Recovery Time Objective (RTO) is the maximum acceptable time that a system, application, or process can be unavailable after a disruption. If the RTO for email is four hours, the disaster recovery plan must restore email service within four hours of an outage. RTOs are derived from the business impact analysis (BIA) and reflect the organization's tolerance for downtime.
Different systems have different RTOs based on criticality. A stock trading platform might have an RTO of minutes, while a document archive might tolerate days. RTO directly influences recovery strategy choices and technology investments.
CISSP Relevance
RTO is essential to Domain 1 (Security and Risk Management) discussions of business continuity and disaster recovery. Understand how BIA determines RTO, how RTO influences site selection and technology choices, and the relationship between RTO and cost—shorter RTOs require more expensive solutions.
NIST discusses RTO in SP 800-34, Contingency Planning Guide.
Related terms: Recovery Point Objective, Disaster Recovery