Domain 7 of 8 · Chapter 13 of 15

Business Continuity Planning

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The continuity lifecycle and where BC planning sits
  • BCP, DRP, and the system contingency plan
  • Exercising the plan: testing, training, and exercises
  • Maintenance, distribution, and version control
  • Exam-pattern recognition

Continuity vs. recovery plans: scope and relationship (NIST SP 800-34)

AspectBusiness Continuity Plan (BCP)Disaster Recovery Plan (DRP)Information System Contingency Plan (ISCP)
Primary focusSustain mission/business processesRestore IT at an alternate siteRecover a specific system
What it protectsThe business (people, processes, IT, facilities)Facility/system infrastructure after relocationOne target system, any location
Triggered byAny significant business disruptionMajor, usually physical disaster requiring relocationA system disruption (site-independent)
RelationshipUmbrella plan; coordinates the othersSubset of the BCP; site-specificMay support a DRP; not tied to a site
Owned atBusiness/organization levelIT recovery levelSystem level

Cheat sheet

  • The BCP is the umbrella that keeps the business running; the DRP is its IT subset
  • Continuity planning protects the business; contingency planning protects the systems
  • BCP is a recurring program, and authoring the plan is its midpoint, not its end
  • A plan is a living document that must be reviewed on a cadence and on significant change
  • Testing, training, and exercises are three distinct activities, not synonyms
  • A tabletop exercise is discussion-based only; a functional exercise has staff perform their duties
  • An unexercised plan is an untested assumption, so exercising surfaces the gaps
  • Train recovery personnel at least annually, and new appointees shortly after appointment
  • Store a plan copy at the alternate site and with the backup media so it survives the disaster
  • Mark and control distribution because the plan holds sensitive information
  • Enforce strict version control by recalling old plan pages when new ones are issued
  • Run the BIA before choosing recovery solutions or sites
  • The ISCP recovers one system regardless of site; the DRP is site-specific relocation
  • Document every exercise in an after-action report and feed lessons learned back into the plan

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems Whitepaper
  2. Disaster Recovery of Workloads on AWS: Business Continuity Plan (BCP)