,000 | Minimal |
| 4 hours | $20,000 | Minimal | $10,000 | Minimal |
| 1 day | $100,000 | Moderate | $50,000 | $10,000 |
| 3 days | $300,000 | High | $200,000 | $50,000 |
| 1 week | $700,000 | Critical | $500,000 | $200,000 |
Operational Impact
Consider the cascading effects: if order processing is down, does shipping stop? Does customer service get overwhelmed?
Reputational Impact
How quickly does a disruption become visible to customers, partners, or regulators? Social media amplifies incidents rapidly.
Legal and Regulatory Impact
Are there contractual SLAs? Regulatory reporting deadlines? Data protection notification requirements under GDPR (72 hours)?
Step 3: Calculate RTO for Each Process
Your RTO is the maximum tolerable downtime before impact crosses from "manageable" to "unacceptable." This threshold is a business decision, not a technical one.
Practical approach:
- Look at your BIA impact table
- Identify where impact moves from "moderate" to "high" or "critical"
- Set your RTO at or below that threshold
- Validate with the process owner
Example: If order processing losses become unacceptable at the 4-hour mark, your RTO is 4 hours. This means your recovery solution must be able to restore that system within 4 hours.
Common RTO Ranges
| Process Criticality | Typical RTO Range |
|---|---|
| Mission-critical (revenue-generating) | 1-4 hours |
| Important (internal operations) | 4-24 hours |
| Normal (supporting functions) | 1-3 days |
| Low priority (non-essential) | 3-7 days |
Step 4: Calculate RPO for Each Process
Your RPO determines how frequently you need to back up data. If your RPO is 1 hour, you cannot rely on daily backups - you need near-real-time replication or hourly snapshots.
Key question: "If this system failed right now, how far back could we roll the data without causing unacceptable harm?"
Example: For a transactional database processing customer orders, losing 24 hours of data might mean re-entering hundreds of orders manually. An RPO of 1 hour is more realistic, requiring at minimum hourly backups or database replication.
Common RPO Ranges
| Data Criticality | Typical RPO | Backup Method Required |
|---|---|---|
| Zero tolerance | 0 (real-time) | Synchronous replication |
| Near-zero | 15-60 minutes | Asynchronous replication, frequent snapshots |
| Standard | 4-24 hours | Scheduled backups (multiple daily) |
| Relaxed | 24-72 hours | Daily backups |
Step 5: Document Your Recovery Objectives
Your documentation should include:
- Business Impact Analysis report - summarizing the analysis above
- Recovery objectives table - listing RTO and RPO for each critical process
- Gap analysis - comparing objectives against current capabilities
- Treatment plan - addressing any gaps identified
Recovery Objectives Summary Table
| Process | RTO | RPO | Current Recovery Capability | Gap? |
|---|---|---|---|---|
| Order Processing | 4 hours | 1 hour | 8 hours / daily backup | Yes |
| Payroll | 24 hours | 24 hours | 48 hours / daily backup | Yes |
| Client Delivery | 8 hours | 4 hours | 4 hours / 4-hour snapshots | No |
| Customer Support | 4 hours | 1 hour | 2 hours / real-time replication | No |
Any gap between your defined objective and your actual capability is a risk that must be recorded in your risk register and treated.
Step 6: Align with ISO 27001 Annex A Controls
Several Annex A controls directly relate to RTO/RPO:
- A.5.29 - Information Security During Disruption: Requires maintaining information security during adverse situations
- A.5.30 - ICT Readiness for Business Continuity: Requires ICT continuity planning based on BIA results
- A.8.13 - Information Backup: Requires backup policies aligned with recovery objectives
- A.8.14 - Redundancy of Information Processing Facilities: Requires redundancy to meet availability requirements
Your Statement of Applicability should reference these controls and document how your RTO/RPO analysis supports their implementation.
Step 7: Test and Validate
Defining RTO and RPO means nothing if you cannot meet them. ISO 27001 requires testing:
- Tabletop exercises - walk through recovery scenarios with stakeholders
- Technical recovery tests - actually restore systems from backups and measure time
- Full failover tests - switch to backup systems and validate functionality
Document test results and compare against your defined objectives. Any shortfall needs a corrective action plan.
Testing Schedule
| Test Type | Frequency | Scope |
|---|---|---|
| Tabletop exercise | Quarterly | All critical processes |
| Backup restoration test | Monthly | Rotating systems |
| Full failover test | Annually | Mission-critical systems |
Common Mistakes to Avoid
Setting RTO/RPO without business input. These are business decisions, not IT decisions. The CTO should not define acceptable downtime for sales - the VP of Sales should.
Using the same RTO/RPO for everything. Different processes have different criticality. Treating everything as mission-critical wastes resources; treating everything as low-priority creates unacceptable risk.
Confusing RTO with actual recovery time. Your RTO is the maximum acceptable time. Your actual capability should be lower to provide a safety margin.
Not testing recovery. An untested recovery plan is not a plan - it is a hope.
Ignoring dependencies. If your CRM depends on your email server, your CRM's RTO cannot be shorter than your email server's RTO.
Start Your Business Impact Analysis Today
Calculating RTO and RPO does not need to be complicated if you follow a structured approach. Use the RTO/RPO and BIA Helper on iso27001kit.com to calculate recovery objectives for your critical processes, assess business impact at different time intervals, and generate a documented BIA summary ready for your auditor.
Combined with the ISO 27001 Document Pack, which includes a complete Business Continuity Policy and Disaster Recovery Plan template, you will have everything you need to satisfy Clause 8.1 and the relevant Annex A controls.
Start your BIA analysis now - free
Found this article helpful?
Share it with your colleagues.
