[12] Business Continuity Planning (BCP)
By: Prasanna
Topic: Business Continuity Planning (BCP)
Domain: D7 - Security Operations
Tags: #cissp
Definition
Business Continuity Planning defines how critical business functions continue during and after a disruptive event. It extends beyond IT to include people, processes, communications, and facilities.
Key Points
- BCP starts with a business impact analysis and identification of critical services.
- Recovery objectives such as RTO (recovery time objective) and RPO (recovery point objective) guide planning decisions.
- Continuity strategies should cover alternate sites, communications, staffing, and supplier dependencies.
- Testing, training, and maintenance are essential for effectiveness.
CISSP Insight
- CISSP candidates should understand that continuity planning is a business governance activity, not just a technical recovery exercise.
- Preparation should focus on protecting essential operations and limiting customer impact.
Key Difference / Trap
- BCP vs DRP
  - BCP = business-wide continuity of operations
  - DRP = technical restoration of systems
- Plans that are not tested are not reliable
  - Exercises expose gaps and assumptions
Example
A company uses alternate work locations, backup communications, and recovery procedures to continue payroll processing after a major outage.
References
- NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
- ISO 22301, Security and resilience - Business continuity management systems
- ISO/IEC 27001:2022
Quick Recall
- BCP = keep business running
- DRP = restore systems