RTO / RPO

SOC 2 · ISO 27001 · HIPAA

RTO = time to restore service after disruption. RPO = max acceptable data loss measured in time.

Recovery Time Objective (RTO) is the maximum tolerable duration between a disruption and the service being usable again. Recovery Point Objective (RPO) is the maximum tolerable data loss, expressed as the time between the last recoverable copy of the data and the disruption. Both are set per system in the Business Impact Analysis (BIA), and each constrains a different control: RPO bounds how often backups or replication must run, RTO bounds the recovery architecture (restore from backup, warm standby, or active-active failover) and must be evidenced by tested restore or failover times, not just declared.

Why it matters
Declaring RTO = 1 hour for a system protected only by nightly backups (RPO can be no better than 24 hours, and is worse whenever a run is missed) with no high-availability setup is a contradiction auditors spot immediately: a full restore from backup rarely completes within an hour, and there is nothing else to fail over to. The declared objectives have to match both the controls in place and the measured results of restore tests.
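The check an auditor makes here can be automated from the evidence a backup job and DR drills already produce. The Python below is an added illustration, not ComplianceIQ code: it derives the achieved RPO from the longest gap between successful backups, the achieved RTO from the longest tested restore, and reports where the declared objectives are not supported. The log and drill-record formats, the `system=crm` tag, and all timestamps are constructed for the example.

```python
"""Compare declared RTO/RPO with backup cadence and restore-drill evidence.

Added example, not the page's or ComplianceIQ's code. The log line format
and the sample timestamps below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed backup-job history (ISO 8601 UTC). Note the missed run on
# 2024-03-04: the real worst-case RPO is then ~48h, not the nightly 24h.
BACKUP_LOG = """\
2024-03-01T02:05:00Z backup ok system=crm
2024-03-02T02:04:00Z backup ok system=crm
2024-03-03T02:07:00Z backup ok system=crm
2024-03-05T02:06:00Z backup ok system=crm
2024-03-06T02:03:00Z backup ok system=crm
"""

# Constructed DR-drill records: restore start, restore finish, system.
RESTORE_DRILLS = """\
2024-02-14T09:00:00Z 2024-02-14T11:40:00Z system=crm
2024-03-10T09:00:00Z 2024-03-10T10:55:00Z system=crm
"""

# The contradictory declaration from the text: 1h RTO, 24h RPO, no HA.
DECLARED = {"rto": timedelta(hours=1), "rpo": timedelta(hours=24), "ha": False}

# Objectives that the same evidence actually supports.
DECLARED_REALISTIC = {"rto": timedelta(hours=3), "rpo": timedelta(hours=48), "ha": False}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def achieved_rpo(backup_log):
    """Worst-case data loss: the longest gap between consecutive successful backups."""
    times = sorted(
        parse_ts(line.split()[0])
        for line in backup_log.splitlines()
        if " backup ok " in line
    )
    if len(times) < 2:
        return None
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def achieved_rto(drills):
    """Longest restore duration observed across recorded DR drills."""
    durations = []
    for line in drills.splitlines():
        start, end, _system = line.split()
        durations.append(parse_ts(end) - parse_ts(start))
    return max(durations) if durations else None


def fmt(td):
    mins = int(td.total_seconds() // 60)
    return f"{mins // 60}h{mins % 60:02d}m"


def check_objectives(declared, backup_log, drills):
    """Return audit findings where the evidence does not support the declaration."""
    findings = []
    rpo = achieved_rpo(backup_log)
    if rpo is None:
        findings.append("RPO: no backup history to evidence the objective")
    elif rpo > declared["rpo"]:
        findings.append(
            f"RPO: declared {fmt(declared['rpo'])}, longest gap between backups {fmt(rpo)}"
        )
    rto = achieved_rto(drills)
    if rto is None:
        findings.append("RTO: no restore drill on record; the objective is untested")
    elif rto > declared["rto"]:
        # Without HA the only recovery path is restore from backup, so the
        # drill time is the real bound on RTO.
        path = "failover" if declared["ha"] else "restore from backup (no HA)"
        findings.append(
            f"RTO: declared {fmt(declared['rto'])}, longest tested {path} {fmt(rto)}"
        )
    return findings


if __name__ == "__main__":
    for finding in check_objectives(DECLARED, BACKUP_LOG, RESTORE_DRILLS):
        print(finding)
```

Run against the constructed evidence, the declared 1h/24h objectives produce two findings (a 47h59m backup gap and a 2h40m tested restore), while the 3h/48h declaration produces none. In practice the inputs would come from the backup system's job history and the DR-test register, and a missing drill record is itself a finding.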

Related terms

Business Continuity & Disaster Recovery (BC/DR)
Tested plans to maintain or restore operations after disruptive events; measured by RTO/RPO.
Incident Response (IR)
Documented, tested process for detecting, containing, eradicating, and recovering from security incidents.

Does your program actually cover RTO / RPO?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
