A business continuity plan (BCP) is a plan designed to help an organization continue to operate during and after a disruption. The disruption can be an intentional attack or a natural disaster. The goal is a continuation of operations.
BCPs can address any type of disruption or disaster. Organizations that operate near a Southern U.S. coast plan for hurricanes, businesses in the heartland’s “tornado alley” plan for tornadoes, Californians plan for earthquakes, and everyone plans for fires.
Disruptions can also come from attacks or failures. A critical server could go down because of an attacker reaching it through the Internet, a malware infection, or a hardware or software failure. If the server is a critical business function (CBF), the BCP needs to ensure that plans are in place to get it operational as soon as possible.
The scope of the BCP includes a global view of the organization and the information technology (IT) systems, the facilities, and the personnel. This is not to say that all elements of an organization must continue to operate during a disruption. Instead, the BCP examines all elements and then identifies those that are mission critical and need to continue to operate. Non–mission-critical elements that do not need to continue aren’t addressed by the BCP.
The scope of the BCP can be limited to certain parts of an organization. For example, it could include just a specific location or specific CBFs. However, the BCP is focused on the overall business functions rather than just the individual IT systems.
Mission-critical systems are those identified as critical to the organization’s mission, that is, needed to keep the organization functioning. The term mission critical can also apply to functions or processes.
A business impact analysis (BIA) is included as part of a BCP. The BIA has several key objectives that directly support the BCP. These include:
All of these objectives come together in the BCP to align the organization’s priorities. The BIA identifies the mission-critical systems, applications, and operations, and the BCP provides the plan to ensure that they continue to operate even if a disaster strikes.
Similarly, the BCP includes disaster recovery plans (DRPs), which help the organization restore IT services after the disaster. Any organization can create its BCP using procedures that match its needs. However, the overall steps of a BCP are: