Do you have validated recovery time objectives (RTO) for your top critical systems?
Description
What this control does
This control validates that the organization has established, documented, and tested Recovery Time Objectives (RTO) for systems classified as mission-critical or business-essential. RTOs define the maximum acceptable downtime before unacceptable business impact occurs. Validated RTOs require formal approval from business stakeholders, documentation in disaster recovery plans, and evidence of actual recovery performance testing against these targets. Without validated RTOs, recovery prioritization during incidents becomes arbitrary and may not align with business continuity requirements.
Control objective
What auditing this proves
Demonstrate that the organization has identified critical systems, defined board-approved recovery time objectives for each, and validated through testing that those objectives are achievable.
Associated risks
Risks this control addresses
- Extended outages of critical systems exceed business tolerance thresholds, causing revenue loss, regulatory violations, or safety incidents
- Recovery teams prioritize less-critical systems during incident response due to lack of documented criticality and RTO baselines
- Disaster recovery runbooks and technical procedures fail to meet stakeholder expectations because RTOs were never formally agreed upon
- Resource allocation for backup infrastructure and redundancy is insufficient to meet unstated or assumed recovery timeframes
- Ransomware or destructive malware attacks result in prolonged outages because recovery capabilities were never tested against time constraints
- Regulatory penalties or litigation arise when critical services remain unavailable beyond commitments made to customers or regulators
- Business continuity plans prove unexecutable during actual disasters because technical recovery speeds were never validated against business requirements
Testing procedure
How an auditor verifies this control
- Obtain the current business impact analysis or asset inventory that identifies systems classified as critical or mission-essential
- Request documented recovery time objectives for each critical system, including the date of last review and business owner approval signatures
- Select a sample of 5-7 critical systems spanning different business functions and technology platforms for detailed examination
- Review disaster recovery plans, runbooks, and technical procedures to confirm RTO targets are explicitly documented for sampled systems
- Obtain records of recovery testing, failover drills, or tabletop exercises conducted within the past 12 months for sampled systems
- Compare actual recovery times achieved during tests against documented RTO targets to verify objectives were met or that remediation plans exist for gaps
- Interview business owners and recovery team members to confirm awareness of RTOs and validate that documented objectives reflect current business requirements
- Verify that RTO validation failures or near-misses triggered corrective actions such as infrastructure upgrades, process changes, or RTO adjustments