Recovery Time Objective (RTO) & Recovery Point Objective (RPO)
Domain 4 — Information Systems Operations and Business Resilience
Definition
RTO is the maximum acceptable time a system can be unavailable after a disruption before the impact becomes unacceptable. RPO is the maximum acceptable data loss measured in time — how much data the organisation can afford to lose. Together, they define recovery requirements. IS auditors verify that RTO/RPO values are based on business impact analysis, technically feasible, and regularly tested.
Real-World Audit Scenario
A financial client had set a 4-hour RTO for their trading platform with a 15-minute RPO. The RPO required transaction log shipping every 15 minutes, which the IT team had configured and tested. But the RTO of 4 hours was based on a guess — nobody had ever measured how long a full recovery actually took. When we tested it, the actual recovery took 7 hours and 22 minutes because the database restoration script had a hardcoded path error that nobody had noticed. The RTO was technically unachievable.
Common Exam Trap
RTO and RPO are often confused. Remember: RTO = time to recover (how long until systems are back), RPO = data loss tolerance (how much data can you lose). A low RPO means frequent backups. A low RTO means fast recovery infrastructure.
Test Your Understanding
Try a free practice question on this topic — see our 4-layer explanations and find out where you stand.
Try a Free Question →150 Free Practice Questions →