Disaster Recovery for SMEs: RPO/RTO in plain English (and what CE+ expects)
Lewis Thomson · 10 Oct 2025 · Business Continuity and Disaster Recovery

Downtime isn’t a mystery — it’s maths.
Your RPO (how much data you can afford to lose) and RTO (how fast you must be back) decide your tooling and your cost. Here’s a practical DR plan for Microsoft 365, key servers, and SaaS apps that keeps you Cyber Essentials Plus (CE+) aligned and board-ready.
## Define RPO/RTO by workload

Set targets per system, not "one size fits all."

| Workload | Typical RPO | Typical RTO | Notes |
|---|---|---|---|
| Email (M365) | 4–8 hours | 4 hours | Mail flow + mailbox restore; test quarterly |
| Finance/ERP | 15–30 mins | 1–2 hours | Transaction integrity; prioritise |
| Files/SharePoint | 2–4 hours | 4 hours | Recover sites + permissions |
| Line-of-Business app | 1 hour | 2–4 hours | Include DB + app tier |
| Identity (Entra) | N/A | 30 mins | Without identity, nothing else restores |

Tip: if every workload's RTO is "1 hour", the budget will explode. Prioritise.
## SaaS ≠ backup (test restores monthly)
Microsoft 365/Google Workspace retention is not a backup. Use a third-party SaaS backup (mail, OneDrive/Drive, SharePoint/Teams), set retention, and perform a test restore every month. Record: what, how long, who signed off.
## Servers: image-based backup + cloud recovery
For on-prem or IaaS servers, take image-level backups with off-site copies and a cloud recovery option. Quarterly test: spin up the system from backup, validate app login/data, capture timings (RTO reality).
## Identity first (or nothing recovers)

Restore Entra ID settings before apps:

- Break-glass accounts (tested)
- MFA methods & Conditional Access baselines
- Role assignments and PIM
- App registrations/secrets (vaulted)

If identity is down, your restore will stall.
## Tabletop every 90 days

Run a 60-minute scenario drill:

- Who declares the incident?
- Who talks to insurers/clients/regulators? (note notification windows)
- Who owns the runbook and cutover decision?
- Comms templates ready (email/social/website status)

Outcome: update the runbook and owners.
## Evidence pack (CE+-friendly)

Maintain an audit trail:

- Last SaaS test restore: item, duration, sign-off
- Last server recovery: boot, app check, timings
- RPO/RTO matrix (approved by business owner)
- Identity recovery steps tested (break-glass, MFA)
- Backup job success rates + alerting proofs
- Change log for DR runbook (versioned)
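As an added example (not the post's own tooling), here is a small Python check that turns the RPO/RTO matrix and the evidence-pack items above into numbers: it computes achieved RPO from a backup job log (age of the newest successful job at the moment an incident is declared) and achieved RTO from a restore test's timings, then compares both with the per-workload targets. The job log, restore test and sign-off values are constructed sample data.

```python
from datetime import datetime

# Targets from the RPO/RTO matrix above, in minutes (worst end of each range).
# Identity has no RPO in the matrix, so its RPO is not measured.
TARGETS = {
    "Email (M365)":         {"rpo": 8 * 60, "rto": 4 * 60},
    "Finance/ERP":          {"rpo": 30,     "rto": 2 * 60},
    "Files/SharePoint":     {"rpo": 4 * 60, "rto": 4 * 60},
    "Line-of-Business app": {"rpo": 60,     "rto": 4 * 60},
    "Identity (Entra)":     {"rpo": None,   "rto": 30},
}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def achieved_rpo(job_log, incident_at):
    """Worst-case data loss in minutes: age of the newest *successful* backup at incident
    time. Failed jobs give no recovery point; with no successful job the RPO is unbounded."""
    good = [ts(t) for t, status in job_log if status == "success" and ts(t) <= incident_at]
    if not good:
        return None
    return (incident_at - max(good)).total_seconds() / 60

def achieved_rto(test):
    """Minutes from restore start to the signed-off app/data check (the 'RTO reality' timing)."""
    return (ts(test["app_check_ok"]) - ts(test["started"])).total_seconds() / 60

def evaluate(workload, job_log, restore_test, incident_at):
    """One evidence-pack row: achieved RPO/RTO against the matrix, plus who signed off."""
    target = TARGETS[workload]
    rpo, rto = achieved_rpo(job_log, incident_at), achieved_rto(restore_test)
    rpo_ok = target["rpo"] is None or (rpo is not None and rpo <= target["rpo"])
    return {"workload": workload, "rpo_minutes": rpo, "rpo_ok": rpo_ok,
            "rto_minutes": rto, "rto_ok": rto <= target["rto"],
            "signed_off_by": restore_test["signed_off_by"]}

# Constructed sample evidence for a Finance/ERP system: 15-minute backup jobs,
# the 10:00 run failed, and an incident is declared at 10:10.
SAMPLE_JOB_LOG = [
    ("2025-10-10 09:30", "success"),
    ("2025-10-10 09:45", "success"),
    ("2025-10-10 10:00", "failed"),
]
SAMPLE_RESTORE_TEST = {"started": "2025-10-10 11:00", "app_check_ok": "2025-10-10 12:35",
                       "signed_off_by": "finance-owner (placeholder)"}

def finance_report():
    return evaluate("Finance/ERP", SAMPLE_JOB_LOG, SAMPLE_RESTORE_TEST, ts("2025-10-10 10:10"))
```

In the sample, the single failed 10:00 job pushes the achieved RPO from 10 to 25 minutes, still inside the 30-minute target; a second consecutive failure would breach it, which is why backup job success rates belong in the evidence pack alongside the restore timings.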
## What we include (scope clarity)

- 24/7 monitoring + auto-remediation; business-hours helpdesk (08:30–17:00, Mon–Fri)
- SaaS backup for M365/Google Workspace
- Server backups and quarterly restore testing
- Identity-first recovery plan (Entra)
- 30-day DR test schedule to lift confidence fast
## Next step

Book a 20-min Security Fit Call. We'll map your RPO/RTO by workload and give you a 30-day DR test schedule you can run immediately.

© 2025 Infinite Cloud IT, Brighton, U.K.