Recovery Time Objective (RTO)
What is Recovery Time Objective (RTO)?
Recovery Time Objective (RTO): The maximum acceptable duration that a business process or system can be unavailable after a disruption before unacceptable consequences occur.
RTO is a business-driven target set during business impact analysis: how quickly a service must be restored to avoid material harm. It drives the design of backup frequency, failover architectures, hot/warm/cold-site strategies, and the level of automation in disaster-recovery runbooks. RTO is paired with RPO (acceptable data loss) and informs investment in clustering, replication and immutable backups. RTO must be measurable and tested through regular DR exercises; actual MTTR is compared to RTO to validate readiness and to identify single points of failure or process gaps that put critical services at risk.
● Examples
- 01 Setting a 1-hour RTO for the payments gateway and 24 hours for an internal HR portal.
- 02 Failing a DR exercise because actual MTTR was 6 hours against a 2-hour RTO.
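The comparison of measured recovery time against RTO after a DR exercise can be scripted. The following is an added example, not part of the original entry: the service names, the log format and the timestamps are constructed, and the RTO figures reuse the ones in the examples above.

```python
from datetime import datetime, timedelta

# RTO targets per service (figures from the examples above; service names are constructed).
RTO = {
    "payments-gateway": timedelta(hours=1),
    "hr-portal": timedelta(hours=24),
    "order-db": timedelta(hours=2),
}

# Constructed DR exercise log, one event per line: "<ISO timestamp> <service> <event>"
EXERCISE_LOG = """\
2024-03-02T09:00:00 payments-gateway outage_start
2024-03-02T09:00:00 hr-portal outage_start
2024-03-02T09:00:00 order-db outage_start
2024-03-02T09:42:00 payments-gateway restored
2024-03-02T15:00:00 order-db restored
"""

def evaluate(log, rto, exercise_end):
    """Return {service: (elapsed, status)}; status is PASS, FAIL, NOT_RESTORED or NOT_TESTED."""
    start, end = {}, {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, service, event = line.split()
        when = datetime.fromisoformat(ts)
        if event == "outage_start":
            start.setdefault(service, when)   # first outage marker wins
        elif event == "restored":
            end[service] = when               # last restore marker wins
    results = {}
    for service, target in rto.items():
        if service not in start:
            results[service] = (None, "NOT_TESTED")      # has an RTO but was never exercised
        elif service not in end:
            # Never restored: time elapsed so far is only a lower bound on recovery time.
            elapsed = exercise_end - start[service]
            results[service] = (elapsed, "FAIL" if elapsed > target else "NOT_RESTORED")
        else:
            actual = end[service] - start[service]
            results[service] = (actual, "PASS" if actual <= target else "FAIL")
    return results

if __name__ == "__main__":
    report = evaluate(EXERCISE_LOG, RTO, datetime.fromisoformat("2024-03-02T17:00:00"))
    for service, (actual, status) in report.items():
        print(f"{service:18} RTO={RTO[service]}  actual={actual}  {status}")
```

A service that has an RTO but no restore event is reported separately from a pass, so an exercise that ends early cannot be read as evidence of readiness.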
● Frequently asked questions
What is Recovery Time Objective (RTO)?
The maximum acceptable duration that a business process or system can be unavailable after a disruption before unacceptable consequences occur. It belongs to the Defense & Operations category of cybersecurity.
How do you meet a Recovery Time Objective (RTO)?
Meeting a Recovery Time Objective (RTO) typically requires a combination of technical controls and operational practices, as detailed in the full definition above.
What are other names for Recovery Time Objective (RTO)?
Common alternative names include: Recovery time target, RTO target.