Business Continuity Plan

Many companies do not realize the importance of a business continuity plan (BCP) until an incident has occurred. A cybersecurity BCP includes a strategy of how the organization information technology would operate and recover after an incident that could be result of an intentional attack or caused by a natural disaster.

There are four critical steps when establishing a BCP, according to guidelines published by the Department of Homeland Security:

  • conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them
  • identify and document resource requirements, and implement strategies to recover critical business functions and processes
  • organize a business continuity team and compile a continuity plan to manage a business disruption
  • conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan

There are several recovery goals stated within a BCP, such as recovery point objective (RPO), recovery time objective (RTO), business recovery requirements, and technical recovery requirements. An RPO states how far back should an organization go in time in order to recover data after an incident. Think of clicking Ctrl+Alt+Shift+H on your computer in order to see the history of the websites you have visited. RTO is based on the idea of how long it takes to restore backup data to its original state in order to resume business operations.

One key component of an BCP is the well-being of employees. People should always be a priority when establishing a BCP. All other components of an organization can be replaced, rebuilt, or insured. According to the code of ethics of ISC2, the International Information System Security Certification Consortium, an information security professional must always "protect society, the common good, necessary public trust and confidence, and the infrastructure."


Department of Homeland Security. (n.d.). Business continuity plan.

ISC2. (n.d.) ISC2 code of ethics.

Check Your Knowledge

Choose the best answer to each question:
Question 1
Which of the following is established to help an organization restore its critical infrastructure after a disaster?
Question 2
According to the ISC2's code of ethics, an information security professional must always "protect society, the common good, and the infrastructure."
Question 3
The Department of Homeland Security states that there are four critical steps when establishing a BCP.
Question 4
What does a BCP help to protect during and after a disaster or disruption to an organization's critical infrastructure?
BCP, confidentiality, and RPO
RTO, RPO, and availability
CIA triad
availability, confidentiality, and RTO
Question 5
What addresses potential loss (both direct and indirect) that could be caused by a disaster?
CIA triad