Cyber Security

RPO (Recovery Point Objective)

A Recovery Point Objective (RPO) is defined by business continuity planning. It is the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident.

If RPO is measured in minutes (or even a few hours), then in practice, off-site mirrored backups must be continuously maintained – a daily off-site backup on tape will not suffice.

Relationship to Recovery Time Objective (RTO)

Recovery that is not instantaneous will restore data/transactions over a period of time; the goal is to do so without incurring significant risks or significant losses.

RPO measures the maximum time period in which recent data might have been permanently lost in the event of a major incident; it is not a direct measure of the quantity of such loss. For instance if the BC plan is “restore up to last available backup”, the RPO is the maximum interval between such backup that has been safely vaulted offsite.

Business impact analysis is used to determine RPO for each service – RPO is not determined by the existent backup regime. When any level of preparation of off-site data is required, the period during which data might be lost often starts near the time of the beginning of the work to prepare backups, not the time the backups are taken off-site.

Related Articles