FAQGlobalISO 22301

ISO 22301 FAQ RTO

How should teams set recovery time objectives under ISO 22301?

Use the business impact analysis to set realistic recovery targets for prioritized activities, then prove them with resources, dependencies, exercises, and review records.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
5

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

An RTO is not a guess from IT or a promise copied from a contract. Under ISO 22301, the recovery time objective should come from the business impact analysis: identify activities that support products and services, assess impact over time, find the point where disruption becomes unacceptable, and set a shorter prioritized timeframe for resuming the activity at a minimum acceptable capacity.

Search this module

Find a question or answer quickly

5 of 5 questions
Question 1

What does RTO mean in ISO 22301?

RTO means recovery time objective: the target timeframe for resuming a disrupted activity at a specified minimum acceptable capacity. ISO 22301 places it inside the business impact analysis, after the organization has assessed impacts over time and identified the maximum tolerable period of disruption.

The RTO should normally sit inside the MTPD, not equal it by default. MTPD is the point where the impact of not resuming becomes unacceptable; the RTO is the operational target that gives the organization time to recover before that outer limit is reached.

  • Define the product or service that depends on the activity.
  • Identify the prioritized activity and the minimum acceptable capacity after disruption.
  • Set the RTO within the MTPD and document the assumptions behind it.
  • Assign an accountable owner who can fund and maintain the recovery capability.
Citations
Question 2

How should the BIA produce the RTO?

Start from impact, not from available technology. The BIA should define impact types and criteria, identify activities that support products and services, assess the impacts over time, and identify when not resuming the activity becomes unacceptable.

After that, set prioritized timeframes for resuming disrupted activities at minimum acceptable capacity. That is where the RTO belongs. The record should also identify the resources, partners, suppliers, and interdependencies required to meet the target.

  • Keep one RTO per prioritized activity or service dependency, not one generic RTO for the whole company.
  • Record the impact criteria used to justify the target, such as customer harm, financial loss, safety, regulatory commitments, or contractual commitments.
  • Link the RTO to required people, sites, applications, data, suppliers, workarounds, communications, and approval authority.
  • Capture any gap between the desired RTO and the current tested capability as a risk, exception, or corrective action.
Citations
Question 3

How is RTO different from RPO?

RTO is about time to restore service or activity capability. RPO is about how much information loss is tolerable. A service can have a short RTO and a longer RPO, or the opposite, depending on the business impact and data requirements.

For example, a customer portal might need to be usable within a few hours, while some reporting data can be restored to the last completed batch. A payment, safety, clinical, or operational-control process might need both a short RTO and a strict RPO. The BIA should make that distinction explicit.

  • Use RTO to size recovery sites, failover design, staffing, supplier response, and manual workarounds.
  • Use RPO to size backup frequency, replication, transaction logging, reconciliation, and data recovery testing.
  • Do not treat backup success as proof of RTO; backup evidence usually proves only part of the recovery capability.
  • When RTO and RPO conflict with budget or supplier capability, record the accepted risk or approved improvement plan.
Citations
NIST SP 800-53 Rev. 5

NIST contingency controls distinguish recovery time and recovery point objectives for alternate storage, alternate processing, backups, and recovery.

Question 4

What evidence shows the RTO is achievable?

A target is not enough. Evidence should show that the strategy, plan, resource model, supplier dependency, and exercise results can actually support recovery within the RTO and agreed capacity.

Useful evidence includes the BIA record, approved recovery strategy, continuity plan, dependency map, resource requirements, supplier commitments, exercise scenario, post-exercise report, corrective actions, and management review decisions.

  • Test the end-to-end recovery path, including activation, people, access, data restoration, supplier response, communications, and stand-down.
  • Record actual recovery times from exercises and incidents instead of only recording that a test occurred.
  • Tie missed RTOs to corrective actions with owners and due dates.
  • Use management review to decide whether the RTO, strategy, budget, supplier contract, or plan needs to change.
Citations
ISO 22301:2019 standard page

ISO 22301 requires exercising, testing, evaluating, and improving business continuity strategies, solutions, plans, and procedures.

NIST SP 800-53 Rev. 5

NIST recovery controls support aligning alternate sites, backups, and recovery capabilities with recovery time and recovery point objectives.

Recommended next step

Operationalize ISO 22301 RTO evidence

Use this ISO 22301 RTO FAQ to assign owners, connect BIA records to recovery strategies, test real recovery paths, and keep missed targets visible as corrective actions.

Assessment workflow
Open Assessment Autopilot for ISO 22301

Convert RTO decisions into accountable evidence requests, exercise checks, and review checkpoints.

Explore next step
Talk to Sorena
Talk through implementation

Review your BIA, recovery targets, supplier dependencies, and current recovery evidence.

Explore next step
Question 5

When should an RTO be reviewed or changed?

Review RTOs at planned intervals and whenever the organization, service, supplier, technology, legal context, customer commitment, or disruption experience changes. ISO 22301 ties BIA and risk assessment review to planned intervals and significant changes.

The most common failure is leaving the RTO unchanged after the business changes. A new customer promise, cloud architecture, supplier dependency, product launch, staffing model, or exercise failure can all make the previous target unrealistic or too weak.

