Business Continuity Criteria in data backups: RTO, RPO and MTPD

Returning from data backups or replication after a possible disaster is everyone’s primary plan. However, here the “Time” factor comes to the fore. It is of great importance how long the backup takes the replication and how long it can return. Therefore, RTO, RPO, and MTPD processes are critical processes.

What is Recovery Time Objective (RTO)?

The Recovery Time Objective (RTO) defines the period of time following disruption that the organisation aims to recover or resume its activities, production or service provision. In other words, it is the return time from the Backup. RTO with ISO 22301 Definition; The time to restart the Product or service, to restart the Activity, and to recover Resources, following an incident of the breach.

The backup method, backup environment and hardware play an effective role in this process, the Recovery Time should be shorter than the defined period of disruption. The RTO may be different for each threat or risk you envision.

What is Recovery Point Objective (RPO)?

The Recovery Point Objective (RPO) defines the point to which information used by an activity must be restored to enable the activity to operate on resumption. RPO is the time period between the time of the Disaster and the time when the last backup or replication is provided. Since the data within this period cannot be reached, it carries a very high risk.

For example, let’s assume that you take backup at 02:00 every night, if your system fails at 11:00 during the day, you will have a loss of 9 hours.

If you only take 1 backup per day, your maximum RPO is 24 hours. This is very risky in critical systems.

What is the Maximum Tolerable Period of Disruption (MTPD)?

Maximum Tolerable Period of Disruption or MTPD is the maximum allowable time that the organization’s key products or services is made unavailable or cannot be delivered before its impact is deemed as unacceptable. The time-period that could be endured as a result of disruption before being deemed unacceptable. From the point that disruption occurs, it may be possible to continue operating, but the service levels may not be as high as you normally operate.

If the possible downtime exceeds the defined MTPOD value, the institution suffers serious damage. The damage can be financial or corporate reputation.