CP-9 / CP-10 / A.8.13 / CIS-11.3 NIST SP 800-53 Rev 5

Backup policy with RPO/RTO defined

Description

What this control does

This control requires the organization to define and document a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO) for critical systems and data assets, establish backup procedures aligned to these objectives, and ensure backups complete successfully at intervals no longer than the defined RPO. RPO is the maximum acceptable data loss expressed in time: at the moment of failure, the most recent recoverable copy may be no older than the RPO (e.g., 4 hours). RTO is the maximum acceptable downtime, measured from the failure (or the decision to recover) until the system is restored and available. The two are governed by different factors: RPO is set by how often a backup completes successfully, while RTO is set by restore throughput, where the backup copies are stored, the documented restoration procedure and the order in which dependent systems are brought back. The policy must map backup schedules, retention periods and restoration capabilities to business criticality tiers and continuity requirements, so that each tier's RPO and RTO are achievable with the backup architecture actually deployed.

Control objective

What auditing this proves

Demonstrate that the organization has documented RPO and RTO targets for critical systems, implemented backup procedures that meet or exceed these objectives, and validated that backup operations consistently achieve the defined recovery parameters.

Associated risks

Risks this control addresses

  • Prolonged business disruption following ransomware attack due to insufficient backup frequency causing unacceptable data loss beyond stakeholder tolerance
  • Inability to meet contractual service level agreements or regulatory recovery requirements following system failure or disaster event
  • Recovery operations exceeding acceptable timeframes because backup architecture (storage location, bandwidth, restoration procedures) was not designed to meet RTO commitments
  • Critical business data loss during the window between last successful backup and incident occurrence when RPO is undefined or backup frequency is inadequate
  • Misalignment between business continuity plans and technical backup capabilities leading to unrealistic recovery expectations during actual incidents
  • Compliance violations when industry-specific regulations mandate specific recovery timeframes but backup procedures cannot support those requirements
  • Resource contention and extended recovery times when multiple systems require simultaneous restoration but priorities and sequencing were not defined based on RTO requirements

Testing procedure

How an auditor verifies this control

  1. Obtain the current backup policy document and identify all documented RPO and RTO targets for systems and data classifications.
  2. Request the business impact analysis (BIA) or system criticality inventory that maps systems to recovery objectives.
  3. Select a sample of critical systems spanning different criticality tiers and verify each has explicit RPO and RTO assignments.
  4. Review backup configuration settings (schedule frequency, retention periods, backup windows) for sampled systems and compare against their documented RPO requirements.
  5. Examine backup job logs for the past 90 days for sampled systems to verify that the interval between consecutive successful backups never exceeds the RPO (e.g., if RPO is 4 hours, a successful backup must complete at least every 4 hours; a failed or skipped job extends the gap until the next success, so failed jobs count against the RPO rather than being excluded from the review).
  6. Review evidence of at least one restoration test per sampled system within the past 12 months and measure actual restoration time against documented RTO.
  7. Interview backup administrators and system owners to confirm they understand the RPO/RTO requirements for systems under their responsibility and how backup schedules support these objectives.
  8. Verify that the policy includes escalation procedures and approval requirements when backup operations fail or when RPO/RTO targets cannot be met due to technical or operational constraints.
Evidence required

Collect the backup policy document with RPO/RTO definitions, system inventory or BIA with assigned recovery objectives, backup configuration exports showing schedules and retention for sampled systems, backup job completion logs for the 90-day period, restoration test reports with timestamps and duration measurements, and meeting minutes or sign-offs documenting management approval of RPO/RTO targets. Obtain screenshots of backup monitoring dashboards showing compliance with scheduled backup windows and any alerts for missed or failed backup jobs.

Pass criteria

All sampled critical systems have documented RPO and RTO values, backup configurations and actual backup frequency meet or exceed the defined RPO, at least one restoration test per system demonstrates actual recovery time within the defined RTO, and no gaps exceed 12 months between restoration validations.
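The log checks in steps 5 and 6 and the pass criteria above can be scripted rather than read by eye. The following Python is an added example, not part of the original control page or of any audit program: it takes a constructed backup job log, a constructed restoration test log and a hypothetical table of per-system RPO/RTO values, reports the largest gap between successful backups for each system against its RPO (including the gap from the last success to the review date, so a stale backup is flagged), and checks the most recent restoration test against the RTO and the 12-month currency requirement. The log line formats, the system names (erp-db, fileshare) and the objectives are assumptions chosen for illustration.

```python
"""Check backup job logs against documented RPO and restore tests against RTO.

Added illustration for the audit steps above. The log formats, system names
and recovery objectives below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Documented recovery objectives per system (constructed sample).
RECOVERY_OBJECTIVES = {
    "erp-db":    {"rpo": timedelta(hours=4),  "rto": timedelta(hours=8)},
    "fileshare": {"rpo": timedelta(hours=24), "rto": timedelta(hours=48)},
}

# Constructed backup job log: "<completion time> <system> <status>".
# Note the FAILED erp-db job at 08:10 and the 4h02m drift at 16:04.
BACKUP_LOG = """\
2024-05-01T00:05:00Z erp-db SUCCESS
2024-05-01T04:03:00Z erp-db SUCCESS
2024-05-01T08:10:00Z erp-db FAILED
2024-05-01T12:02:00Z erp-db SUCCESS
2024-05-01T16:04:00Z erp-db SUCCESS
2024-04-30T01:00:00Z fileshare SUCCESS
2024-05-01T00:50:00Z fileshare SUCCESS
"""

# Constructed restoration test log: "<test date> <system> <elapsed HH:MM:SS>".
RESTORE_TESTS = """\
2024-03-15T09:00:00Z erp-db 06:45:00
2023-02-01T09:00:00Z fileshare 51:30:00
"""

# End of the review window (hypothetical audit date).
AS_OF = datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_elapsed(s):
    # Restore durations can exceed 24 hours, so parse the fields directly.
    h, m, sec = (int(x) for x in s.split(":"))
    return timedelta(hours=h, minutes=m, seconds=sec)


def check_rpo(log_text, objectives, as_of):
    """Largest gap between successful backups per system, compared to RPO.

    Only SUCCESS entries count; a failed job extends the gap until the next
    success. The trailing gap from the last success to `as_of` is included.
    """
    successes = {}
    for line in log_text.splitlines():
        ts, system, status = line.split()
        if status == "SUCCESS":
            successes.setdefault(system, []).append(parse_ts(ts))
    results = {}
    for system, objective in objectives.items():
        times = sorted(successes.get(system, []))
        if not times:
            results[system] = {"max_gap": None, "violations": None, "compliant": False}
            continue
        points = times + [as_of]
        gaps = [b - a for a, b in zip(points, points[1:])]
        violations = sum(1 for g in gaps if g > objective["rpo"])
        results[system] = {"max_gap": max(gaps), "violations": violations,
                           "compliant": violations == 0}
    return results


def check_rto(test_text, objectives, as_of, max_age=timedelta(days=365)):
    """Most recent restoration test per system vs. RTO, plus 12-month currency."""
    latest = {}
    for line in test_text.splitlines():
        ts, system, elapsed = line.split()
        when = parse_ts(ts)
        if system not in latest or when > latest[system][0]:
            latest[system] = (when, parse_elapsed(elapsed))
    results = {}
    for system, objective in objectives.items():
        if system not in latest:
            results[system] = {"duration": None, "within_rto": False, "current": False}
            continue
        when, elapsed = latest[system]
        results[system] = {"duration": elapsed,
                           "within_rto": elapsed <= objective["rto"],
                           "current": as_of - when <= max_age}
    return results


if __name__ == "__main__":
    for system, r in check_rpo(BACKUP_LOG, RECOVERY_OBJECTIVES, AS_OF).items():
        print(f"{system}: max gap {r['max_gap']}, RPO breaches {r['violations']}, "
              f"RPO met: {r['compliant']}")
    for system, r in check_rto(RESTORE_TESTS, RECOVERY_OBJECTIVES, AS_OF).items():
        print(f"{system}: restore took {r['duration']}, RTO met: {r['within_rto']}, "
              f"tested within 12 months: {r['current']}")
```

In the constructed data, erp-db fails the RPO check twice even though its schedule is nominally "every 4 hours": the failed 08:10 job leaves a 7h59m gap, and the 16:04 completion drifted to 4h02m after the previous one. Both would be invisible to a review that only confirms the schedule exists or counts jobs rather than measuring gaps between successes. fileshare meets its 24-hour RPO but fails the RTO check (51h30m against 48h) and its last test is older than 12 months.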

Where this control is tested

Audit programs including this control