  • Review after incidents, activations, failed tests, supplier changes, infrastructure changes, and major product or service changes.
  • Update RTOs when impact criteria, minimum acceptable capacity, MTPD, dependencies, or resources change.
  • Escalate unresolved capability gaps to risk acceptance, corrective action, budget planning, or management review.
  • Keep a change history so auditors and service owners can see why each RTO was set or revised.
Citations
Primary sources

References and citations

ENISA NIS2 technical implementation guidance
doi.org
Referenced sections
  • Supports operational testing and monitoring of successful and failed recovery objectives in cybersecurity continuity planning.
"successful and failed RTOs"
ISO 22301:2019 standard page
iso.org
Referenced sections
  • ISO 22301 requires exercising, testing, evaluating, and improving business continuity strategies, solutions, plans, and procedures.
"Business continuity management systems - Requirements"
ISO 22313:2020 guidance standard page
iso.org
Referenced sections
  • Supports maintaining and improving the BCMS over time, including review and update of continuity arrangements.
"maintain and improve a BCMS"
ISO/IEC 27002:2022 standard page
iso.org
Referenced sections
  • Supports BIA-derived ICT continuity requirements, including RTOs for prioritized activities and supporting ICT resources.
"Information security controls"
NIST SP 800-53 Rev. 5
doi.org
Referenced sections
  • NIST recovery controls support aligning alternate sites, backups, and recovery capabilities with recovery time and recovery point objectives.
"Organizations establish recovery time objectives"
Related guides

Explore more topics

ISO 22301 Audit Readiness and Certification Evidence
Prepare ISO 22301 BCMS audit evidence for scope, BIA, risk assessment, objectives, exercises, internal audit, management review, corrective actions, and retained documented information.
ISO 22301 BCMS Requirements: Clauses 4-10
A practical ISO 22301 requirements guide for BCMS scope, leadership, planning, support, operation, BIA, risk assessment, continuity strategies, plans, exercises, audits, management review, corrective action, and evidence.
ISO 22301 BCMS Scope and Boundaries
Define an ISO 22301 BCMS scope that names the organization, products and services, sites, dependencies, outsourced processes, exclusions, interfaces, evidence, and review triggers.
ISO 22301 BIA to Recovery Strategy Workflow
Turn ISO 22301 business impact analysis into recovery priorities, continuity strategies, solutions, exercises, and audit-ready evidence.
ISO 22301 Business Continuity Strategy and Solutions
Build ISO 22301 business continuity strategies and solutions from BIA outputs, recovery objectives, resource needs, supplier dependencies, exercises, and evidence records.
ISO 22301 Business Impact Analysis FAQ
Practical ISO 22301 BIA FAQ covering prioritized activities, impact criteria, MTPD, RTO, RPO, dependencies, resources, strategy handoff, evidence, and review triggers.
ISO 22301 Business Impact Analysis Template
Build an ISO 22301 business impact analysis template that captures activities, impacts over time, MTPD, RTO, dependencies, resource needs, evidence, review cadence, and continuity-strategy handoff.
ISO 22301 Certification Evidence Checklist
A practical ISO 22301 certification evidence checklist for BCMS scope, BIA, risk assessment, continuity plans, exercises, audits, management review, and corrective actions.
ISO 22301 Certification Evidence FAQ
FAQ guidance on ISO 22301 certification evidence: BCMS scope, documented information, BIA, risk assessment, exercises, internal audit, management review, and corrective action.
ISO 22301 Compliance Guide | BCMS Requirements
Build ISO 22301 compliance evidence across BCMS scope, leadership, BIA, risk assessment, continuity strategies, plans, exercises, audit, management review, and corrective action.
ISO 22301 FAQ: BCMS, BIA, MTPD, RTO and Audit Evidence
Practical ISO 22301 FAQ for business continuity teams: BCMS scope, BIA, MTPD, RTO, RPO, strategies, exercises, audits, management review, and certification evidence.
ISO 22301 Management Review FAQ
What ISO 22301 management review should cover: inputs, outputs, decisions, evidence, improvement actions, and ownership for BCMS leadership reviews.
ISO 22301 MTPD FAQ
How ISO 22301 teams should define MTPD in the business impact analysis, separate it from RTO and RPO, and keep recovery evidence current.
ISO 22301 Recovery Strategies FAQ
Practical ISO 22301 FAQ on selecting recovery strategies from BIA, risk assessment, prioritized activities, resource needs, exercises, and review evidence.
ISO 22301 RPO FAQ: Recovery Point Objectives
How to set, evidence, test, and review recovery point objectives in an ISO 22301 business continuity management system.
ISO 22301 Testing and Exercises Guide
Plan, run, evidence, and improve ISO 22301 business continuity exercises that validate strategies, plans, RTOs, MTPDs, communication procedures, and corrective actions.
ISO 22301 Testing Exercises FAQ
How ISO 22301 teams should plan, run, evidence, and improve business continuity exercises and tests.
ISO 22301 vs DORA: BCMS And Digital Operational Resilience
Compare ISO 22301 business continuity management with DORA digital operational resilience for financial entities, ICT risk, incidents, testing, third-party risk, and reusable evidence.
ISO 22301 vs ISO/IEC 27001: BCMS and ISMS Comparison
Compare ISO 22301 business continuity management with ISO/IEC 27001 information security management: scope, risk work, evidence, certification boundaries, overlap, and common mistakes.