Disaster Recovery: RTO & RPO

10 Feb

“Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge-like an earthquake or the terrorist attacks on the World Trade Centre-or something small, like malfunctioning software caused by a computer virus.” [1] Essentially, as already touched on by most of the other bloggers here, disaster recovery is completely focused on the IT systems that help to support a business’ core functions.

Two of the most important aspects of Disaster Recovery are Recovery Time Objective (RTO) and Recovery Point Objective (RPO).  Take for example a company that uses only tape as its backup and does a backup every night – if this company were to lose mass amounts of data, it would take a certain amount of time to go and actually get the tape, bring it back, restore its server and subsequently restore the data. The amount of time it takes to complete these tasks is known as the RTO, i.e. the amount of time it takes to bring a server back to where it was before the disaster struck.

For the same company, if they backed up their data religiously at midnight every night and the disaster happened at 4p.m. then the recovery point would be the previous night. There are however other ways of backing up so that firms can have a much shorter recovery point, i.e. every 20 minutes. This is known as the RPO.

It is however worth noting that the shorter both the RTO and the RPO, the more expensive it is to a business to implement that type of solution.

How can a firm know what type of plan is most appropriate for them? Typically, the more transactions a firm carries out, then the shorter the recovery time they will need. Most organisations tend to be willing to spend more on these solutions due to the huge amounts of money they stand to lose should their down-time be long.

What is the difference between the two? Dejan Kosutic [2] says that “The difference is in the purpose – RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency. They are not directly related – you could have RTO of 24 hours and RPO of 1 hour, or RTO of 2 hours and RPO of 12 hours.” But both are absolutely crucial for Business Continuity management – if they are not predetermined, then firms will just be guessing what to do when disaster strikes and “guessing is the best way to ensure you never recover from a disaster.” [2]

[1] http://www.csoonline.com/article/204450/business-continuity-and-disaster-recovery-planning-the-basics

[2] http://blog.iso27001standard.com/2012/01/30/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: