Business Continuity Plan

Key Takeaways

  • The BCP keeps critical business processes operating (or quickly resumes them) during a disruption; it is broader than the IT-focused DRP.
  • BCP scope includes people, facilities, suppliers, and communications, not just systems, and is built on BIA-derived priorities.
  • Life safety of personnel always takes precedence over asset or data recovery in CISM scenarios.
  • The BCP must be exercised and maintained; an untested plan is treated by ISACA as no plan at all.
Last updated: June 2026

What the Business Continuity Plan Covers

The Business Continuity Plan (BCP) is the enterprise-wide plan that keeps critical business processes functioning, or restores them quickly, when a major disruption strikes: a fire, flood, pandemic, extended power loss, supplier failure, or large cyber incident. It is deliberately broader than the Disaster Recovery Plan (DRP), which focuses on restoring IT systems. The BCP spans people, workspace, third-party dependencies, and customer communications.

The BCP is built directly on BIA outputs: the criticality ranking tells the organization which processes to resume first, and the recovery objectives (RTO, MTD, SDO) tell it how fast and at what service level. A common exam distinction:

Aspect    BCP                                                    DRP
Scope     Whole business: people, sites, processes, suppliers    IT systems, data, infrastructure
Goal      Keep the business operating                            Restore technology services
Owner     Senior management / business units                     IT / security
Trigger   Significant disruption to operations                   Loss of IT capability

The DRP is effectively a subset of the BCP. A scenario asking how to keep the call center serving customers when the building is inaccessible is a BCP question (alternate site, remote work, rerouted phones); a scenario about rebuilding the failed database cluster is a DRP question.

Invocation, Communication, and Maintenance

The BCP defines invocation criteria (who declares a continuity event and the thresholds that trigger it), the crisis communication plan (internal staff, customers, regulators, media, with a designated spokesperson), and the resumption and stand-down procedures for returning to normal operations once the threat passes.

Life Safety First

A non-negotiable CISM principle: the safety of personnel always takes priority over recovery of systems, data, or facilities. If an exam option offers evacuation and accounting for staff versus salvaging servers, choose people. This reflects both ethics and most legal duties of care.

Alternate Processing and Site Strategies

When continuity depends on relocating operations, the plan selects a site strategy whose cost matches the RTO:

  • Hot site: Fully equipped, near-instant takeover. Highest cost; supports very short RTOs.
  • Warm site: Partially equipped; needs configuration and data restore. Moderate cost and recovery time.
  • Cold site: Space and utilities only; longest setup time. Lowest cost; suits long RTOs.
  • Mirrored site: A fully redundant duplicate of production with real-time data replication; effectively zero RTO at the highest cost.
  • Reciprocal agreement: A mutual-aid arrangement in which two organizations agree to host each other's operations; inexpensive, but capacity and enforceability are hard to guarantee and it must still be tested.
  • Cloud failover: Standby capacity in a cloud provider's region, priced closer to a warm or hot site depending on how much is pre-provisioned.

Maintenance Discipline

A BCP decays as the business changes: new processes, mergers, system migrations, staff turnover. ISACA expects scheduled review, version control, and regular testing; an untested plan is treated as no plan. The plan should name owners, list current contacts, and be stored both onsite and offsite (or in resilient cloud storage) so it is reachable when primary facilities are down.

Trap: A plan that looks comprehensive but has never been exercised, or whose contact list is two years stale, fails in practice. The strongest answer pairs a documented plan with periodic exercises and updates.

Governance, Dependencies, and the Continuity Program

Business continuity is a management program, not a single document, and CISM frames it that way. Senior management owns and funds the BCP; the information security manager and a business continuity coordinator facilitate, but the authority to invoke and the accountability for outcomes rest with leadership. A BCP imposed by IT without business buy-in fails because the business units that must execute the alternate procedures were never consulted.

Third-Party and Supply-Chain Dependencies

Modern continuity often depends on parties outside the organization: cloud providers, payment processors, logistics partners, managed service providers. The BCP must account for these by reviewing the continuity capabilities of critical suppliers, confirming that contracts and service-level agreements include recovery commitments, and avoiding single points of failure where one vendor's outage halts a critical process. A scenario in which a key supplier has no continuity plan is a real exposure the security manager must raise, not ignore.

Crisis Management and Decision Authority

During a major disruption a crisis management team of senior leaders makes the enterprise-level decisions (declaring the event, authorizing spend, approving external statements) while the BCP and DRP teams execute. The plan must pre-assign these roles with named alternates, because key people may be unavailable during the very event the plan addresses. Out-of-band communication methods (offline contact lists, alternate phone trees, secure messaging) matter when normal email and phones are down.

Maintaining the Program

Keeping the BCP effective is continuous work:

  • Scheduled reviews (at least annually and after major change) keep scope and contacts current.
  • Exercises validate that people can execute, not just that the document reads well.
  • Integration with change management ensures new systems and processes inherit continuity coverage.
  • Storage resilience keeps copies offsite and accessible when primary facilities are lost.

BCP, DRP, and IRP Working Together

A frequent point of confusion is how the BCP relates to the incident response and disaster recovery plans. The IRP handles security events and may escalate into the others; the DRP restores the technology the business depends on; the BCP keeps the overall business functioning through the disruption. A large ransomware event can invoke all three at once: the IRP coordinates containment and investigation, the DRP rebuilds clean systems from protected backups, and the BCP keeps customers served through alternate processes while recovery proceeds.

The security manager ensures these plans are consistent, reference the same priorities, and do not contradict each other on who has authority.

The overarching CISM message: continuity protects the business mission, decisions are owned by management and grounded in the BIA, people come before property, and a plan is only as good as its most recent successful test.

Test Your Knowledge

During a building fire, the BCP team must choose its immediate priority. Which option reflects the correct CISM principle?

Test Your Knowledge

How does the Disaster Recovery Plan relate to the Business Continuity Plan?
