Business Continuity & Disaster Recovery 101

Even when all else fails, there is still hope! Business Continuity Planning and Disaster Recovery Planning are here as the last resort to protect your business.

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are an organization’s last corrective control when all other controls have failed! BCP/DRP may prevent or provide a remedy for force majeure circumstances such as injury, loss of life, or failure of an entire organization.

Furthermore, BCP/DRP provide the advantage of being able to view the organization’s critical processes and assets in a different, often clarifying light. Risk analysis conducted during a BCP/DRP plan stage often leads to immediate mitigating actions.

An eventual potentially crippling disaster may have no impact due to prudent risk management steps taken as a result of thorough BCP/DRP plans.


Developing a Business Continuity Planning and Disaster Recovery Planning are essential for a company’s responsiveness and ability to recover from an interruption in normal business functions or catastrophic events. In order to ensure that all planning has been considered, the BCP/DRP have a specific set of requirements to review and implement. Below are listed the high-level steps to achieving a sound, logical BCP/DRP:

  • Define Project Scope;
  • Business Impact Analysis;
  • Identify Preventive Controls;
  • Recovery Strategy;
  • Plan Design and Development;
  • Implementation, Training, and Testing;
  • BCP/DRP Maintenance.

what is the difference between BUSINESS CONTINUITY and DISASTER RECOVERY?

Business Continuity Planning will ensure the business will continue to operate prior to, during, and after a disaster happens.

The focus is on the business in its entirety and making sure critical services and functions provided by the business will still be performed, both if threatened by disruption as well as after the threat has subsided.

Organizations need to consider common threats to their critical functions as well as any associated vulnerabilities that might facilitate a significant disruption. Business Continuity Planning is a long-term strategy for continued successful operation despite inevitable threats and disasters.

Disaster Recovery Planning– while Business Continuity Planning is responsible for the strategic, long-term, business-oriented plan for uninterrupted operation when faced with a threat or disruption, the Disaster Recovery Planning will provide the tactics. In essence, DRP is a short-term plan for dealing with specific IT-oriented outages.

Mitigating a virus infection with a risk of spreading is an example of a specific IT-oriented disruption that a DRP must address. The focus is on efficiently mitigating the outage impact and the immediate response and recovery of critical IT systems. Disaster Recovery Planning provides a means for immediate response to disasters.


The relation between BCP & DRP – the BCP is an all-inclusive plan that includes, amongst multiple specific plans, the DRP – the importance stems from the fact that the focus and process of these overlap critically.

Continual provision of business-critical services facing threats is achieved with the aid of the tactical DRP. The plans, with their different scopes, are organically intertwined.

In order to distinguish between a BCP and a DRP one needs to realize that the BCP is concerned with the business-critical function or service provided by the company, whereas the DRP focuses on the actual systems and their interoperability so the business function is performed.


As mentioned before, the Business Continuity Plan is an umbrella plan that contains other plans, in addition to the Disaster Recovery Plan:

Continuity of Operations Plan (COOP) – describes the procedures required to maintain operations during a disaster. This includes the transfer of personnel to an alternative disaster recovery site and operations of that site.

Continuity of Support Plan – focuses narrowly on the support of specific IT systems and applications. It is also called the IT contingency plan, emphasizing IT over general business support.

Cyber Incident Response Plan (CIRP) – designed to respond to disruptive cyber events, including network-based attacks, worms, computer viruses, Trojan horses, etc.

Business Recovery Plan (BRP) – also known as the business resumption plan, details the steps required to restore normal business operations.

Crisis Communications Plan – used for communicating to staff and the public in the event of a disruptive event. Instructions for notifying the affected members of the organization are an integral part of any BCP/DRP.

Occupant Emergency Plan (OEP) – provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property.

how does the testing work?


The Disaster Recovery Plan must be an actionable prescription for recovery. Writing the plan is not enough, thorough testing is needed. Information systems are in a constant state of flux, with infrastructure, hardware, software, and configuration changes altering the way the DRP needs to be carried out. Testing the details of the DRP will ensure both the initial and continued efficacy of the plan. The tests must be performed on an annual basis as an absolute minimum.

Review – the most basic form of initial DRP testing. It involves simply reading the DRP in its entirety.

Checklist – also referred to as consistency testing, lists all necessary components required for a successful recovery and ensures that they are, or will be, readily available should a disaster occur.

Walkthrough/Tabletop – the goal is to talk through the proposed recovery procedures in a structured manner to determine whether there are any noticeable omissions, gaps, erroneous assumptions, or simply technical missteps that would hinder the recovery process from successfully being carried out.

Simulation (aka Walkthrough Drill) – goes beyond talking about the process and actually has teams carry out the recovery process. The team must respond to a simulated disaster as directed by the DRP.

Parallel Processing – involves the recovery of critical processing components at an alternative computing facility, and then restore data from a previous backup. Regular production systems are not interrupted.

Partial & Complete Interruption – extreme caution should be exercised before attempting an actual interruption test. This test causes the organization to actually stop processing normal business at the primary location and use an alternative computing facility.