BCM-003 RTO and RPO Definitions
Description
Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined for each critical service and system. RTOs and RPOs are formally agreed with business owners, documented in the BCP and DRP, and communicated to relevant teams. Objectives are validated against contractual and regulatory commitments.
Rationale
Without agreed RTO/RPO targets, recovery efforts lack measurable goals. Defined and communicated objectives enable planning, testing, and SLA management.
Framework Mappings (4)
| Control | Title | Coverage |
|---|---|---|
| BCR-02 | Risk Assessment and Impact Analysis | full |
| BCR-03 | Business Continuity Strategy | partial |
| 5.30 | ICT readiness for business continuity | partial |
| CP-2 | Contingency Plan | partial |
Evidence (2)
RTO and RPO definitions for each critical service, formally agreed with business owners and documented in the BCP and DRP.
Example: Service recovery objectives register or BCP annex listing each critical service with its agreed RTO, RPO, approving business owner, and date of last review
Test: Request the RTO/RPO register and compare against the BCP and DRP. Verify: (1) RTOs and RPOs are defined for all services listed in the critical service register; (2) each objective is signed off by a named business owner; (3) values are consistent between the register, BCP, and DRP; (4) objectives are validated against any applicable contractual or SLA commitments.
Business continuity strategy or impact analysis document used as the basis for setting RTOs and RPOs, demonstrating objectives are derived from formal risk and impact assessment.
Example: Business Impact Analysis (BIA) report or BCM strategy document listing assessment outputs for each critical service, including maximum tolerable downtime and data loss tolerance, mapped to agreed RTO/RPO values
Test: Request the Business Impact Analysis or BCM strategy document. Verify: (1) a BIA or equivalent analysis was conducted; (2) the analysis covers all services in the critical service register; (3) RTO and RPO values in the register are traceable to outputs from the BIA; (4) the BIA was completed within the last defined review cycle.
Questions (2)
Are Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) formally defined for each critical service, agreed with business owners, and documented in the BCP and DRP?
RTOs and RPOs must be explicitly defined — not inferred from backup frequency or infrastructure configuration. Each objective should be signed off by a named business owner.
What is the defined RTO for your primary production service in the event of a full service outage?
The RTO should be consistent with contractual availability commitments and validated through DR testing. An undefined RTO indicates a gap in continuity planning.