Domain 7: Security Operations Module 55 of 84

Business Continuity Planning

CISSP Domain 7 — Security Operations B — Recovery and Continuity

Two Plans, One Mission

Every organization will eventually face a disruption that exceeds normal incident response capability. When that happens, two related but distinct plans activate. Disaster recovery gets the technology running again. Business continuity keeps the organization functioning while that recovery happens — and sometimes long after.

The distinction matters on the exam. DRP is focused on restoring IT systems and infrastructure to a functional state. BCP is broader: it addresses the continuity of business processes, people, facilities, communications, and supply chains. A recovered server with no staff to operate it, no facility to house the team, and no way to reach customers is a technical success and a business failure.

Business continuity planning answers a question that disaster recovery cannot: how does the organization continue to serve its mission while recovery is underway?

BCP vs. DRP: The Relationship

These two disciplines overlap, and exam questions often test whether you understand the boundaries:

  • BCP scope — All business functions, not just IT. Includes manual workarounds, alternate work locations, communication plans, supply chain alternatives, and staff availability.
  • DRP scope — IT systems and infrastructure recovery. Focuses on restoring technology services to meet RTO and RPO targets defined by the BIA.
  • Relationship — DRP is a component within BCP. The business continuity plan relies on disaster recovery for technology restoration but extends well beyond it.
  • Ownership — BCP is a business responsibility owned by senior management. DRP is typically owned by IT, operating within the parameters set by the BCP.

When the exam presents a scenario where technology is restored but the business is still unable to operate, the gap is in BCP, not DRP.


The BCP Lifecycle

Business continuity planning follows a lifecycle that begins with understanding the business and ends with continuous improvement:

  1. Project initiation — Secure management commitment, define scope, appoint the BCP coordinator, and establish the governance structure. Without executive sponsorship, the program will stall at the first budget request.
  2. Business Impact Analysis (BIA) — Identify critical business functions, determine their dependencies, and quantify the impact of disruption over time. The BIA drives every subsequent decision.
  3. Strategy development — Select recovery and continuity strategies for each critical function based on BIA findings, risk tolerance, and budget constraints.
  4. Plan development — Document procedures, assign responsibilities, establish communication protocols, and define activation criteria.
  5. Testing and exercises — Validate the plan through progressive testing (covered in Module 54).
  6. Maintenance and review — Keep the plan current through regular reviews, change-triggered updates, and post-incident analysis.

Business Impact Analysis

The BIA is the foundation of business continuity. It answers two questions: what are the most important business functions, and how quickly must they be restored?

Quantitative BIA Methods

Quantitative analysis assigns dollar values to losses. The key formulas:

  • Single Loss Expectancy (SLE) = Asset Value × Exposure Factor. The expected monetary loss from a single occurrence of a threat.
  • Annualized Rate of Occurrence (ARO) = How many times per year the threat is expected to materialize.
  • Annualized Loss Expectancy (ALE) = SLE × ARO. The expected annual cost of a specific risk. Compared against the annual cost of a control, this is the number that justifies continuity investments to the board: a safeguard is cost-justified only when the ALE it removes exceeds what it costs each year.

Quantitative analysis works well for risks with historical data and measurable financial impact. It provides the financial justification executives need to approve continuity budgets.

Qualitative BIA Methods

Qualitative analysis uses ratings, categories, and expert judgment rather than precise dollar figures. It addresses impacts that are difficult to quantify:

  • Reputational damage from extended service outages
  • Regulatory confidence and relationship with supervisory bodies
  • Employee morale and retention during prolonged disruptions
  • Competitive positioning and market perception

Most organizations use a hybrid approach: quantitative for financial impacts, qualitative for reputational and strategic impacts.

Critical Business Function Identification

The BIA must identify which functions are mission-critical. Not all functions have equal priority. The process involves:

  • Interviewing business unit leaders to understand function dependencies
  • Mapping upstream and downstream dependencies (a function may not seem critical until you realize three other critical functions depend on it)
  • Determining Maximum Tolerable Downtime (MTD) for each function
  • Setting Recovery Time Objectives (RTO) inside the MTD window, short enough to leave time after systems return for work recovery (data validation, backlog processing) before the MTD is reached
  • Setting Recovery Point Objectives (RPO) based on acceptable data loss

Continuity Strategy Selection

Once the BIA identifies critical functions and their recovery requirements, the organization must select appropriate continuity strategies. The strategy must be proportional to the function’s criticality and the cost of downtime.

  • Redundant systems — For functions with near-zero MTD, active-active configurations or hot standby systems provide immediate failover.
  • Alternate processing sites — Hot, warm, and cold sites provide varying levels of readiness at different cost points.
  • Manual workarounds — For some functions, temporary manual processes can bridge the gap while systems recover. These must be documented and tested.
  • Alternate work arrangements — Remote work capability, reciprocal agreements with partner organizations, or pre-arranged temporary office space.
  • Third-party services — Cloud-based disaster recovery as a service (DRaaS), managed recovery providers, or contractual arrangements with service providers.

The correct strategy matches the RTO and RPO requirements from the BIA while staying within an acceptable cost range. An expensive hot site for a function that can tolerate 72 hours of downtime is wasted money. A cold site for a function with a 2-hour RTO will fail.
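As an added example that is not part of this module, the following Python models the two steps above together: dependency mapping with MTD inheritance from the critical-function list, then strategy selection against RTO, RPO and cost. The business functions, the strategy catalog, the `residual_loss` share each strategy leaves behind, and the rule that a strategy counts as justified only when its annual cost is covered by the ALE it avoids are assumptions of the example, not figures from the module; the trading-platform entry reuses the numbers from Question 2 below so the ALE matches.

```python
"""Added example, not from the CISSP module: BIA register -> continuity strategy.
Folds dependencies into each function's requirements, applies SLE = AV x EF and
ALE = SLE x ARO, and picks the cheapest strategy whose RTO sits inside the MTD,
whose RPO meets the BIA target and whose annual cost is covered by avoided ALE.
All names, values and strategy costs are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    mtd_hours: float        # Maximum Tolerable Downtime from the BIA
    rpo_hours: float        # acceptable data loss
    asset_value: float
    exposure_factor: float  # share of asset value lost in one outage (0..1)
    aro: float              # expected outages per year
    depends_on: list = field(default_factory=list)


@dataclass(frozen=True)
class Strategy:
    name: str
    rto_hours: float        # recovery time the strategy can actually deliver
    rpo_hours: float        # data loss the strategy can actually deliver
    annual_cost: float
    residual_loss: float    # assumed share of the single loss still incurred with it in place


def sle(f):
    return f.asset_value * f.exposure_factor


def ale(f):
    return sle(f) * f.aro


def transitive_dependents(funcs):
    """name -> every function that directly or indirectly depends on it."""
    direct = {f.name: set() for f in funcs}
    for f in funcs:
        for upstream in f.depends_on:
            direct[upstream].add(f.name)
    closure = {}

    def walk(name, path=()):
        if name in path:
            raise ValueError(f"circular dependency through {name}")
        if name not in closure:
            closure[name] = set().union(*({d} | walk(d, path + (name,)) for d in direct[name]))
        return closure[name]

    for name in direct:
        walk(name)
    return closure


def effective_requirements(funcs):
    """name -> (effective MTD, ALE at risk). An outage of X also takes down every
    downstream function, so X inherits their tightest MTD and their SLEs."""
    by_name = {f.name: f for f in funcs}
    deps = transitive_dependents(funcs)
    out = {}
    for f in funcs:
        downstream = [by_name[d] for d in deps[f.name]]
        mtd = min([f.mtd_hours] + [d.mtd_hours for d in downstream])
        single_loss = sle(f) + sum(sle(d) for d in downstream)
        out[f.name] = (mtd, single_loss * f.aro)
    return out


def select_strategy(f, mtd_hours, ale_at_risk, catalog):
    """Cheapest strategy that is both feasible and cost-justified, or None."""
    fits = [s for s in catalog
            if s.rto_hours < mtd_hours                   # RTO strictly inside the MTD window
            and s.rpo_hours <= f.rpo_hours               # loses no more data than the BIA allows
            and s.annual_cost <= ale_at_risk * (1.0 - s.residual_loss)]  # cost covered by avoided ALE
    return min(fits, key=lambda s: s.annual_cost, default=None)


def plan(funcs, catalog):
    """name -> chosen strategy name, or None (accept the risk or revisit the BIA)."""
    by_name = {f.name: f for f in funcs}
    out = {}
    for name, (mtd, at_risk) in effective_requirements(funcs).items():
        chosen = select_strategy(by_name[name], mtd, at_risk, catalog)
        out[name] = chosen.name if chosen else None
    return out


# Constructed BIA register: auth-service looks minor on its own (72 h MTD, $200k ALE)
# but trading and order processing cannot run without it.
FUNCTIONS = [
    BusinessFunction("trading-platform", 4, 0.25, 10_000_000, 0.40, 0.5, ["auth-service"]),
    BusinessFunction("order-processing", 4, 1, 5_000_000, 0.30, 1.0, ["auth-service"]),
    BusinessFunction("auth-service", 72, 24, 200_000, 0.50, 2.0),
    BusinessFunction("monthly-reporting", 168, 24, 300_000, 0.20, 1.0),
]
# Constructed catalog: name, RTO h, RPO h, annual cost, residual loss share.
CATALOG = [
    Strategy("active-active", 0, 0, 1_500_000, 0.01),
    Strategy("hot-site", 1, 0.25, 600_000, 0.05),
    Strategy("warm-site", 12, 4, 150_000, 0.30),
    Strategy("cold-site", 72, 24, 40_000, 0.70),
    Strategy("manual-workaround", 24, 24, 10_000, 0.50),
]

if __name__ == "__main__":
    for name, strategy in plan(FUNCTIONS, CATALOG).items():
        print(f"{name:18} -> {strategy}")
```

Run on the constructed register, the auth-service row is the point of the exercise: judged on its own 72-hour MTD and $200k ALE, no strategy in the catalog both fits and pays for itself, so it would be left on a manual workaround; once the two 4-hour functions that depend on it are folded in, its effective MTD drops to 4 hours and its ALE at risk rises to $11.2M, and the cheapest strategy that still fits is a hot site. Monthly reporting, by contrast, never justifies a site of any kind and lands on the manual workaround, which is the "expensive hot site for a 72-hour function" mistake caught in code.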


Plan Documentation and Governance

A business continuity plan is a living document, not a one-time deliverable. Effective plan documentation includes:

  • Activation criteria — Clear conditions under which the plan is activated. Ambiguity here causes delays when every minute counts.
  • Roles and responsibilities — Named individuals with alternates for every critical role. The plan must work even if the primary person is unavailable.
  • Communication protocols — How to reach recovery team members, management, employees, customers, vendors, regulators, and media. Include out-of-band communication methods in case primary channels are affected.
  • Recovery procedures — Step-by-step instructions that can be followed by someone who was not involved in writing them. Assume the person reading the plan is under stress.
  • Resource requirements — What is needed to execute each procedure: people, equipment, access credentials, vendor contacts, and financial resources.

BCP Governance

The program requires sustained governance to remain effective:

  • Executive sponsor — A senior leader who champions the program, approves budgets, and holds business units accountable for participation.
  • BCP coordinator — The person responsible for day-to-day program management, testing schedules, and plan maintenance.
  • Business unit owners — Each unit is responsible for maintaining its portion of the plan and ensuring staff are trained on continuity procedures.
  • Regular review cycle — Scheduled reviews plus event-triggered updates ensure the plan reflects current reality.

Supply Chain Continuity

Modern organizations depend on suppliers, vendors, and partners for critical functions. A disruption at a sole-source supplier can halt operations as effectively as an internal disaster.

Supply chain continuity planning includes:

  • Identifying single points of failure in the supply chain
  • Qualifying alternate suppliers before a disruption occurs
  • Including key vendor contact information and escalation paths in the BCP
  • Contractual requirements for vendor BCP programs and notification obligations
  • Maintaining safety stock for critical materials where feasible

Pandemic and Public Health Continuity

Pandemic planning addresses disruptions that affect people rather than infrastructure. Traditional BCP assumes facilities and systems may be unavailable. Pandemic planning assumes the opposite: facilities may be fine, but staff cannot or should not come to them.

Key considerations include:

  • Workforce availability — Planning for 30-50% absenteeism over extended periods
  • Remote work at scale — Technology, security, and management capability for mass remote operations
  • Cross-training — Ensuring critical functions can be performed by multiple people to handle rolling absences
  • Extended duration — Pandemic disruptions last months, not days. Plans must address sustained operations under degraded conditions.
  • Life safety priority — Employee health takes precedence over operational continuity. Plans that endanger personnel to maintain operations are both unethical and unsustainable.

Pattern Recognition

BCP questions on the CISSP follow these patterns:

  • BIA timing — The BIA must come before strategy selection. When a question describes continuity investments made without a BIA, the investment is likely misaligned with actual business priorities.
  • BCP vs. DRP confusion — When the scenario describes a technology recovery that succeeds but the business remains disrupted, the gap is in BCP scope.
  • Management commitment — When a BCP program lacks funding, participation, or updates, look for the missing executive sponsor.
  • Plan currency — When a plan fails during activation, the first question is whether it was maintained and tested after organizational changes.

Trap Patterns

Watch for these wrong answers:

  • “BCP is an IT responsibility” — BCP is a business responsibility. IT contributes the disaster recovery component, but business continuity spans the entire organization.
  • “Start with strategy selection” — Without a BIA, you do not know which functions are critical or what their recovery requirements are. Strategy without BIA is guessing.
  • “The plan is complete once documented” — Documentation is one step in the lifecycle. Without testing, training, and maintenance, the plan degrades from day one.
  • “Focus continuity spending on the most expensive systems” — Cost of the system does not determine criticality. A low-cost application that supports the highest-revenue business function may deserve more continuity investment than the most expensive server in the data center.

Scenario Practice


Question 1

A manufacturing company’s BIA identifies order processing as its most critical function with an MTD of 4 hours. The IT team has implemented a hot site for the order processing database with a 1-hour RTO. However, during a recent power outage, the order processing staff had no alternate workspace and could not access the recovered systems for 12 hours.

What was the PRIMARY failure?

A. The hot site RTO was too slow for the MTD requirement
B. The IT disaster recovery plan failed to restore systems properly
C. The business continuity plan did not address alternate workspace for the order processing team
D. The BIA incorrectly identified order processing as the most critical function

Answer & reasoning

Correct: C

The DRP performed correctly — systems were recovered within 1 hour. The failure was in the BCP, which did not provide an alternate work location for the staff who needed to use those systems. This is a textbook example of the BCP/DRP gap: technology recovered, but the business could not continue because the people component was not addressed.


Question 2

A BIA for a financial services firm calculates the following for its trading platform: Asset Value = $10 million, Exposure Factor for a complete outage = 40%, and the platform experiences an average of 0.5 complete outages per year.

What is the ALE, and how should this figure be used?

A. ALE = $4 million; this is the maximum the firm should spend on the trading platform annually
B. ALE = $2 million; this justifies continuity investments up to $2 million annually for this specific risk
C. ALE = $5 million; this requires immediate platform replacement
D. ALE = $2 million; this means the firm will definitely lose $2 million next year

Answer & reasoning

Correct: B

SLE = $10M × 0.40 = $4M. ALE = $4M × 0.5 = $2M. The ALE represents the expected annualized loss and sets the upper boundary for cost-justified continuity investments targeting this risk. It is a statistical expectation, not a guarantee of actual loss (eliminating D). The firm should not spend more than $2M annually to mitigate this specific risk; in practice the ceiling for any particular control is tighter still, because a control is justified only by the portion of the ALE it actually removes (ALE before minus ALE after), not by the whole figure.


Question 3

An organization’s BCP was developed three years ago with strong executive support. Since then, the executive sponsor retired, the BCP coordinator moved to a different department, and no replacement was named for either role. The plan has not been reviewed or tested in two years.

What is the MOST significant risk?

A. The plan’s procedures are technically outdated
B. The organization has no governance structure to maintain, test, or activate the plan when needed
C. Employees have forgotten their assigned recovery roles
D. Regulatory auditors will issue a finding for lapsed testing

Answer & reasoning

Correct: B

The loss of both the executive sponsor and BCP coordinator without replacement represents a governance collapse. Without governance, no one is responsible for maintenance, testing, or activation. The outdated procedures (A) and forgotten roles (C) are symptoms of the governance gap, not the root cause. Regulatory findings (D) are a consequence, not the primary risk.


Key Takeaway

Business continuity planning is a management discipline, not a technical project. The BIA drives everything — without it, recovery priorities are opinions rather than evidence. BCP extends beyond IT recovery to encompass people, processes, facilities, supply chains, and communications. On the exam, when a scenario shows technology restored but operations still down, the answer points to BCP. When a program exists on paper but has no executive sponsor, no testing, and no updates, the answer points to governance. And always remember: the plan that works is the one that was funded, tested, maintained, and owned by the business.
